TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fabfb8578a071254ed2e3751fec937a91c17f731 / . / library / ssl_cli.c
blob: d45f3d3fe96bf542cbd3f644a33d65a8ca9eba58 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]23#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]32#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]34#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]35#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]36#endif
37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41
42#include <string.h>
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]44#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]47#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]52#endif
53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
55static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]56 unsigned char *buf,
57 size_t *olen )
58{
59 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]60 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]61 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]62
63 *olen = 0;
64
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]65 if( ssl->hostname == NULL )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]66 return;
67
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]68 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]69 ssl->hostname ) );
70
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]71 hostname_len = strlen( ssl->hostname );
72
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]73 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]74 {
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]75 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]76 return;
77 }
78
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]79 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]80 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
81 *
82 * In order to provide any of the server names, clients MAY include an
83 * extension of type "server_name" in the (extended) client hello. The
84 * "extension_data" field of this extension SHALL contain
85 * "ServerNameList" where:
86 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]87 * struct {
88 * NameType name_type;
89 * select (name_type) {
90 * case host_name: HostName;
91 * } name;
92 * } ServerName;
93 *
94 * enum {
95 * host_name(0), (255)
96 * } NameType;
97 *
98 * opaque HostName<1..2^16-1>;
99 *
100 * struct {
101 * ServerName server_name_list<1..2^16-1>
102 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]103 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]104 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]107
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]110
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]117
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]118 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]119
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]120 *olen = hostname_len + 9;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]121}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]122#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124#if defined(MBEDTLS_SSL_RENEGOTIATION)
125static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]126 unsigned char *buf,
127 size_t *olen )
128{
129 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]131
132 *olen = 0;
133
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
135 * initial ClientHello, in which case also adding the renegotiation
136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]138 return;
139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]141
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]143 {
144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
145 return;
146 }
147
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]148 /*
149 * Secure renegotiation
150 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]153
154 *p++ = 0x00;
155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
156 *p++ = ssl->verify_data_len & 0xFF;
157
158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
159
160 *olen = 5 + ssl->verify_data_len;
161}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]162#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]163
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]164/*
165 * Only if we handle at least one key exchange that needs signatures.
166 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]167#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
169static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]170 unsigned char *buf,
171 size_t *olen )
172{
173 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]175 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]176 const int *md;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]177#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]178 unsigned char *sig_alg_list = buf + 6;
179#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]180
181 *olen = 0;
182
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]184 return;
185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]187
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
189 {
190#if defined(MBEDTLS_ECDSA_C)
191 sig_alg_len += 2;
192#endif
193#if defined(MBEDTLS_RSA_C)
194 sig_alg_len += 2;
195#endif
196 }
197
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]199 {
200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
201 return;
202 }
203
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]204 /*
205 * Prepare signature_algorithms extension (TLS 1.2)
206 */
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]207 sig_alg_len = 0;
208
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
210 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]214#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]215#if defined(MBEDTLS_RSA_C)
216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]218#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]219 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]220
221 /*
222 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
224 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]225 * } HashAlgorithm;
226 *
227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
228 * SignatureAlgorithm;
229 *
230 * struct {
231 * HashAlgorithm hash;
232 * SignatureAlgorithm signature;
233 * } SignatureAndHashAlgorithm;
234 *
235 * SignatureAndHashAlgorithm
236 * supported_signature_algorithms<2..2^16-2>;
237 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]240
241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
243
244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
246
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]247 *olen = 6 + sig_alg_len;
248}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]249#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]251
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]252#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]254static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]255 unsigned char *buf,
256 size_t *olen )
257{
258 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100[diff] [blame]260 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]261 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]262 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]263#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]264 const mbedtls_ecp_group_id *grp_id;
Paul Bakker0910f322014-02-06 13:41:18 +0100[diff] [blame]265#else
266 ((void) ssl);
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]267#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]268
269 *olen = 0;
270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]272
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]273#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]274 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]275#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]276 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]277#endif
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]278 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]279#if defined(MBEDTLS_ECP_C)
280 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]281#endif
Janos Follath8a317052016-04-21 23:37:09 +0100[diff] [blame]282 if( info == NULL )
283 {
284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
285 return;
286 }
287
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]288 elliptic_curve_len += 2;
289 }
290
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]291 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]292 {
293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
294 return;
295 }
296
297 elliptic_curve_len = 0;
298
299#if defined(MBEDTLS_ECP_C)
300 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]301#else
302 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]303#endif
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]304 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200[diff] [blame]305#if defined(MBEDTLS_ECP_C)
306 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]307#endif
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]308 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
309 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]310 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]311
312 if( elliptic_curve_len == 0 )
313 return;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]315 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
316 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]317
318 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
319 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
320
321 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
322 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
323
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]324 *olen = 6 + elliptic_curve_len;
325}
326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]327static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]328 unsigned char *buf,
329 size_t *olen )
330{
331 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]332 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]333
334 *olen = 0;
335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]336 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]337
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]338 if( end < p || (size_t)( end - p ) < 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]339 {
340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
341 return;
342 }
343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]344 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
345 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]346
347 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]348 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]349
350 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]351 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]352
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]353 *olen = 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]354}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]355#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]357
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]358#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]359static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
360 unsigned char *buf,
361 size_t *olen )
362{
363 int ret;
364 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]365 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]366 size_t kkpp_len;
367
368 *olen = 0;
369
370 /* Skip costly extension if we can't use EC J-PAKE anyway */
371 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
372 return;
373
374 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
375
376 if( end - p < 4 )
377 {
378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
379 return;
380 }
381
382 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
384
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]385 /*
386 * We may need to send ClientHello multiple times for Hello verification.
387 * We don't want to compute fresh values every time (both for performance
388 * and consistency reasons), so cache the extension content.
389 */
390 if( ssl->handshake->ecjpake_cache == NULL ||
391 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]392 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]393 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
394
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]395 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
396 p + 2, end - p - 2, &kkpp_len,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]397 mbedtls_ssl_conf_get_frng( ssl->conf ),
398 ssl->conf->p_rng );
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]399 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]400 {
401 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
402 return;
403 }
404
405 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
406 if( ssl->handshake->ecjpake_cache == NULL )
407 {
408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
409 return;
410 }
411
412 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
413 ssl->handshake->ecjpake_cache_len = kkpp_len;
414 }
415 else
416 {
417 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
418
419 kkpp_len = ssl->handshake->ecjpake_cache_len;
420
421 if( (size_t)( end - p - 2 ) < kkpp_len )
422 {
423 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
424 return;
425 }
426
427 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]428 }
429
430 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
431 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
432
433 *olen = kkpp_len + 4;
434}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]435#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]436
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]437#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]438static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
439 unsigned char *buf,
440 size_t *olen )
441{
442 unsigned char *p = buf;
443 size_t ext_len;
444 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
445
446 /*
Hanno Becker3cdf8fe2019-05-15 10:26:32 +0100[diff] [blame]447 * Quoting draft-ietf-tls-dtls-connection-id-05
448 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]449 *
450 * struct {
451 * opaque cid<0..2^8-1>;
452 * } ConnectionId;
453 */
454
455 *olen = 0;
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]456 if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]457 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
458 {
459 return;
460 }
461 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
462
463 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
464 * which is at most 255, so the increment cannot overflow. */
465 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
466 {
467 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
468 return;
469 }
470
471 /* Add extension ID + size */
472 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
473 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
474 ext_len = (size_t) ssl->own_cid_len + 1;
475 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
476 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
477
478 *p++ = (uint8_t) ssl->own_cid_len;
479 memcpy( p, ssl->own_cid, ssl->own_cid_len );
480
481 *olen = ssl->own_cid_len + 5;
482}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]483#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]485#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
486static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]487 unsigned char *buf,
488 size_t *olen )
489{
490 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]491 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]492
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]493 *olen = 0;
494
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]495 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]496 return;
497 }
498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]499 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]500
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]501 if( end < p || (size_t)( end - p ) < 5 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]502 {
503 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
504 return;
505 }
506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]507 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
508 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]509
510 *p++ = 0x00;
511 *p++ = 1;
512
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]513 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]514
515 *olen = 5;
516}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
520static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]521 unsigned char *buf, size_t *olen )
522{
523 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]524 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]525
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]526 *olen = 0;
527
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]528 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]529 {
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]530 return;
531 }
532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]533 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]534
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]535 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]536 {
537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
538 return;
539 }
540
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]541 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
542 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]543
544 *p++ = 0x00;
545 *p++ = 0x00;
546
547 *olen = 4;
548}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]549#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]550
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
552static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]553 unsigned char *buf, size_t *olen )
554{
555 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]556 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]557
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]558 *olen = 0;
559
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]560 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
561 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]562 {
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]563 return;
564 }
565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]566 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]567 "extension" ) );
568
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]569 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]570 {
571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
572 return;
573 }
574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]575 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
576 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]577
578 *p++ = 0x00;
579 *p++ = 0x00;
580
581 *olen = 4;
582}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]583#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]585#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
586static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]587 unsigned char *buf, size_t *olen )
588{
589 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]590 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]591
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]592 *olen = 0;
593
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]594 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
595 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]596 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]597 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]598 return;
599 }
600
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]601 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]602 "extension" ) );
603
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]604 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]605 {
606 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
607 return;
608 }
609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]610 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
611 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]612
613 *p++ = 0x00;
614 *p++ = 0x00;
615
616 *olen = 4;
617}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]618#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]619
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]620#if defined(MBEDTLS_SSL_SESSION_TICKETS)
621static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]622 unsigned char *buf, size_t *olen )
623{
624 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]625 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]626 size_t tlen = ssl->session_negotiate->ticket_len;
627
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]628 *olen = 0;
629
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]630 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]631 {
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]632 return;
633 }
634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]636
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]637 if( end < p || (size_t)( end - p ) < 4 + tlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]638 {
639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
640 return;
641 }
642
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
644 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]645
646 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
647 *p++ = (unsigned char)( ( tlen ) & 0xFF );
648
649 *olen = 4;
650
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]651 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]652 {
653 return;
654 }
655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]657
658 memcpy( p, ssl->session_negotiate->ticket, tlen );
659
660 *olen += tlen;
661}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]662#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664#if defined(MBEDTLS_SSL_ALPN)
665static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]666 unsigned char *buf, size_t *olen )
667{
668 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]669 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]670 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]671 const char **cur;
672
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]673 *olen = 0;
674
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]675 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]676 {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]677 return;
678 }
679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]681
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]682 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Simon Butcher04799a42015-09-29 00:31:09 +0100[diff] [blame]683 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]684
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]685 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]686 {
687 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
688 return;
689 }
690
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
692 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]693
694 /*
695 * opaque ProtocolName<1..2^8-1>;
696 *
697 * struct {
698 * ProtocolName protocol_name_list<2..2^16-1>
699 * } ProtocolNameList;
700 */
701
702 /* Skip writing extension and list length for now */
703 p += 4;
704
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]705 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]706 {
707 *p = (unsigned char)( strlen( *cur ) & 0xFF );
708 memcpy( p + 1, *cur, *p );
709 p += 1 + *p;
710 }
711
712 *olen = p - buf;
713
714 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
715 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
716 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
717
718 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
719 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
720 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
721}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]722#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]723
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]724/*
725 * Generate random bytes for ClientHello
726 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]727static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]728{
729 int ret;
730 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]732 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]733#endif
734
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]735 /*
736 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
737 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]738#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]739 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]740 ssl->handshake->verify_cookie != NULL )
741 {
742 return( 0 );
743 }
744#endif
745
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]746#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]747 t = mbedtls_time( NULL );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]748 *p++ = (unsigned char)( t >> 24 );
749 *p++ = (unsigned char)( t >> 16 );
750 *p++ = (unsigned char)( t >> 8 );
751 *p++ = (unsigned char)( t );
752
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]753 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]754#else
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]755 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
756 ( ssl->conf->p_rng, p, 4 ) ) != 0 )
757 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]758 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]759 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]760
761 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]762#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]763
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]764 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
765 ( ssl->conf->p_rng, p, 28 ) ) != 0 )
766 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]767 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]768 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]769
770 return( 0 );
771}
772
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]773/**
774 * \brief Validate cipher suite against config in SSL context.
775 *
776 * \param suite_info cipher suite to validate
777 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]778 * \param min_minor_ver Minimal minor version to accept a cipher suite
779 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]780 *
781 * \return 0 if valid, else 1
782 */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]783static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info,
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]784 const mbedtls_ssl_context * ssl,
785 int min_minor_ver, int max_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]786{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]787 (void) ssl;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]788 if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]789 return( 1 );
790
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]791
792 if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
793 mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
794 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]795 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]796 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]797
798#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]799 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]800 ( mbedtls_ssl_suite_get_flags( suite_info ) &
801 MBEDTLS_CIPHERSUITE_NODTLS ) != 0 )
802 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]803 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]804 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]805#endif
806
807#if defined(MBEDTLS_ARC4_C)
808 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]809 mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
810 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]811 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]812 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]813#endif
814
815#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]816 if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
817 MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
818 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
819 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]820 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]821 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]822#endif
823
824 return( 0 );
825}
826
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]827static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]828{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]829 int ret;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]830 size_t i, n, olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]832 unsigned char *p, *q;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]833 unsigned char offer_compress;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]834#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
835 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
836 int uses_ec = 0;
837#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]839 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]841 if( mbedtls_ssl_conf_get_frng( ssl->conf ) == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
844 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]845 }
846
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]847 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]848 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]849 ssl->major_ver = ssl->conf->min_major_ver;
850 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]851 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]853 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]854 {
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]855 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
856 "consider using mbedtls_ssl_config_defaults()" ) );
857 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]858 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]859
860 /*
861 * 0 . 0 handshake type
862 * 1 . 3 handshake length
863 * 4 . 5 highest version supported
864 * 6 . 9 current UNIX time
865 * 10 . 37 random bytes
866 */
867 buf = ssl->out_msg;
868 p = buf + 4;
869
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]870 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
871 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]872 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 buf[4], buf[5] ) );
876
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]877 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
878 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]879 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]880 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]881 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]882
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]883 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]884 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]885 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]886
887 /*
888 * 38 . 38 session id length
889 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]890 * 39+n . 39+n DTLS only: cookie length (1 byte)
891 * 40+n . .. DTSL only: cookie
892 * .. . .. ciphersuitelist length (2 bytes)
893 * .. . .. ciphersuitelist
894 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]895 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]896 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]897 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]899
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]900 /*
901 * We'll write a session of non-zero length if resumption was requested
902 * by the user, we're not renegotiating, and the session ID is of
903 * appropriate length. Otherwise make the length 0 (for now, see next code
904 * block for behaviour with tickets).
905 */
906 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]907 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]908 ssl->session_negotiate->id_len < 16 ||
909 ssl->session_negotiate->id_len > 32 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]910 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]911 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]912 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]913 else
914 {
915 n = ssl->session_negotiate->id_len;
916 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]917
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]918#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]919 /*
920 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
921 * generate and include a Session ID in the TLS ClientHello."
922 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]923 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
924 ssl->session_negotiate->ticket != NULL &&
925 ssl->session_negotiate->ticket_len != 0 )
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000[diff] [blame]926 {
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]927 ret = mbedtls_ssl_conf_get_frng( ssl->conf )
928 ( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]929
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]930 if( ret != 0 )
931 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]932
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]933 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]934 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]935#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]936
937 *p++ = (unsigned char) n;
938
939 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]940 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]942 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
943 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]944
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]945 /*
946 * DTLS cookie
947 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]948#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]949 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]950 {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]951 if( ssl->handshake->verify_cookie == NULL )
952 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]954 *p++ = 0;
955 }
956 else
957 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]959 ssl->handshake->verify_cookie,
960 ssl->handshake->verify_cookie_len );
961
962 *p++ = ssl->handshake->verify_cookie_len;
963 memcpy( p, ssl->handshake->verify_cookie,
964 ssl->handshake->verify_cookie_len );
965 p += ssl->handshake->verify_cookie_len;
966 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]967 }
968#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]969
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]970 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]971 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]972 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]973
974 /* Skip writing ciphersuite length for now */
975 n = 0;
976 q = p;
977 p += 2;
978
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]979 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
980 ssl->minor_ver,
981 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 {
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]983 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
984 ssl->conf->min_minor_ver,
985 ssl->conf->max_minor_ver ) != 0 )
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]986 {
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]987 continue;
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]988 }
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]989
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]990 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]991 mbedtls_ssl_suite_get_id( ciphersuite_info ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]993#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
994 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
995 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
996#endif
997
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]998 n++;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]999 *p++ = (unsigned char)(
1000 mbedtls_ssl_suite_get_id( ciphersuite_info ) >> 8 );
1001 *p++ = (unsigned char)(
1002 mbedtls_ssl_suite_get_id( ciphersuite_info ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1004 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]1006 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +0300[diff] [blame]1007
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1008 /*
1009 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1010 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]1011 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1012 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]1013 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1014 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1015 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]1016 n++;
1017 }
1018
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1019 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]1021 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1022 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1024 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1025 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1026 n++;
1027 }
1028#endif
1029
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1030 *q++ = (unsigned char)( n >> 7 );
1031 *q++ = (unsigned char)( n << 1 );
1032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1033#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1034 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1035#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1036 offer_compress = 0;
1037#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1039 /*
Johannes H4e5d23f2018-01-06 09:46:57 +0100[diff] [blame]1040 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1041 * in the same datagram, uncompressing one could overwrite the next one.
1042 * We don't want to add complexity for handling that case unless there is
1043 * an actual need for it.
1044 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1045#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1046 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1047 offer_compress = 0;
1048#endif
1049
1050 if( offer_compress )
1051 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1053 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1054 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1055
1056 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1058 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1059 }
1060 else
1061 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1063 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1064 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1065
1066 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1068 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1070 // First write extensions, then the total length
1071 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1072#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1073 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1074 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1075#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]1077 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1078 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1079#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1080 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1081 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1082#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1084#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1085 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1086 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1087 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1088#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1089
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1090#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1091 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1092 if( uses_ec )
1093 {
1094 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1095 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1096
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1097 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1098 ext_len += olen;
1099 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1100#endif
1101
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1102#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]1103 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1104 ext_len += olen;
1105#endif
1106
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1107#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1108 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
1109 ext_len += olen;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1110#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1112#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1113 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1114 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1115#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1116
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1117#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1118 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1119 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1120#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1121
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1122#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1123 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1124 ext_len += olen;
1125#endif
1126
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1127#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1128 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1129 ext_len += olen;
1130#endif
1131
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1132#if defined(MBEDTLS_SSL_ALPN)
1133 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1134 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1135#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1136
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1137#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1138 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1139 ext_len += olen;
1140#endif
1141
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1142 /* olen unused if all extensions are disabled */
1143 ((void) olen);
1144
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1145 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1146 ext_len ) );
1147
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1148 if( ext_len > 0 )
1149 {
1150 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1151 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1152 p += ext_len;
1153 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1154
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1155 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1156 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1157 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1158
1159 ssl->state++;
1160
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1161#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1162 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1163 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]1164#endif
1165
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1166 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1167 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1168 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1169 return( ret );
1170 }
1171
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1172#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1173 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1174 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1175 {
1176 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1177 return( ret );
1178 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]1179#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1180
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1182
1183 return( 0 );
1184}
1185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1186static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1187 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1188 size_t len )
1189{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1190#if defined(MBEDTLS_SSL_RENEGOTIATION)
1191 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1192 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1193 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1194 if( len != 1 + ssl->verify_data_len * 2 ||
1195 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1196 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1197 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1198 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1199 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1200 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1201 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1202 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1203 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1204 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1205 }
1206 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1207 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1208#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1209 {
1210 if( len != 1 || buf[0] != 0x00 )
1211 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1212 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1213 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1214 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1215 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1216 }
1217
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1218 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1219 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1220
1221 return( 0 );
1222}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1223
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1224#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1225static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1226 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1227 size_t len )
1228{
1229 /*
1230 * server should use the extension only if we did,
1231 * and if so the server's value should match ours (and len is always 1)
1232 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1233 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1234 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1235 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1236 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1237 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1238 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1239 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1240 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1241 }
1242
1243 return( 0 );
1244}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1245#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1246
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1247#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1248static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1249 const unsigned char *buf,
1250 size_t len )
1251{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1252 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1253 len != 0 )
1254 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1256 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1257 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1258 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1259 }
1260
1261 ((void) buf);
1262
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1263 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1264
1265 return( 0 );
1266}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1267#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1268
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1269#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1270static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1271 const unsigned char *buf,
1272 size_t len )
1273{
1274 size_t peer_cid_len;
1275
1276 if( /* CID extension only makes sense in DTLS */
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1277 MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1278 /* The server must only send the CID extension if we have offered it. */
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1279 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1280 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1281 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1282 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1283 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1284 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1285 }
1286
1287 if( len == 0 )
1288 {
1289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1290 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1291 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1292 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1293 }
1294
1295 peer_cid_len = *buf++;
1296 len--;
1297
1298 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1299 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1301 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1302 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1303 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1304 }
1305
1306 if( len != peer_cid_len )
1307 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1310 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1311 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1312 }
1313
Hanno Beckerf885d3b2019-05-03 12:47:49 +0100[diff] [blame]1314 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1315 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1316 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1317
1318 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1319 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1320
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1321 return( 0 );
1322}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1323#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1326static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1327 const unsigned char *buf,
1328 size_t len )
1329{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1330 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1331 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1332 len != 0 )
1333 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1334 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1335 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1336 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1337 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1338 }
1339
1340 ((void) buf);
1341
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1342 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1343
1344 return( 0 );
1345}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1349static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1350 const unsigned char *buf,
1351 size_t len )
1352{
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]1353 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
1354 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1356 len != 0 )
1357 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1359 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1360 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1361 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1362 }
1363
1364 ((void) buf);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1365 return( 0 );
1366}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1367#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1368
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1370static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1371 const unsigned char *buf,
1372 size_t len )
1373{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1374 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1375 len != 0 )
1376 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1378 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1379 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1381 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1382
1383 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1384
1385 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1386
1387 return( 0 );
1388}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1389#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1390
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1391#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1392 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1393static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1394 const unsigned char *buf,
1395 size_t len )
1396{
1397 size_t list_size;
1398 const unsigned char *p;
1399
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1400 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1401 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1402 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1403 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1404 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1405 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1406 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1407 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1408
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1409 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1410 while( list_size > 0 )
1411 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1413 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1414 {
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1415#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1416 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]1417#endif
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1418#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1419 ssl->handshake->ecjpake_ctx.point_format = p[0];
1420#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1421 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1422 return( 0 );
1423 }
1424
1425 list_size--;
1426 p++;
1427 }
1428
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1429 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1430 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1431 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1432 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1433}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1434#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1435 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1436
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1437#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1438static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1439 const unsigned char *buf,
1440 size_t len )
1441{
1442 int ret;
1443
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1444 if( mbedtls_ssl_suite_get_key_exchange(
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]1445 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
1446 != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1447 {
1448 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1449 return( 0 );
1450 }
1451
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1452 /* If we got here, we no longer need our cached extension */
1453 mbedtls_free( ssl->handshake->ecjpake_cache );
1454 ssl->handshake->ecjpake_cache = NULL;
1455 ssl->handshake->ecjpake_cache_len = 0;
1456
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1457 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1458 buf, len ) ) != 0 )
1459 {
1460 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1461 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1462 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1463 return( ret );
1464 }
1465
1466 return( 0 );
1467}
1468#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1470#if defined(MBEDTLS_SSL_ALPN)
1471static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1472 const unsigned char *buf, size_t len )
1473{
1474 size_t list_len, name_len;
1475 const char **p;
1476
1477 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1478 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1479 {
1480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1481 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1482 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1483 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1484 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1485
1486 /*
1487 * opaque ProtocolName<1..2^8-1>;
1488 *
1489 * struct {
1490 * ProtocolName protocol_name_list<2..2^16-1>
1491 * } ProtocolNameList;
1492 *
1493 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1494 */
1495
1496 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1497 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1498 {
1499 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1500 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1501 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1502 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1503
1504 list_len = ( buf[0] << 8 ) | buf[1];
1505 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1506 {
1507 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1508 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1510 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1511
1512 name_len = buf[2];
1513 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1514 {
1515 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1516 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1517 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1518 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1519
1520 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1521 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1522 {
1523 if( name_len == strlen( *p ) &&
1524 memcmp( buf + 3, *p, name_len ) == 0 )
1525 {
1526 ssl->alpn_chosen = *p;
1527 return( 0 );
1528 }
1529 }
1530
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1532 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1533 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1535}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1536#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1537
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1538/*
1539 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1540 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1541#if defined(MBEDTLS_SSL_PROTO_DTLS)
1542static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1543{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1545 int major_ver, minor_ver;
1546 unsigned char cookie_len;
1547
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1548 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1549
1550 /*
1551 * struct {
1552 * ProtocolVersion server_version;
1553 * opaque cookie<0..2^8-1>;
1554 * } HelloVerifyRequest;
1555 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1556 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1557 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1558 p += 2;
1559
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1560 /*
1561 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1562 * even is lower than our min version.
1563 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1564 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1565 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1566 major_ver > ssl->conf->max_major_ver ||
1567 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1568 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1570
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1571 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1572 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1574 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1575 }
1576
1577 cookie_len = *p++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1578 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1579
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1580 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1581 {
1582 MBEDTLS_SSL_DEBUG_MSG( 1,
1583 ( "cookie length does not match incoming message size" ) );
1584 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1585 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1586 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1587 }
1588
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1589 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1590
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1591 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1592 if( ssl->handshake->verify_cookie == NULL )
1593 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1595 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1596 }
1597
1598 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1599 ssl->handshake->verify_cookie_len = cookie_len;
1600
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1601 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1602 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1603 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1604
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1605 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1606
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1608
1609 return( 0 );
1610}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1611#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1612
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1613static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1614{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1615 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1616 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1617 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1618 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1619 unsigned char comp;
1620#if defined(MBEDTLS_ZLIB_SUPPORT)
1621 int accept_comp;
1622#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1623#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1624 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1625#endif
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]1626#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1627 int extended_ms_seen = 0;
1628#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1629 int handshake_failure = 0;
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1630
1631 /* The ciphersuite chosen by the server. */
1632 mbedtls_ssl_ciphersuite_handle_t server_suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1633
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1634 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1635
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]1636 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1637 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1638 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1639 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1640 return( ret );
1641 }
1642
Hanno Beckerf5970a02019-05-08 09:38:41 +0100[diff] [blame]1643 buf = ssl->in_msg;
1644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1645 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1646 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1647#if defined(MBEDTLS_SSL_RENEGOTIATION)
1648 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1649 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1650 ssl->renego_records_seen++;
1651
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1652 if( ssl->conf->renego_max_records >= 0 &&
1653 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1654 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1656 "but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1658 }
1659
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1660 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1661
1662 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1663 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1664 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1665#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1667 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1668 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1669 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1670 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1671 }
1672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1674 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1675 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1677 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1680 return( ssl_parse_hello_verify_request( ssl ) );
1681 }
1682 else
1683 {
1684 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1685 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1686 ssl->handshake->verify_cookie = NULL;
1687 ssl->handshake->verify_cookie_len = 0;
1688 }
1689 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1690#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1692 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1693 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1695 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1696 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1697 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1698 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1699 }
1700
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1701 /*
1702 * 0 . 1 server_version
1703 * 2 . 33 random (maybe including 4 bytes of Unix time)
1704 * 34 . 34 session_id length = n
1705 * 35 . 34+n session_id
1706 * 35+n . 36+n cipher_suite
1707 * 37+n . 37+n compression_method
1708 *
1709 * 38+n . 39+n extensions length (optional)
1710 * 40+n . .. extensions
1711 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1712 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1714 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1715 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1716 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1718 if( ssl->major_ver < ssl->conf->min_major_ver ||
1719 ssl->minor_ver < ssl->conf->min_minor_ver ||
1720 ssl->major_ver > ssl->conf->max_major_ver ||
1721 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1722 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1723 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1724 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1725 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1726 ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1727 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1728
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1729 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1730 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1731
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1732 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1733 }
1734
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +0100[diff] [blame]1735 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1736 ( (uint32_t) buf[2] << 24 ) |
1737 ( (uint32_t) buf[3] << 16 ) |
1738 ( (uint32_t) buf[4] << 8 ) |
1739 ( (uint32_t) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1741 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1742
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1743 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1745 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1746
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1747 if( n > 32 )
1748 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1749 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1750 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1751 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1752 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1753 }
1754
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1755 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1756 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1757 ext_len = ( ( buf[38 + n] << 8 )
1758 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1759
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1760 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1761 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1762 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1764 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1765 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1766 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1767 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1769 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1770 {
1771 ext_len = 0;
1772 }
1773 else
1774 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1775 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1776 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1777 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1778 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1779 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1780
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1781 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1782 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1783
1784 /*
1785 * Read and check compression
1786 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1787 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1789#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1790 /* See comments in ssl_write_client_hello() */
Manuel Pégourié-Gonnardff4bd9f2019-06-06 10:34:48 +0200[diff] [blame]1791 accept_comp = MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1792
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1793 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1794 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1795#else /* MBEDTLS_ZLIB_SUPPORT */
1796 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1797#endif/* MBEDTLS_ZLIB_SUPPORT */
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1798 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1799 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1800 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1801 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1802 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1803 }
1804
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1805 /*
1806 * Initialize update checksum functions
1807 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1808 server_suite_info = mbedtls_ssl_ciphersuite_from_id( i );
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1809#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1810 ssl->handshake->ciphersuite_info = server_suite_info;
1811#endif
1812 if( server_suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1813 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1814 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1815 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1816 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1817 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1818 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1819 mbedtls_ssl_optimize_checksum( ssl, server_suite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1820
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1821 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1822 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823
1824 /*
1825 * Check if the session can be resumed
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1826 *
1827 * We're only resuming a session if it was requested (handshake->resume
1828 * already set to 1 by mbedtls_ssl_set_session()), and further conditions
1829 * are satisfied (not renegotiating, ID and ciphersuite match, etc).
1830 *
1831 * Update handshake->resume to the value it will keep for the rest of the
1832 * handshake, and that will be used to determine the relative order
1833 * client/server last flights, as well as in handshake_wrapup().
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834 */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1835#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
1836 if( n == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]1837 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Hanno Beckere02758c2019-06-26 15:31:31 +0100[diff] [blame]1838 mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) != i ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1839 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1840 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1841 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842 {
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1843 ssl->handshake->resume = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1845#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
1846
1847 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1849 /* Resume a session */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1850 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1851
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1852 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1853 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1854 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1855 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1856 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1857 return( ret );
1858 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859 }
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1860 else
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1861 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1862 /* Start a new session */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1863 ssl->state++;
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1864#if defined(MBEDTLS_HAVE_TIME)
1865 ssl->session_negotiate->start = mbedtls_time( NULL );
1866#endif
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1867#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1868 ssl->session_negotiate->ciphersuite = i;
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1869#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1870 ssl->session_negotiate->compression = comp;
1871 ssl->session_negotiate->id_len = n;
1872 memcpy( ssl->session_negotiate->id, buf + 35, n );
1873 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1874
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Manuel Pégourié-Gonnard3652e992019-07-01 12:09:22 +0200[diff] [blame]1876 mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1877
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]1878 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1879 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1881 /*
1882 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1883 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1884 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
1885 ssl->minor_ver,
1886 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887 {
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1888 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1889 ssl->conf->min_minor_ver,
1890 ssl->conf->max_minor_ver ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891 {
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]1892 continue;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893 }
1894
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1895 if( ciphersuite_info != server_suite_info )
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]1896 continue;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1898 goto server_picked_valid_suite;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1899 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1900 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
1901
1902 /* If we reach this code-path, the server's chosen ciphersuite
1903 * wasn't among those advertised by us. */
1904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1905 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1906 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1907 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1908
1909server_picked_valid_suite:
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1910
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1911 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1912 mbedtls_ssl_suite_get_name( server_suite_info ) ) );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1913
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1914#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1915 if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1916 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1917 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1918 {
1919 ssl->handshake->ecrs_enabled = 1;
1920 }
1921#endif
1922
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1924#if defined(MBEDTLS_ZLIB_SUPPORT)
1925 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1926#endif
1927 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1929 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1930 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1931 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1932 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1934 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1935
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1936 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1937
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1939
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1940 while( ext_len )
1941 {
1942 unsigned int ext_id = ( ( ext[0] << 8 )
1943 | ( ext[1] ) );
1944 unsigned int ext_size = ( ( ext[2] << 8 )
1945 | ( ext[3] ) );
1946
1947 if( ext_size + 4 > ext_len )
1948 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1949 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1950 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1951 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1952 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1953 }
1954
1955 switch( ext_id )
1956 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1957 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1958 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1959#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1960 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1961#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1962
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1963 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1964 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1965 return( ret );
1966
1967 break;
1968
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1970 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1971 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1972
1973 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1974 ext + 4, ext_size ) ) != 0 )
1975 {
1976 return( ret );
1977 }
1978
1979 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1980#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1981
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1982#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1983 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1984 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1985
1986 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1987 ext + 4, ext_size ) ) != 0 )
1988 {
1989 return( ret );
1990 }
1991
1992 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1993#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1994
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1995#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1996 case MBEDTLS_TLS_EXT_CID:
1997 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
1998
1999 if( ( ret = ssl_parse_cid_ext( ssl,
2000 ext + 4,
2001 ext_size ) ) != 0 )
2002 {
2003 return( ret );
2004 }
2005
2006 break;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2007#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]2008
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2009#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2010 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2011 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2012
2013 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2014 ext + 4, ext_size ) ) != 0 )
2015 {
2016 return( ret );
2017 }
2018
2019 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2020#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2022#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2023 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2024 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2025
2026 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2027 ext + 4, ext_size ) ) != 0 )
2028 {
2029 return( ret );
2030 }
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2031 extended_ms_seen = 1;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2032
2033 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2035
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2036#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2037 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2038 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2039
2040 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2041 ext + 4, ext_size ) ) != 0 )
2042 {
2043 return( ret );
2044 }
2045
2046 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2047#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2048
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]2049#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2050 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2051 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2052 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2053
2054 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2055 ext + 4, ext_size ) ) != 0 )
2056 {
2057 return( ret );
2058 }
2059
2060 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2061#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2062 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2063
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2064#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2065 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2066 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2067
2068 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2069 ext + 4, ext_size ) ) != 0 )
2070 {
2071 return( ret );
2072 }
2073
2074 break;
2075#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2076
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2077#if defined(MBEDTLS_SSL_ALPN)
2078 case MBEDTLS_TLS_EXT_ALPN:
2079 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2080
2081 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2082 return( ret );
2083
2084 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2085#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2086
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2087 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2089 ext_id ) );
2090 }
2091
2092 ext_len -= 4 + ext_size;
2093 ext += 4 + ext_size;
2094
2095 if( ext_len > 0 && ext_len < 4 )
2096 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2098 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2099 }
2100 }
2101
2102 /*
2103 * Renegotiation security checks
2104 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2105 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2106 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2107 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2108 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2110 handshake_failure = 1;
2111 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112#if defined(MBEDTLS_SSL_RENEGOTIATION)
2113 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2114 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2115 renegotiation_info_seen == 0 )
2116 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2118 handshake_failure = 1;
2119 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2120 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2121 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2122 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2123 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2124 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2126 handshake_failure = 1;
2127 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2128 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2129 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2130 renegotiation_info_seen == 1 )
2131 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2133 handshake_failure = 1;
2134 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2135#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2136
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2137 /*
2138 * Check if extended master secret is being enforced
2139 */
2140#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]2141 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2142 MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2143 {
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2144 if( extended_ms_seen )
2145 {
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2146#if !defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2147 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2148#endif /* !MBEDTLS_SSL_EXTENDED_MS_ENFORCED */
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2149 }
2150 else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
2151 MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
2152 {
2153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2154 "secret, while it is enforced") );
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2155 handshake_failure = 1;
2156 }
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2157 }
2158#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2159
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2160 if( handshake_failure == 1 )
2161 {
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]2162 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2163 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2164 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2165 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2167 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2168
2169 return( 0 );
2170}
2171
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2172#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2173 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2174static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2175 unsigned char *end )
2176{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2177 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2178
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2179 /*
2180 * Ephemeral DH parameters:
2181 *
2182 * struct {
2183 * opaque dh_p<1..2^16-1>;
2184 * opaque dh_g<1..2^16-1>;
2185 * opaque dh_Ys<1..2^16-1>;
2186 * } ServerDHParams;
2187 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2188 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2189 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2190 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2191 return( ret );
2192 }
2193
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2194 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2195 {
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2196 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2197 ssl->handshake->dhm_ctx.len * 8,
2198 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2199 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2200 }
2201
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2202 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2203 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2204 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2205
2206 return( ret );
2207}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2208#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2209 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2210
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2212 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2213 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2214 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2215 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2216static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2217{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2218 const mbedtls_ecp_curve_info *curve_info;
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2219 mbedtls_ecp_group_id grp_id;
2220#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2221 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2222#else
2223 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2224#endif
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2225
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2226 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2227 if( curve_info == NULL )
2228 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2229 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2230 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2231 }
2232
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2234
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]2235#if defined(MBEDTLS_ECP_C)
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2236 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2237#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2238 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2239 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2240#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2241 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2242
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2243 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2244 MBEDTLS_DEBUG_ECDH_QP );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2245
2246 return( 0 );
2247}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2248#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2249 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2250 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2251 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2252 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2253
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2254#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2255 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2256 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2257static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2258 unsigned char **p,
2259 unsigned char *end )
2260{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2261 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2262
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2263 /*
2264 * Ephemeral ECDH parameters:
2265 *
2266 * struct {
2267 * ECParameters curve_params;
2268 * ECPoint public;
2269 * } ServerECDHParams;
2270 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2272 (const unsigned char **) p, end ) ) != 0 )
2273 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2274 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2275#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]2276 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2277 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2278#endif
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2279 return( ret );
2280 }
2281
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2282 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2283 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2285 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2286 }
2287
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2288 return( ret );
2289}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2290#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2291 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2292 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2293
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2294#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2295static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2296 unsigned char **p,
2297 unsigned char *end )
2298{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2299 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2300 size_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2301 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2302
2303 /*
2304 * PSK parameters:
2305 *
2306 * opaque psk_identity_hint<0..2^16-1>;
2307 */
Hanno Becker0c161d12018-10-08 13:40:50 +0100[diff] [blame]2308 if( end - (*p) < 2 )
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2309 {
2310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2311 "(psk_identity_hint length)" ) );
2312 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2313 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]2314 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2315 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2316
Hanno Becker8df10232018-10-10 15:48:39 +0100[diff] [blame]2317 if( end - (*p) < (int) len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2318 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2319 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2320 "(psk_identity_hint length)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2321 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2322 }
2323
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2324 /*
2325 * Note: we currently ignore the PKS identity hint, as we only allow one
2326 * PSK to be provisionned on the client. This could be changed later if
2327 * someone needs that feature.
2328 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2329 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2330 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2331
2332 return( ret );
2333}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2336#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2337 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2338/*
2339 * Generate a pre-master secret and encrypt it with the server's RSA key
2340 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2341static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2342 size_t offset, size_t *olen,
2343 size_t pms_offset )
2344{
2345 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2346 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2347 unsigned char *p = ssl->handshake->premaster + pms_offset;
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2348 mbedtls_pk_context *peer_pk = NULL;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2349
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2350 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2351 {
2352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2353 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2354 }
2355
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2356 /*
2357 * Generate (part of) the pre-master as
2358 * struct {
2359 * ProtocolVersion client_version;
2360 * opaque random[46];
2361 * } PreMasterSecret;
2362 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2363 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2364 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2365
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2366 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
2367 ( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2368 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2369 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2370 return( ret );
2371 }
2372
2373 ssl->handshake->pmslen = 48;
2374
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2375#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2376 /* Because the peer CRT pubkey is embedded into the handshake
2377 * params currently, and there's no 'is_init' functions for PK
2378 * contexts, we need to break the abstraction and peek into
2379 * the PK context to see if it has been initialized. */
2380 if( ssl->handshake->peer_pubkey.pk_info != NULL )
2381 peer_pk = &ssl->handshake->peer_pubkey;
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2382#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2383 if( ssl->session_negotiate->peer_cert != NULL )
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2384 {
2385 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2386 &peer_pk );
2387 if( ret != 0 )
2388 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2389 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2390 return( ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2391 }
2392 }
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2393#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2394
2395 if( peer_pk == NULL )
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2396 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2397 /* Should never happen */
Hanno Beckere9839c02019-02-26 11:51:06 +0000[diff] [blame]2398 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2399 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2400 }
2401
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2402 /*
2403 * Now write it out, encrypted
2404 */
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2405 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2406 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2408 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2409 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2410 }
2411
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2412 if( ( ret = mbedtls_pk_encrypt( peer_pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2413 p, ssl->handshake->pmslen,
2414 ssl->out_msg + offset + len_bytes, olen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2415 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2416 mbedtls_ssl_conf_get_frng( ssl->conf ),
2417 ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2418 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2419 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2420 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2421 }
2422
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2423#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2424 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2425 if( len_bytes == 2 )
2426 {
2427 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2428 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2429 *olen += 2;
2430 }
2431#endif
2432
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2433cleanup:
2434
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2435#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2436 /* We don't need the peer's public key anymore. Free it. */
2437 mbedtls_pk_free( peer_pk );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2438#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2439 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2440#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2441
2442 return( ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2443}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2444#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2445 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2446
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2447#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2448#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2449 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2450 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2451static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2452 unsigned char **p,
2453 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2454 mbedtls_md_type_t *md_alg,
2455 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2456{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2457 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2458 *md_alg = MBEDTLS_MD_NONE;
2459 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2460
2461 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2462 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2463 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2464 return( 0 );
2465 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2466
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2467 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2468 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2469
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2470 /*
2471 * Get hash algorithm
2472 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2473 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2474 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2476 "HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2477 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2478 }
2479
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2480 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2481 * Get signature algorithm
2482 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2483 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2484 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2485 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2486 "SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2487 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2488 }
2489
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2490 /*
2491 * Check if the hash is acceptable
2492 */
2493 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2494 {
Gilles Peskinecd3c8452017-05-09 14:57:45 +0200[diff] [blame]2495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2496 *(p)[0] ) );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2497 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2498 }
2499
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2500 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2502 *p += 2;
2503
2504 return( 0 );
2505}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2506#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2507 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2508 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2509#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2511#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2512 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2513static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2514{
2515 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2516 const mbedtls_ecp_keypair *peer_key;
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2517 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2518
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2519#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2520 peer_pk = &ssl->handshake->peer_pubkey;
2521#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2522 if( ssl->session_negotiate->peer_cert == NULL )
2523 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2524 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2526 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2527 }
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2528
2529 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2530 &peer_pk );
2531 if( ret != 0 )
2532 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2533 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2534 return( ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2535 }
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2536#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2537
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2538 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2539 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2541 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2542 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2543 }
2544
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2545 peer_key = mbedtls_pk_ec( *peer_pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2547 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2548 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2549 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2550 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2551 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2552 }
2553
2554 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2555 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2557 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
2558 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2559 }
2560
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2561cleanup:
2562
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2563#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2564 /* We don't need the peer's public key anymore. Free it,
2565 * so that more RAM is available for upcoming expensive
2566 * operations like ECDHE. */
2567 mbedtls_pk_free( peer_pk );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2568#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2569 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2570#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2571
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2572 return( ret );
2573}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2574#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2575 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2577static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2578{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2579 int ret;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2580 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2581 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2582 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2584 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2586#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2587 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2588 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2589 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2590 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2591 ssl->state++;
2592 return( 0 );
2593 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2594 ((void) p);
2595 ((void) end);
2596#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2598#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2599 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2600 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2601 MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2602 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2603 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2604 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2605 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2606 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2607 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2608 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2609 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2610 return( ret );
2611 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2612
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2613 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2614 ssl->state++;
2615 return( 0 );
2616 }
2617 ((void) p);
2618 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2619#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2620 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2621
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2622#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2623 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2624 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2625 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2626 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2627 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2628#endif
2629
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2630 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2631 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2632 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2633 return( ret );
2634 }
2635
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2636 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2637 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2638 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2639 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2640 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2641 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2642 }
2643
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2644 /*
2645 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2646 * doesn't use a psk_identity_hint
2647 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2648 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2649 {
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2650 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2651 == MBEDTLS_KEY_EXCHANGE_PSK ||
2652 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2653 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2654 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2655 /* Current message is probably either
2656 * CertificateRequest or ServerHelloDone */
2657 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2658 goto exit;
2659 }
2660
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2662 "not be skipped" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2663 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2664 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2666 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2667 }
2668
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2669#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2670 if( ssl->handshake->ecrs_enabled )
2671 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2672
2673start_processing:
2674#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2675 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2676 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2677 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2678
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2679#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2680 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2681 == MBEDTLS_KEY_EXCHANGE_PSK ||
2682 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2683 == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2684 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2685 == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2686 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2687 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2688 {
2689 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2690 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2692 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2693 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2694 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2695 }
2696 } /* FALLTROUGH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2697#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2699#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2700 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2701 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2702 == MBEDTLS_KEY_EXCHANGE_PSK ||
2703 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2704 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2705 {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2706 ; /* nothing more to do */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2707 }
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2708 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2709#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2710 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2711#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2712 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2713 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2714 == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2715 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2716 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2717 {
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2718 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2719 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2721 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2722 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2723 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2724 }
2725 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2726 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2727#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2728 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2729#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2730 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2731 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2732 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2733 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2734 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2735 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2736 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2737 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2738 {
2739 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2740 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2742 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2743 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2744 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2745 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2746 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2747 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2748#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2749 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2750 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2751#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2752 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2753 == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2754 {
2755 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2756 p, end - p );
2757 if( ret != 0 )
2758 {
2759 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2760 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2761 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2762 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2763 }
2764 }
2765 else
2766#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2767 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2768 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2769 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2770 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2771
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2772#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2773 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2774 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2775 size_t sig_len, hashlen;
2776 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2777 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2778 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2779 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2780 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2781 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2782
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2783 mbedtls_pk_context * peer_pk;
2784
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2785 /*
2786 * Handle the digitally-signed structure
2787 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2788#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2789 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2790 {
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2791 if( ssl_parse_signature_algorithm( ssl, &p, end,
2792 &md_alg, &pk_alg ) != 0 )
2793 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2794 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2795 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2796 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2797 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2798 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2800 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2801 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2802 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2803 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2804 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2805 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2806 }
2807 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2808 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2809#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2810#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2811 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2812 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2813 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2814 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2815
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2816 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2817 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2818 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2819 }
2820 else
2821#endif
2822 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2824 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2825 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2826
2827 /*
2828 * Read signature
2829 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2830
2831 if( p > end - 2 )
2832 {
2833 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2834 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2835 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2836 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2837 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2838 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2839 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2840
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +0100[diff] [blame]2841 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2844 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2845 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2846 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2847 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2849 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2850
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2851 /*
2852 * Compute the hash that has been signed
2853 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2854#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2855 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2856 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2857 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2858 hashlen = 36;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2859 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2860 params_len );
2861 if( ret != 0 )
Andres Amaya Garciaf0e521e2017-06-28 12:11:42 +0100[diff] [blame]2862 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2863 }
2864 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2865#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2866 MBEDTLS_SSL_PROTO_TLS1_1 */
2867#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2868 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2869 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2870 {
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2871 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2872 params, params_len,
2873 md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2874 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2875 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2876 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2877 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2878#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2879 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2880 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2881 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2882 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2883 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2884
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2885 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2886
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2887#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2888 peer_pk = &ssl->handshake->peer_pubkey;
2889#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2890 if( ssl->session_negotiate->peer_cert == NULL )
2891 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2892 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2893 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2894 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2895 }
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2896
2897 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2898 &peer_pk );
2899 if( ret != 0 )
2900 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2901 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2902 return( ret );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2903 }
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2904#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2905
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2906 /*
2907 * Verify signature
2908 */
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2909 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2910 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2912 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2913 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2914#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2915 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2916#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2917 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2918 }
2919
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2920#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2921 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2922 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2923#endif
2924
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2925 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2926 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2927 {
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2928#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2929 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2930#endif
2931 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2932 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2933 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2934#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2935 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2936 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2937#endif
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2938#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2939 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2940#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2941 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2942 }
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2943
2944#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2945 /* We don't need the peer's public key anymore. Free it,
2946 * so that more RAM is available for upcoming expensive
2947 * operations like ECDHE. */
2948 mbedtls_pk_free( peer_pk );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2949#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2950 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2951#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2952 }
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2953#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2954
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2955exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2956 ssl->state++;
2957
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2959
2960 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2961}
2962
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2963#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2964static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2965{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2966 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2967 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2968
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2969 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2970
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2971 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2972 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2973 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2974 ssl->state++;
2975 return( 0 );
2976 }
2977
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2979 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2980}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2981#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2982static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2983{
2984 int ret;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2985 unsigned char *buf;
2986 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2987 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2988 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2989 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2990
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2991 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2992
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2993 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2994 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2996 ssl->state++;
2997 return( 0 );
2998 }
2999
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3000 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3001 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3002 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3003 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3004 }
3005
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3006 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3007 {
3008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3009 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3010 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3011 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3012 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3013
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3014 ssl->state++;
3015 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3018 ssl->client_auth ? "a" : "no" ) );
3019
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3020 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3021 {
3022 /* Current message is probably the ServerHelloDone */
3023 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3024 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3025 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3026
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3027 /*
3028 * struct {
3029 * ClientCertificateType certificate_types<1..2^8-1>;
3030 * SignatureAndHashAlgorithm
3031 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3032 * DistinguishedName certificate_authorities<0..2^16-1>;
3033 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3034 *
3035 * Since we only support a single certificate on clients, let's just
3036 * ignore all the information that's supposed to help us pick a
3037 * certificate.
3038 *
3039 * We could check that our certificate matches the request, and bail out
3040 * if it doesn't, but it's simpler to just send the certificate anyway,
3041 * and give the server the opportunity to decide if it should terminate
3042 * the connection when it doesn't like our certificate.
3043 *
3044 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3045 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]3046 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3047 *
3048 * However, we still minimally parse the message to check it is at least
3049 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3050 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3051 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3052
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3053 /* certificate_types */
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]3054 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3055 {
3056 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3057 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3058 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3059 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3060 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3061 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3062 n = cert_type_len;
3063
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3064 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3065 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3066 * * the length of the signature algorithms field (if minor version of
3067 * SSL is 3),
3068 * * distinguished name length otherwise.
3069 * Both reach at most the index:
3070 * ...hdr_len + 2 + n,
3071 * therefore the buffer length at this point must be greater than that
3072 * regardless of the actual code path.
3073 */
3074 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3075 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3077 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3078 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3079 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3080 }
3081
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3082 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3083#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3084 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3085 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3086 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3087 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3088#if defined(MBEDTLS_DEBUG_C)
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3089 unsigned char* sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3090 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3091#endif
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3092
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3093 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3094 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3095 * sig_alg[i + 1],
3096 * where:
3097 * sig_alg = buf + ...hdr_len + 3 + n,
3098 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3099 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3100 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3101 * which reduces to:
3102 * buf[...hdr_len + 3 + n + sig_alg_len],
3103 * which is one less than we need the buf to be.
3104 */
3105 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
3106 {
3107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3108 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3109 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3110 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3111 }
3112
3113#if defined(MBEDTLS_DEBUG_C)
3114 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3115 for( i = 0; i < sig_alg_len; i += 2 )
3116 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3117 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
3118 ",%d", sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3119 }
3120#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3121
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3122 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3123 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3124#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3125
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3126 /* certificate_authorities */
3127 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3128 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3129
3130 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3131 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3132 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3134 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3135 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3136 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3137 }
3138
3139exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3140 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3141
3142 return( 0 );
3143}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3144#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3145
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3146static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3147{
3148 int ret;
3149
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3150 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3151
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3152 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3153 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3154 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3155 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3156 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3157
3158 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3159 {
3160 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3161 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3162 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3163
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3164 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3165 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3166 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3167 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3168 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3169 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3170 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3171 }
3172
3173 ssl->state++;
3174
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3175#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3176 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3177 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3178#endif
3179
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3181
3182 return( 0 );
3183}
3184
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3185static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3186{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3187 int ret;
3188 size_t i, n;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3189 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3190 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3191
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3192 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3194#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3195 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3196 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3197 /*
3198 * DHM key exchange -- send G^X mod P
3199 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3200 n = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3201
3202 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3203 ssl->out_msg[5] = (unsigned char)( n );
3204 i = 6;
3205
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3206 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3207 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3208 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3209 mbedtls_ssl_conf_get_frng( ssl->conf ),
3210 ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3211 if( ret != 0 )
3212 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3213 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3214 return( ret );
3215 }
3216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3217 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3218 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3219
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3220 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3221 ssl->handshake->premaster,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]3222 MBEDTLS_PREMASTER_SIZE,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +0200[diff] [blame]3223 &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3224 mbedtls_ssl_conf_get_frng( ssl->conf ),
3225 ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3226 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3227 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3228 return( ret );
3229 }
3230
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3231 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3232 }
3233 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3234#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3235#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3236 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3237 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3238 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3239 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3240 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3241 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3242 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3243 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3244 == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3245 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3246 == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3247 {
3248 /*
3249 * ECDH key exchange -- send client public value
3250 */
3251 i = 4;
3252
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3253#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3254 if( ssl->handshake->ecrs_enabled )
3255 {
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3256 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3257 goto ecdh_calc_secret;
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]3258
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3259 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3260 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3261#endif
3262
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3263 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3264 &n,
3265 &ssl->out_msg[i], 1000,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3266 mbedtls_ssl_conf_get_frng( ssl->conf ),
3267 ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3268 if( ret != 0 )
3269 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3270 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3271#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3272 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3273 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3274#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3275 return( ret );
3276 }
3277
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3278 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3279 MBEDTLS_DEBUG_ECDH_Q );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3280
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3281#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3282 if( ssl->handshake->ecrs_enabled )
3283 {
3284 ssl->handshake->ecrs_n = n;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3285 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3286 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3287
3288ecdh_calc_secret:
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3289 if( ssl->handshake->ecrs_enabled )
3290 n = ssl->handshake->ecrs_n;
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3291#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3292 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3293 &ssl->handshake->pmslen,
3294 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3295 MBEDTLS_MPI_MAX_SIZE,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3296 mbedtls_ssl_conf_get_frng( ssl->conf ),
3297 ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3298 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3299 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3300#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3301 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3302 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3303#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3304 return( ret );
3305 }
3306
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3307 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3308 MBEDTLS_DEBUG_ECDH_Z );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3309 }
3310 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3311#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3312 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3313 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3314 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3315#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3316 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3317 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3318 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3319 * opaque psk_identity<0..2^16-1>;
3320 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3321 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3322 {
3323 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3324 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3325 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3326
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3327 i = 4;
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3328 n = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3329
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3330 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3331 {
3332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3333 "SSL buffer too short" ) );
3334 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3335 }
3336
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3337 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3338 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3339
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3340 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
3341 i += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3343#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3344 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3345 == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3346 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3347 n = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3348 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3349 else
3350#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3351#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3352 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3353 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3354 {
3355 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3356 return( ret );
3357 }
3358 else
3359#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3360#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3361 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3362 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3363 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3364 /*
3365 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3366 */
3367 n = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3368
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3369 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3370 {
3371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3372 " or SSL buffer too short" ) );
3373 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3374 }
3375
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3376 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3377 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3378
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3379 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3380 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3381 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3382 mbedtls_ssl_conf_get_frng( ssl->conf ),
3383 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3384 if( ret != 0 )
3385 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3386 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3387 return( ret );
3388 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3389 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3390 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3391#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3392#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3393 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3394 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3395 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3396 /*
3397 * ClientECDiffieHellmanPublic public;
3398 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3399 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3400 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3401 mbedtls_ssl_conf_get_frng( ssl->conf ),
3402 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3403 if( ret != 0 )
3404 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3405 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3406 return( ret );
3407 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3408
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3409 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3410 MBEDTLS_DEBUG_ECDH_Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3411 }
3412 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3413#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3414 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3415 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3416 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3417 }
3418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3419 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3420 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3421 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3422 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3423 return( ret );
3424 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3425 }
3426 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3427#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3428#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3429 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3430 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3431 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3432 i = 4;
3433 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]3434 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3435 }
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3436 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3437#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3438#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3439 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3440 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3441 {
3442 i = 4;
3443
3444 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3445 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3446 mbedtls_ssl_conf_get_frng( ssl->conf ),
3447 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3448 if( ret != 0 )
3449 {
3450 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3451 return( ret );
3452 }
3453
3454 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3455 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3456 mbedtls_ssl_conf_get_frng( ssl->conf ),
3457 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3458 if( ret != 0 )
3459 {
3460 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3461 return( ret );
3462 }
3463 }
3464 else
3465#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3466 {
3467 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3469 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3470 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3471
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3472 ssl->out_msglen = i + n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3473 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3474 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3475
3476 ssl->state++;
3477
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3478 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3479 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3480 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3481 return( ret );
3482 }
3483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3484 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3485
3486 return( 0 );
3487}
3488
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3489#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3490static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3491{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3492 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3493 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3494 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3495
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3496 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3498 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3499 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3500 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3501 return( ret );
3502 }
3503
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3504 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3505 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3506 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3507 ssl->state++;
3508 return( 0 );
3509 }
3510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3512 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3513}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3514#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3515static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3516{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3517 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3518 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3519 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3520 size_t n = 0, offset = 0;
3521 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3522 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3523 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3524 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3525 void *rs_ctx = NULL;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3527 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3528
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3529#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3530 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3531 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3532 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3533 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3534 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3535#endif
3536
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3537 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3538 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3539 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3540 return( ret );
3541 }
3542
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3543 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3544 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3546 ssl->state++;
3547 return( 0 );
3548 }
3549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3550 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3551 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3552 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3553 ssl->state++;
3554 return( 0 );
3555 }
3556
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3557 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3558 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3559 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3560 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3561 }
3562
3563 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3564 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3565 */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3566#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3567 if( ssl->handshake->ecrs_enabled )
3568 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3569
3570sign:
3571#endif
3572
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3573 ssl->handshake->calc_verify( ssl, hash, &hashlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3575#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3576 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3577 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3578 {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3579 /*
3580 * digitally-signed struct {
3581 * opaque md5_hash[16];
3582 * opaque sha_hash[20];
3583 * };
3584 *
3585 * md5_hash
3586 * MD5(handshake_messages);
3587 *
3588 * sha_hash
3589 * SHA(handshake_messages);
3590 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3591 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3592
3593 /*
3594 * For ECDSA, default hash is SHA-1 only
3595 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3596 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3597 {
3598 hash_start += 16;
3599 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3600 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3601 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3602 }
3603 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3604#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3605 MBEDTLS_SSL_PROTO_TLS1_1 */
3606#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3607 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3608 {
3609 /*
3610 * digitally-signed struct {
3611 * opaque handshake_messages[handshake_messages_length];
3612 * };
3613 *
3614 * Taking shortcut here. We assume that the server always allows the
3615 * PRF Hash function and has sent it in the allowed signature
3616 * algorithms list received in the Certificate Request message.
3617 *
3618 * Until we encounter a server that does not, we will take this
3619 * shortcut.
3620 *
3621 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3622 * in order to satisfy 'weird' needs from the server side.
3623 */
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3624 if( mbedtls_ssl_suite_get_mac(
3625 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3626 == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3627 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3628 md_alg = MBEDTLS_MD_SHA384;
3629 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3630 }
3631 else
3632 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3633 md_alg = MBEDTLS_MD_SHA256;
3634 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3635 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3636 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3637
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]3638 /* Info from md_alg will be used instead */
3639 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3640 offset = 2;
3641 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3642 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3643#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3644 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3645 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3646 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3647 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3648
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3649#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3650 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3651 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3652#endif
3653
3654 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3655 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3656 ssl->out_msg + 6 + offset, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3657 mbedtls_ssl_conf_get_frng( ssl->conf ),
3658 ssl->conf->p_rng, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3659 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3660 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3661#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3662 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3663 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3664#endif
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3665 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3666 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3667
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3668 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3669 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3670
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3671 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3672 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3673 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3674
3675 ssl->state++;
3676
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3677 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3678 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3679 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3680 return( ret );
3681 }
3682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3684
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3685 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3686}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3687#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3688
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3689#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3690static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3691{
3692 int ret;
3693 uint32_t lifetime;
3694 size_t ticket_len;
3695 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3696 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3698 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3699
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3700 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3701 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3702 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3703 return( ret );
3704 }
3705
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3706 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3707 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3709 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3710 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3711 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3712 }
3713
3714 /*
3715 * struct {
3716 * uint32 ticket_lifetime_hint;
3717 * opaque ticket<0..2^16-1>;
3718 * } NewSessionTicket;
3719 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3720 * 0 . 3 ticket_lifetime_hint
3721 * 4 . 5 ticket_len (n)
3722 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3723 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3724 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3725 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3726 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3727 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3728 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3729 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3730 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3731 }
3732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3733 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3734
Philippe Antoineb5b25432018-05-11 11:06:29 +0200[diff] [blame]3735 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3736 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3737
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3738 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3739
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3740 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3741 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3743 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3744 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3745 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3746 }
3747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3748 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3749
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3750 /* We're not waiting for a NewSessionTicket message any more */
3751 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3752 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3753
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3754 /*
3755 * Zero-length ticket means the server changed his mind and doesn't want
3756 * to send a ticket after all, so just forget it
3757 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]3758 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3759 return( 0 );
3760
Hanno Becker3d699e42019-01-30 14:46:35 +0000[diff] [blame]3761 if( ssl->session != NULL && ssl->session->ticket != NULL )
3762 {
3763 mbedtls_platform_zeroize( ssl->session->ticket,
3764 ssl->session->ticket_len );
3765 mbedtls_free( ssl->session->ticket );
3766 ssl->session->ticket = NULL;
3767 ssl->session->ticket_len = 0;
3768 }
3769
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]3770 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3771 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3772 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3773 ssl->session_negotiate->ticket = NULL;
3774 ssl->session_negotiate->ticket_len = 0;
3775
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3776 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3777 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3779 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3780 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3781 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3782 }
3783
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3784 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3785
3786 ssl->session_negotiate->ticket = ticket;
3787 ssl->session_negotiate->ticket_len = ticket_len;
3788 ssl->session_negotiate->ticket_lifetime = lifetime;
3789
3790 /*
3791 * RFC 5077 section 3.4:
3792 * "If the client receives a session ticket from the server, then it
3793 * discards any Session ID that was sent in the ServerHello."
3794 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3795 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3796 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3797
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3798 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3799
3800 return( 0 );
3801}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3802#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3803
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3804/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3805 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3806 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3807int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3808{
3809 int ret = 0;
3810
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +0200[diff] [blame]3811 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3812 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3814 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3815
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3816 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3817 return( ret );
3818
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3819#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3820 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3821 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3822 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3823 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3824 return( ret );
3825 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3826#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3827
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3828 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3829 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3830#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3831 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3832 ssl->handshake->new_session_ticket != 0 )
3833 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3834 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3835 }
3836#endif
3837
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3838 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3839 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3840 case MBEDTLS_SSL_HELLO_REQUEST:
3841 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3842 break;
3843
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3844 /*
3845 * ==> ClientHello
3846 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3847 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3848 ret = ssl_write_client_hello( ssl );
3849 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3850
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3851 /*
3852 * <== ServerHello
3853 * Certificate
3854 * ( ServerKeyExchange )
3855 * ( CertificateRequest )
3856 * ServerHelloDone
3857 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3858 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3859 ret = ssl_parse_server_hello( ssl );
3860 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3862 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3863 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3864 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3865
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3866 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3867 ret = ssl_parse_server_key_exchange( ssl );
3868 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3869
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3870 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3871 ret = ssl_parse_certificate_request( ssl );
3872 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3873
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3874 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3875 ret = ssl_parse_server_hello_done( ssl );
3876 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3877
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3878 /*
3879 * ==> ( Certificate/Alert )
3880 * ClientKeyExchange
3881 * ( CertificateVerify )
3882 * ChangeCipherSpec
3883 * Finished
3884 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3885 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3886 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3887 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3888
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3889 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3890 ret = ssl_write_client_key_exchange( ssl );
3891 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3892
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3893 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3894 ret = ssl_write_certificate_verify( ssl );
3895 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3896
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3897 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3898 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3899 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3900
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3901 case MBEDTLS_SSL_CLIENT_FINISHED:
3902 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3903 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3904
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3905 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3906 * <== ( NewSessionTicket )
3907 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3908 * Finished
3909 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3910#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3911 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3912 ret = ssl_parse_new_session_ticket( ssl );
3913 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3914#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3915
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3916 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3917 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3918 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3919
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3920 case MBEDTLS_SSL_SERVER_FINISHED:
3921 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3922 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3924 case MBEDTLS_SSL_FLUSH_BUFFERS:
3925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3926 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3927 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3928
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3929 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3930 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3931 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3932
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3933 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3934 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3935 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3936 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3937
3938 return( ret );
3939}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3940#endif /* MBEDTLS_SSL_CLI_C */