TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0f1660ab4f1dc966c0298ab102476c7588edcafb / . / library / ssl_cli.c
blob: 3b7dde076a288f0f1deeddb9aa52848d623860dc [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]23#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]30#include "mbedtls/debug.h"
31#include "mbedtls/ssl.h"
Manuel Pégourié-Gonnard5e94dde2015-05-26 11:57:05 +0200[diff] [blame]32#include "mbedtls/ssl_internal.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]34#include <string.h>
35
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]38#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]39#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]40#define mbedtls_calloc calloc
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]42#endif
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]44#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_HAVE_TIME)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47#include <time.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]51/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52static void mbedtls_zeroize( void *v, size_t n ) {
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]53 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
54}
55#endif
56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
58static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]59 unsigned char *buf,
60 size_t *olen )
61{
62 unsigned char *p = buf;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]63 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]64
65 *olen = 0;
66
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]67 if( ssl->hostname == NULL )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]68 return;
69
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]70 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]71 ssl->hostname ) );
72
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]73 hostname_len = strlen( ssl->hostname );
74
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]75 /*
76 * struct {
77 * NameType name_type;
78 * select (name_type) {
79 * case host_name: HostName;
80 * } name;
81 * } ServerName;
82 *
83 * enum {
84 * host_name(0), (255)
85 * } NameType;
86 *
87 * opaque HostName<1..2^16-1>;
88 *
89 * struct {
90 * ServerName server_name_list<1..2^16-1>
91 * } ServerNameList;
92 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
94 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]95
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]96 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
97 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]98
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]99 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
100 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]102 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]103 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
104 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]105
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]106 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]107
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]108 *olen = hostname_len + 9;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]109}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]110#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]112#if defined(MBEDTLS_SSL_RENEGOTIATION)
113static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]114 unsigned char *buf,
115 size_t *olen )
116{
117 unsigned char *p = buf;
118
119 *olen = 0;
120
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]121 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]122 return;
123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]125
126 /*
127 * Secure renegotiation
128 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]129 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
130 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]131
132 *p++ = 0x00;
133 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
134 *p++ = ssl->verify_data_len & 0xFF;
135
136 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
137
138 *olen = 5 + ssl->verify_data_len;
139}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]140#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]141
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]142/*
143 * Only if we handle at least one key exchange that needs signatures.
144 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]145#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
146 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
147static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]148 unsigned char *buf,
149 size_t *olen )
150{
151 unsigned char *p = buf;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]152 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]153 const int *md;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]154#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]155 unsigned char *sig_alg_list = buf + 6;
156#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]157
158 *olen = 0;
159
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]160 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]161 return;
162
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]163 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]164
165 /*
166 * Prepare signature_algorithms extension (TLS 1.2)
167 */
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]168 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
169 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]170#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]171 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
172 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]173#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]174#if defined(MBEDTLS_RSA_C)
175 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
176 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]177#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]178 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]179
180 /*
181 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]182 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
183 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]184 * } HashAlgorithm;
185 *
186 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
187 * SignatureAlgorithm;
188 *
189 * struct {
190 * HashAlgorithm hash;
191 * SignatureAlgorithm signature;
192 * } SignatureAndHashAlgorithm;
193 *
194 * SignatureAndHashAlgorithm
195 * supported_signature_algorithms<2..2^16-2>;
196 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]197 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
198 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]199
200 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
201 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
202
203 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
204 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
205
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]206 *olen = 6 + sig_alg_len;
207}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]208#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
209 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]210
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]211#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]212 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]213static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]214 unsigned char *buf,
215 size_t *olen )
216{
217 unsigned char *p = buf;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100[diff] [blame]218 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]219 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]220 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]221#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]222 const mbedtls_ecp_group_id *grp_id;
Paul Bakker0910f322014-02-06 13:41:18 +0100[diff] [blame]223#else
224 ((void) ssl);
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]225#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]226
227 *olen = 0;
228
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]229 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]230
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]231#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]232 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]233 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]234 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]235#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]236 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100[diff] [blame]237 {
238#endif
239
240 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
241 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200[diff] [blame]242 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200[diff] [blame]243
244 if( elliptic_curve_len == 0 )
245 return;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]246
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]247 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
248 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]249
250 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
251 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
252
253 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
254 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
255
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]256 *olen = 6 + elliptic_curve_len;
257}
258
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]259static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]260 unsigned char *buf,
261 size_t *olen )
262{
263 unsigned char *p = buf;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]264 ((void) ssl);
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]265
266 *olen = 0;
267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]268 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]270 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
271 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]272
273 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]274 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]275
276 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]277 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]278
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]279 *olen = 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]280}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]281#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]282
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]283#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]284static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
285 unsigned char *buf,
286 size_t *olen )
287{
288 int ret;
289 unsigned char *p = buf;
290 const unsigned char *end = ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN;
291 size_t kkpp_len;
292
293 *olen = 0;
294
295 /* Skip costly extension if we can't use EC J-PAKE anyway */
296 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
297 return;
298
299 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
300
301 if( end - p < 4 )
302 {
303 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
304 return;
305 }
306
307 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
308 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
309
310 if( ( ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
311 p + 2, end - p - 2, &kkpp_len,
312 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
313 {
314 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
315 return;
316 }
317
318 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
319 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
320
321 *olen = kkpp_len + 4;
322}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]323#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]325#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
326static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]327 unsigned char *buf,
328 size_t *olen )
329{
330 unsigned char *p = buf;
331
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]332 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]333 *olen = 0;
334 return;
335 }
336
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]337 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]338
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]339 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
340 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]341
342 *p++ = 0x00;
343 *p++ = 1;
344
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]345 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]346
347 *olen = 5;
348}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]349#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]350
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]351#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
352static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]353 unsigned char *buf, size_t *olen )
354{
355 unsigned char *p = buf;
356
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]357 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]358 {
359 *olen = 0;
360 return;
361 }
362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]365 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
366 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]367
368 *p++ = 0x00;
369 *p++ = 0x00;
370
371 *olen = 4;
372}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]373#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]374
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]375#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
376static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]377 unsigned char *buf, size_t *olen )
378{
379 unsigned char *p = buf;
380
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]381 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
382 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]383 {
384 *olen = 0;
385 return;
386 }
387
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]388 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]389 "extension" ) );
390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]391 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
392 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]393
394 *p++ = 0x00;
395 *p++ = 0x00;
396
397 *olen = 4;
398}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]399#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]400
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]401#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
402static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]403 unsigned char *buf, size_t *olen )
404{
405 unsigned char *p = buf;
406
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]407 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
408 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]409 {
410 *olen = 0;
411 return;
412 }
413
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]414 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]415 "extension" ) );
416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]417 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
418 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]419
420 *p++ = 0x00;
421 *p++ = 0x00;
422
423 *olen = 4;
424}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]425#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]426
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]427#if defined(MBEDTLS_SSL_SESSION_TICKETS)
428static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]429 unsigned char *buf, size_t *olen )
430{
431 unsigned char *p = buf;
432 size_t tlen = ssl->session_negotiate->ticket_len;
433
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]434 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]435 {
436 *olen = 0;
437 return;
438 }
439
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]442 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
443 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]444
445 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
446 *p++ = (unsigned char)( ( tlen ) & 0xFF );
447
448 *olen = 4;
449
450 if( ssl->session_negotiate->ticket == NULL ||
451 ssl->session_negotiate->ticket_len == 0 )
452 {
453 return;
454 }
455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]456 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]457
458 memcpy( p, ssl->session_negotiate->ticket, tlen );
459
460 *olen += tlen;
461}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]462#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464#if defined(MBEDTLS_SSL_ALPN)
465static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]466 unsigned char *buf, size_t *olen )
467{
468 unsigned char *p = buf;
469 const char **cur;
470
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]471 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]472 {
473 *olen = 0;
474 return;
475 }
476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
480 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]481
482 /*
483 * opaque ProtocolName<1..2^8-1>;
484 *
485 * struct {
486 * ProtocolName protocol_name_list<2..2^16-1>
487 * } ProtocolNameList;
488 */
489
490 /* Skip writing extension and list length for now */
491 p += 4;
492
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]493 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]494 {
495 *p = (unsigned char)( strlen( *cur ) & 0xFF );
496 memcpy( p + 1, *cur, *p );
497 p += 1 + *p;
498 }
499
500 *olen = p - buf;
501
502 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
503 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
504 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
505
506 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
507 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
508 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
509}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]510#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]511
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]512/*
513 * Generate random bytes for ClientHello
514 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]516{
517 int ret;
518 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519#if defined(MBEDTLS_HAVE_TIME)
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]520 time_t t;
521#endif
522
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]523 /*
524 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
525 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]526#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]527 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]528 ssl->handshake->verify_cookie != NULL )
529 {
530 return( 0 );
531 }
532#endif
533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]534#if defined(MBEDTLS_HAVE_TIME)
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]535 t = time( NULL );
536 *p++ = (unsigned char)( t >> 24 );
537 *p++ = (unsigned char)( t >> 16 );
538 *p++ = (unsigned char)( t >> 8 );
539 *p++ = (unsigned char)( t );
540
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]541 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]542#else
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]543 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]544 return( ret );
545
546 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]547#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]548
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]549 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]550 return( ret );
551
552 return( 0 );
553}
554
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]555static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]557 int ret;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]558 size_t i, n, olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]560 unsigned char *p, *q;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]561 unsigned char offer_compress;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]562 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]567 if( ssl->conf->f_rng == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]568 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
570 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]571 }
572
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]573#if defined(MBEDTLS_SSL_RENEGOTIATION)
574 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]575#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]576 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]577 ssl->major_ver = ssl->conf->min_major_ver;
578 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]579 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]580
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]581 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]582 {
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]583 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
584 "consider using mbedtls_ssl_config_defaults()" ) );
585 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]586 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587
588 /*
589 * 0 . 0 handshake type
590 * 1 . 3 handshake length
591 * 4 . 5 highest version supported
592 * 6 . 9 current UNIX time
593 * 10 . 37 random bytes
594 */
595 buf = ssl->out_msg;
596 p = buf + 4;
597
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]598 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
599 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]600 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]602 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]603 buf[4], buf[5] ) );
604
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]605 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
606 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]607 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]608 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]609 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]610
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]611 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]612 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]613 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614
615 /*
616 * 38 . 38 session id length
617 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]618 * 39+n . 39+n DTLS only: cookie length (1 byte)
619 * 40+n . .. DTSL only: cookie
620 * .. . .. ciphersuitelist length (2 bytes)
621 * .. . .. ciphersuitelist
622 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]623 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]624 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]625 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]627 n = ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]629 if( n < 16 || n > 32 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]630#if defined(MBEDTLS_SSL_RENEGOTIATION)
631 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]632#endif
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]633 ssl->handshake->resume == 0 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]634 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]635 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]636 }
637
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]638#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]639 /*
640 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
641 * generate and include a Session ID in the TLS ClientHello."
642 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643#if defined(MBEDTLS_SSL_RENEGOTIATION)
644 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]645#endif
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000[diff] [blame]646 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]647 if( ssl->session_negotiate->ticket != NULL &&
648 ssl->session_negotiate->ticket_len != 0 )
649 {
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]650 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]651
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]652 if( ret != 0 )
653 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]654
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]655 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000[diff] [blame]656 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]657 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659
660 *p++ = (unsigned char) n;
661
662 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]663 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]665 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
666 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]668 /*
669 * DTLS cookie
670 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]672 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]673 {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]674 if( ssl->handshake->verify_cookie == NULL )
675 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]677 *p++ = 0;
678 }
679 else
680 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]681 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]682 ssl->handshake->verify_cookie,
683 ssl->handshake->verify_cookie_len );
684
685 *p++ = ssl->handshake->verify_cookie_len;
686 memcpy( p, ssl->handshake->verify_cookie,
687 ssl->handshake->verify_cookie_len );
688 p += ssl->handshake->verify_cookie_len;
689 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]690 }
691#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]693 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]694 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]695 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]696 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]697
698 /* Skip writing ciphersuite length for now */
699 n = 0;
700 q = p;
701 p += 2;
702
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]703 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]706
707 if( ciphersuite_info == NULL )
708 continue;
709
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]710 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver ||
711 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]712 continue;
713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]714#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]715 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]716 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
Manuel Pégourié-Gonnardd6664512014-02-06 13:26:57 +0100[diff] [blame]717 continue;
718#endif
719
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]720#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]721 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]722 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]723 continue;
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]724#endif
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]725
Manuel Pégourié-Gonnardddf97a62015-09-16 09:58:31 +0200[diff] [blame]726#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
727 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
728 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
729 continue;
730#endif
731
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
733 ciphersuites[i] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]735 n++;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]736 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
737 *p++ = (unsigned char)( ciphersuites[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]738 }
739
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]740 /*
741 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
742 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]743#if defined(MBEDTLS_SSL_RENEGOTIATION)
744 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]745#endif
746 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]747 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
748 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]749 n++;
750 }
751
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]752 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]753#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]754 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]755 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]756 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
757 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
758 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]759 n++;
760 }
761#endif
762
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]763 *q++ = (unsigned char)( n >> 7 );
764 *q++ = (unsigned char)( n << 1 );
765
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]766 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]768#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]769 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]770#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]771 offer_compress = 0;
772#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]774 /*
775 * We don't support compression with DTLS right now: is many records come
776 * in the same datagram, uncompressing one could overwrite the next one.
777 * We don't want to add complexity for handling that case unless there is
778 * an actual need for it.
779 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]780#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]781 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]782 offer_compress = 0;
783#endif
784
785 if( offer_compress )
786 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]787 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
788 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
789 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]790
791 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]792 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
793 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]794 }
795 else
796 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]797 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
799 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]800
801 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]802 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]803 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]805 // First write extensions, then the total length
806 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]807#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]808 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
809 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]810#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]811
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]812#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]813 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
814 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]815#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]816
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]817#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
818 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]819 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
820 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]821#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]822
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]823#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]824 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]825 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
826 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]827
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]828 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
829 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]830#endif
831
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]832#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]833 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
834 ext_len += olen;
835#endif
836
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]837#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]838 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
839 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]840#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]841
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]842#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]843 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
844 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]845#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]846
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]847#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]848 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
849 ext_len += olen;
850#endif
851
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]852#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]853 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
854 ext_len += olen;
855#endif
856
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]857#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]858 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
859 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]860#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]862#if defined(MBEDTLS_SSL_ALPN)
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]863 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
864 ext_len += olen;
865#endif
866
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]867 /* olen unused if all extensions are disabled */
868 ((void) olen);
869
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]871 ext_len ) );
872
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]873 if( ext_len > 0 )
874 {
875 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
876 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
877 p += ext_len;
878 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]879
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]880 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]881 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
882 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883
884 ssl->state++;
885
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]886#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]887 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]888 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]889#endif
890
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]891 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]892 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]894 return( ret );
895 }
896
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]897 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898
899 return( 0 );
900}
901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]902static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]903 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]904 size_t len )
905{
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]906 int ret;
907
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]908#if defined(MBEDTLS_SSL_RENEGOTIATION)
909 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]910 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]911 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]912 if( len != 1 + ssl->verify_data_len * 2 ||
913 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]914 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]915 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]916 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]917 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]918 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]919 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]921 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]922 return( ret );
923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]924 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]925 }
926 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]927 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]928#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]929 {
930 if( len != 1 || buf[0] != 0x00 )
931 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]933
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]934 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]935 return( ret );
936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]937 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]938 }
939
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]940 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]941 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]942
943 return( 0 );
944}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]945
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]946#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
947static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]948 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]949 size_t len )
950{
951 /*
952 * server should use the extension only if we did,
953 * and if so the server's value should match ours (and len is always 1)
954 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]955 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]956 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]957 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]958 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]959 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]960 }
961
962 return( 0 );
963}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]964#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]966#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
967static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]968 const unsigned char *buf,
969 size_t len )
970{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]971 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]972 len != 0 )
973 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]974 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]975 }
976
977 ((void) buf);
978
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]979 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]980
981 return( 0 );
982}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]983#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]984
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]985#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
986static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]987 const unsigned char *buf,
988 size_t len )
989{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]990 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]991 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]992 len != 0 )
993 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]994 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]995 }
996
997 ((void) buf);
998
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]999 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1000
1001 return( 0 );
1002}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1003#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1005#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1006static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1007 const unsigned char *buf,
1008 size_t len )
1009{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1010 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1012 len != 0 )
1013 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1014 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1015 }
1016
1017 ((void) buf);
1018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1019 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1020
1021 return( 0 );
1022}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1024
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1025#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1026static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1027 const unsigned char *buf,
1028 size_t len )
1029{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1030 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1031 len != 0 )
1032 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1033 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1034 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1035
1036 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1037
1038 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1039
1040 return( 0 );
1041}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1042#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1043
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1045static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1046 const unsigned char *buf,
1047 size_t len )
1048{
1049 size_t list_size;
1050 const unsigned char *p;
1051
1052 list_size = buf[0];
1053 if( list_size + 1 != len )
1054 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1056 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1057 }
1058
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1059 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1060 while( list_size > 0 )
1061 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1063 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1064 {
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1065 ssl->handshake->ecdh_ctx.point_format = p[0];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1067 return( 0 );
1068 }
1069
1070 list_size--;
1071 p++;
1072 }
1073
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1074 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1075 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1076}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1077#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1078
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1079#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1080static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1081 const unsigned char *buf,
1082 size_t len )
1083{
1084 int ret;
1085
1086 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1087 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1088 {
1089 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1090 return( 0 );
1091 }
1092
1093 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1094 buf, len ) ) != 0 )
1095 {
1096 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1097 return( ret );
1098 }
1099
1100 return( 0 );
1101}
1102#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1103
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1104#if defined(MBEDTLS_SSL_ALPN)
1105static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1106 const unsigned char *buf, size_t len )
1107{
1108 size_t list_len, name_len;
1109 const char **p;
1110
1111 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1112 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1113 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1114
1115 /*
1116 * opaque ProtocolName<1..2^8-1>;
1117 *
1118 * struct {
1119 * ProtocolName protocol_name_list<2..2^16-1>
1120 * } ProtocolNameList;
1121 *
1122 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1123 */
1124
1125 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1126 if( len < 4 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1127 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1128
1129 list_len = ( buf[0] << 8 ) | buf[1];
1130 if( list_len != len - 2 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1131 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1132
1133 name_len = buf[2];
1134 if( name_len != list_len - 1 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1135 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1136
1137 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1138 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1139 {
1140 if( name_len == strlen( *p ) &&
1141 memcmp( buf + 3, *p, name_len ) == 0 )
1142 {
1143 ssl->alpn_chosen = *p;
1144 return( 0 );
1145 }
1146 }
1147
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1148 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1149}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1150#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1151
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1152/*
1153 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1154 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1155#if defined(MBEDTLS_SSL_PROTO_DTLS)
1156static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1157{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1158 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1159 int major_ver, minor_ver;
1160 unsigned char cookie_len;
1161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1163
1164 /*
1165 * struct {
1166 * ProtocolVersion server_version;
1167 * opaque cookie<0..2^8-1>;
1168 * } HelloVerifyRequest;
1169 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1170 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1171 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1172 p += 2;
1173
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1174 /*
1175 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1176 * even is lower than our min version.
1177 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1178 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1179 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1180 major_ver > ssl->conf->max_major_ver ||
1181 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1182 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1184
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1185 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1186 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1187
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1188 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1189 }
1190
1191 cookie_len = *p++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1192 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1194 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1195
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1196 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1197 if( ssl->handshake->verify_cookie == NULL )
1198 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1199 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1200 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1201 }
1202
1203 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1204 ssl->handshake->verify_cookie_len = cookie_len;
1205
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1206 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1207 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1208 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1209
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1210 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1211
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1213
1214 return( 0 );
1215}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1216#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1217
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1218static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1219{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1220 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1221 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1222 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1223 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1224 unsigned char comp;
1225#if defined(MBEDTLS_ZLIB_SUPPORT)
1226 int accept_comp;
1227#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1229 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1230#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1231 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1232 const mbedtls_ssl_ciphersuite_t *suite_info;
1233#if defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnard1032c1d2013-09-18 17:18:34 +0200[diff] [blame]1234 uint32_t t;
1235#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239 buf = ssl->in_msg;
1240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1241 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1242 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1243 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244 return( ret );
1245 }
1246
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1247 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1248 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1249#if defined(MBEDTLS_SSL_RENEGOTIATION)
1250 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1251 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1252 ssl->renego_records_seen++;
1253
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1254 if( ssl->conf->renego_max_records >= 0 &&
1255 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1256 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1257 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1258 "but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1259 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1260 }
1261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1263 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1264 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1265#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1266
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1268 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269 }
1270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1271#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1272 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1273 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1274 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1275 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1277 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1278 return( ssl_parse_hello_verify_request( ssl ) );
1279 }
1280 else
1281 {
1282 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1283 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1284 ssl->handshake->verify_cookie = NULL;
1285 ssl->handshake->verify_cookie_len = 0;
1286 }
1287 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1288#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1290 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1291 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1292 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1295 }
1296
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1297 /*
1298 * 0 . 1 server_version
1299 * 2 . 33 random (maybe including 4 bytes of Unix time)
1300 * 34 . 34 session_id length = n
1301 * 35 . 34+n session_id
1302 * 35+n . 36+n cipher_suite
1303 * 37+n . 37+n compression_method
1304 *
1305 * 38+n . 39+n extensions length (optional)
1306 * 40+n . .. extensions
1307 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1308 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1309
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1310 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1311 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1312 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1314 if( ssl->major_ver < ssl->conf->min_major_ver ||
1315 ssl->minor_ver < ssl->conf->min_minor_ver ||
1316 ssl->major_ver > ssl->conf->max_major_ver ||
1317 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1318 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1320 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1321 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1322 ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1323 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1326 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1328 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1329 }
1330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1331#if defined(MBEDTLS_DEBUG_C)
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1332 t = ( (uint32_t) buf[2] << 24 )
1333 | ( (uint32_t) buf[3] << 16 )
1334 | ( (uint32_t) buf[4] << 8 )
1335 | ( (uint32_t) buf[5] );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1336 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Paul Bakker87e5cda2012-01-14 18:14:15 +0000[diff] [blame]1337#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1339 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1341 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1343 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1345 if( n > 32 )
1346 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1348 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1349 }
1350
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1351 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1353 ext_len = ( ( buf[38 + n] << 8 )
1354 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1356 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1357 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1358 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1360 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1361 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1362 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1363 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1364 {
1365 ext_len = 0;
1366 }
1367 else
1368 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1370 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1371 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1372
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1373 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1374 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1375
1376 /*
1377 * Read and check compression
1378 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1379 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1380
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1382 /* See comments in ssl_write_client_hello() */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1384 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1385 accept_comp = 0;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1386 else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1387#endif
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1388 accept_comp = 1;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1389
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1390 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1391 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1392#else /* MBEDTLS_ZLIB_SUPPORT */
1393 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1394#endif/* MBEDTLS_ZLIB_SUPPORT */
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1395 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
1397 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1398 }
1399
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1400 /*
1401 * Initialize update checksum functions
1402 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1403 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1404
1405 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1406 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1408 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1409 }
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1412
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1413 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1414 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1415
1416 /*
1417 * Check if the session can be resumed
1418 */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1419 if( ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1420#if defined(MBEDTLS_SSL_RENEGOTIATION)
1421 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1422#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1423 ssl->session_negotiate->ciphersuite != i ||
1424 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1425 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1426 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427 {
1428 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1429 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1430#if defined(MBEDTLS_HAVE_TIME)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1431 ssl->session_negotiate->start = time( NULL );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]1432#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1433 ssl->session_negotiate->ciphersuite = i;
1434 ssl->session_negotiate->compression = comp;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1435 ssl->session_negotiate->id_len = n;
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1436 memcpy( ssl->session_negotiate->id, buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1437 }
1438 else
1439 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1440 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1442 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1443 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1445 return( ret );
1446 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1447 }
1448
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1449 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1450 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1451
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]1452 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1453 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1454
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1455 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200[diff] [blame]1456 if( suite_info == NULL
1457#if defined(MBEDTLS_ARC4_C)
1458 || ( ssl->conf->arc4_disabled &&
1459 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
1460#endif
1461 )
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1462 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1464 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1465 }
1466
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]1467 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1468
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1469 i = 0;
1470 while( 1 )
1471 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1472 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1473 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1475 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1476 }
1477
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1478 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1479 ssl->session_negotiate->ciphersuite )
1480 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1481 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200[diff] [blame]1482 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1483 }
1484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1485 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1486#if defined(MBEDTLS_ZLIB_SUPPORT)
1487 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1488#endif
1489 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1490 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1492 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1493 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1494 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1495
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1496 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1498 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1499
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1500 while( ext_len )
1501 {
1502 unsigned int ext_id = ( ( ext[0] << 8 )
1503 | ( ext[1] ) );
1504 unsigned int ext_size = ( ( ext[2] << 8 )
1505 | ( ext[3] ) );
1506
1507 if( ext_size + 4 > ext_len )
1508 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1510 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1511 }
1512
1513 switch( ext_id )
1514 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1515 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1516 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1517#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1518 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1519#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1520
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1521 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1522 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1523 return( ret );
1524
1525 break;
1526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1527#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1528 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1529 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1530
1531 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1532 ext + 4, ext_size ) ) != 0 )
1533 {
1534 return( ret );
1535 }
1536
1537 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1538#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1539
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1540#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1541 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1542 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1543
1544 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1545 ext + 4, ext_size ) ) != 0 )
1546 {
1547 return( ret );
1548 }
1549
1550 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1551#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1553#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1554 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1555 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1556
1557 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1558 ext + 4, ext_size ) ) != 0 )
1559 {
1560 return( ret );
1561 }
1562
1563 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1564#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1566#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1567 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1568 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1569
1570 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1571 ext + 4, ext_size ) ) != 0 )
1572 {
1573 return( ret );
1574 }
1575
1576 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1580 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1581 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1582
1583 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1584 ext + 4, ext_size ) ) != 0 )
1585 {
1586 return( ret );
1587 }
1588
1589 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1590#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1591
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200[diff] [blame]1592#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1593 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1594 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1595
1596 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1597 ext + 4, ext_size ) ) != 0 )
1598 {
1599 return( ret );
1600 }
1601
1602 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1603#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1604
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1605#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1606 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
1608
1609 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
1610 ext + 4, ext_size ) ) != 0 )
1611 {
1612 return( ret );
1613 }
1614
1615 break;
1616#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1617
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1618#if defined(MBEDTLS_SSL_ALPN)
1619 case MBEDTLS_TLS_EXT_ALPN:
1620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1621
1622 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1623 return( ret );
1624
1625 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1626#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1627
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1628 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1629 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1630 ext_id ) );
1631 }
1632
1633 ext_len -= 4 + ext_size;
1634 ext += 4 + ext_size;
1635
1636 if( ext_len > 0 && ext_len < 4 )
1637 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1638 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1639 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1640 }
1641 }
1642
1643 /*
1644 * Renegotiation security checks
1645 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1646 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1647 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1648 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1650 handshake_failure = 1;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]1651 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1652#if defined(MBEDTLS_SSL_RENEGOTIATION)
1653 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1654 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1655 renegotiation_info_seen == 0 )
1656 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1658 handshake_failure = 1;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1659 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1660 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1661 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1662 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1663 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1665 handshake_failure = 1;
1666 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1667 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1668 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1669 renegotiation_info_seen == 1 )
1670 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1672 handshake_failure = 1;
1673 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1674#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1675
1676 if( handshake_failure == 1 )
1677 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1678 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1679 return( ret );
1680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1681 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1682 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1685
1686 return( 0 );
1687}
1688
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1689#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1690 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1691static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1692 unsigned char *end )
1693{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1694 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1695
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1696 /*
1697 * Ephemeral DH parameters:
1698 *
1699 * struct {
1700 * opaque dh_p<1..2^16-1>;
1701 * opaque dh_g<1..2^16-1>;
1702 * opaque dh_Ys<1..2^16-1>;
1703 * } ServerDHParams;
1704 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1705 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1706 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1707 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1708 return( ret );
1709 }
1710
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]1711 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1712 {
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]1713 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
1714 ssl->handshake->dhm_ctx.len * 8,
1715 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1716 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1717 }
1718
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1719 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1720 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1721 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1722
1723 return( ret );
1724}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1725#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1726 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1728#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1729 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1730 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1731 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1732 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1733static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1734{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1735 const mbedtls_ecp_curve_info *curve_info;
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]1736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]1738 if( curve_info == NULL )
1739 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1740 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1741 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]1742 }
1743
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1744 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1745
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]1746#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +0200[diff] [blame]1747 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]1748#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1749 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1750 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]1751#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1752 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1753
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1754 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1755
1756 return( 0 );
1757}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1758#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1759 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1760 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1761 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1762 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1763
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1764#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1765 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1766 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1767static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1768 unsigned char **p,
1769 unsigned char *end )
1770{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1771 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1772
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1773 /*
1774 * Ephemeral ECDH parameters:
1775 *
1776 * struct {
1777 * ECParameters curve_params;
1778 * ECPoint public;
1779 * } ServerECDHParams;
1780 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1781 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1782 (const unsigned char **) p, end ) ) != 0 )
1783 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1784 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1785 return( ret );
1786 }
1787
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1788 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1789 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1790 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
1791 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1792 }
1793
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1794 return( ret );
1795}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1796#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1797 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1798 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1800#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1801static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1802 unsigned char **p,
1803 unsigned char *end )
1804{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1805 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1806 size_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]1807 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1808
1809 /*
1810 * PSK parameters:
1811 *
1812 * opaque psk_identity_hint<0..2^16-1>;
1813 */
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]1814 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1815 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1816
1817 if( (*p) + len > end )
1818 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1820 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1821 }
1822
1823 // TODO: Retrieve PSK identity hint and callback to app
1824 //
1825 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1826 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1827
1828 return( ret );
1829}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1830#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]1831
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1832#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1833 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1834/*
1835 * Generate a pre-master secret and encrypt it with the server's RSA key
1836 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1837static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1838 size_t offset, size_t *olen,
1839 size_t pms_offset )
1840{
1841 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1842 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1843 unsigned char *p = ssl->handshake->premaster + pms_offset;
1844
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]1845 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
1846 {
1847 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
1848 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1849 }
1850
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1851 /*
1852 * Generate (part of) the pre-master as
1853 * struct {
1854 * ProtocolVersion client_version;
1855 * opaque random[46];
1856 * } PreMasterSecret;
1857 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1858 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
1859 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1860
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]1861 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1862 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1863 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1864 return( ret );
1865 }
1866
1867 ssl->handshake->pmslen = 48;
1868
1869 /*
1870 * Now write it out, encrypted
1871 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1872 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1873 MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1874 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1876 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1877 }
1878
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1879 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1880 p, ssl->handshake->pmslen,
1881 ssl->out_msg + offset + len_bytes, olen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1882 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]1883 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1884 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1885 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1886 return( ret );
1887 }
1888
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1889#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1890 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]1891 if( len_bytes == 2 )
1892 {
1893 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1894 ssl->out_msg[offset+1] = (unsigned char)( *olen );
1895 *olen += 2;
1896 }
1897#endif
1898
1899 return( 0 );
1900}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1901#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
1902 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1903
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1904#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +0200[diff] [blame]1905#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1906static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1907 unsigned char **p,
1908 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1909 mbedtls_md_type_t *md_alg,
1910 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1911{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]1912 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1913 *md_alg = MBEDTLS_MD_NONE;
1914 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]1915
1916 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1917 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]1918 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]1919 return( 0 );
1920 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1921
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]1922 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1924
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]1925 /*
1926 * Get hash algorithm
1927 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1928 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1929 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1930 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]1931 "HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1932 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1933 }
1934
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]1935 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]1936 * Get signature algorithm
1937 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1939 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1940 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]1941 "SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1942 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1943 }
1944
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]1945 /*
1946 * Check if the hash is acceptable
1947 */
1948 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
1949 {
1950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm "
1951 "that was not offered" ) );
1952 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1953 }
1954
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1955 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1956 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1957 *p += 2;
1958
1959 return( 0 );
1960}
Manuel Pégourié-Gonnard36a8b572015-06-17 12:43:26 +0200[diff] [blame]1961#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1962#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]1963
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1964#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1965 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1966static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1967{
1968 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969 const mbedtls_ecp_keypair *peer_key;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1970
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1971 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1972 MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1973 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
1975 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1976 }
1977
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1978 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1979
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1980 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
1981 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1982 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1983 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1984 return( ret );
1985 }
1986
1987 if( ssl_check_server_ecdh_params( ssl ) != 0 )
1988 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
1990 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1991 }
1992
1993 return( ret );
1994}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1995#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
1996 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]1997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1998static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1999{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2000 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2001 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2002 unsigned char *p, *end;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2006#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2007 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 ssl->state++;
2011 return( 0 );
2012 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2013 ((void) p);
2014 ((void) end);
2015#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2017#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2018 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2019 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2020 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2021 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2022 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2023 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2024 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2025 return( ret );
2026 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2029 ssl->state++;
2030 return( 0 );
2031 }
2032 ((void) p);
2033 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2035 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2039 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2040 return( ret );
2041 }
2042
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2043 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2044 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2045 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2046 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2047 }
2048
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2049 /*
2050 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2051 * doesn't use a psk_identity_hint
2052 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2053 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2055 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2056 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2057 {
2058 ssl->record_read = 1;
2059 goto exit;
2060 }
2061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2063 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2064 }
2065
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2066 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2067 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2068 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2070#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2071 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2072 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2073 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2074 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2075 {
2076 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2077 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2079 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2080 }
2081 } /* FALLTROUGH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2082#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2084#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2085 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2086 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2087 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2088 ; /* nothing more to do */
2089 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2090#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2091 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2092#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2093 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2094 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2095 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2096 {
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2097 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2098 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2099 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2100 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2101 }
2102 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2103 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2104#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2105 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2106#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2107 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2108 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2109 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2110 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2111 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2112 {
2113 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2114 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2116 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2117 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2118 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2119 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2120#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2121 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2122 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame^]2123#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2124 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2125 {
2126 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2127 p, end - p );
2128 if( ret != 0 )
2129 {
2130 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2131 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2132 }
2133 }
2134 else
2135#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2136 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2138 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2139 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2140
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2141#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2142 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2143 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2144 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2145 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2146 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2147 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2148 size_t sig_len, hashlen;
2149 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2150 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2151 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2152 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2153 size_t params_len = p - params;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2154
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2155 /*
2156 * Handle the digitally-signed structure
2157 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2158#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2159 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2160 {
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2161 if( ssl_parse_signature_algorithm( ssl, &p, end,
2162 &md_alg, &pk_alg ) != 0 )
2163 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2165 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2166 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2167
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2168 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2169 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2170 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2171 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2172 }
2173 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2174 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2175#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2176#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2177 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2178 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2179 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2180 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2181
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2182 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2183 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2184 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2185 }
2186 else
2187#endif
2188 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2190 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2191 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2192
2193 /*
2194 * Read signature
2195 */
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2196 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2197 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2198
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2199 if( end != p + sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2200 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2201 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2202 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2203 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2205 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2206
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2207 /*
2208 * Compute the hash that has been signed
2209 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2210#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2211 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2212 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2213 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2214 mbedtls_md5_context mbedtls_md5;
2215 mbedtls_sha1_context mbedtls_sha1;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2217 mbedtls_md5_init( &mbedtls_md5 );
2218 mbedtls_sha1_init( &mbedtls_sha1 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]2219
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2220 hashlen = 36;
2221
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2222 /*
2223 * digitally-signed struct {
2224 * opaque md5_hash[16];
2225 * opaque sha_hash[20];
2226 * };
2227 *
2228 * md5_hash
2229 * MD5(ClientHello.random + ServerHello.random
2230 * + ServerParams);
2231 * sha_hash
2232 * SHA(ClientHello.random + ServerHello.random
2233 * + ServerParams);
2234 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2235 mbedtls_md5_starts( &mbedtls_md5 );
2236 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
2237 mbedtls_md5_update( &mbedtls_md5, params, params_len );
2238 mbedtls_md5_finish( &mbedtls_md5, hash );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2239
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2240 mbedtls_sha1_starts( &mbedtls_sha1 );
2241 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
2242 mbedtls_sha1_update( &mbedtls_sha1, params, params_len );
2243 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
Paul Bakker5b4af392014-06-26 12:09:34 +0200[diff] [blame]2244
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2245 mbedtls_md5_free( &mbedtls_md5 );
2246 mbedtls_sha1_free( &mbedtls_sha1 );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2247 }
2248 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2249#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2250 MBEDTLS_SSL_PROTO_TLS1_1 */
2251#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2252 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2253 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2254 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2255 mbedtls_md_context_t ctx;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2256
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2257 mbedtls_md_init( &ctx );
Paul Bakker84bbeb52014-07-01 14:53:22 +0200[diff] [blame]2258
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2259 /* Info from md_alg will be used instead */
2260 hashlen = 0;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2261
2262 /*
2263 * digitally-signed struct {
2264 * opaque client_random[32];
2265 * opaque server_random[32];
2266 * ServerDHParams params;
2267 * };
2268 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269 if( ( ret = mbedtls_md_setup( &ctx,
2270 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2271 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2272 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2273 return( ret );
2274 }
2275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2276 mbedtls_md_starts( &ctx );
2277 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
2278 mbedtls_md_update( &ctx, params, params_len );
2279 mbedtls_md_finish( &ctx, hash );
2280 mbedtls_md_free( &ctx );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2281 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2282 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2283#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2284 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2285 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2286 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2287 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2288 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2289
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2290 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2291 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2292
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2293 /*
2294 * Verify signature
2295 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2296 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2297 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2299 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2300 }
2301
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2302 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard20846b12013-08-19 12:32:12 +0200[diff] [blame]2303 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2304 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2305 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2306 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2307 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2308 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2309#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2310 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2311 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2312
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2313exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2314 ssl->state++;
2315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2316 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2317
2318 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2319}
2320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2321#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2322 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2323 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2324 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2325static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2326{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2327 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2329 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2331 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2332 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2333 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +0200[diff] [blame]2334 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2335 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2336 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2337 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2338 ssl->state++;
2339 return( 0 );
2340 }
2341
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2343 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2344}
2345#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2346static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2347{
2348 int ret;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2349 unsigned char *buf, *p;
Paul Bakker9c94cdd2013-01-22 13:45:33 +0100[diff] [blame]2350 size_t n = 0, m = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2351 size_t cert_type_len = 0, dn_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2352 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2353
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2354 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2355
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2356 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2357 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2358 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +0200[diff] [blame]2359 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2360 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2361 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2362 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2363 ssl->state++;
2364 return( 0 );
2365 }
2366
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2367 if( ssl->record_read == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2368 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2369 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2370 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2371 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2372 return( ret );
2373 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2374
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2375 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2376 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2378 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2379 }
2380
2381 ssl->record_read = 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2382 }
2383
2384 ssl->client_auth = 0;
2385 ssl->state++;
2386
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2387 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2388 ssl->client_auth++;
2389
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2390 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2391 ssl->client_auth ? "a" : "no" ) );
2392
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2393 if( ssl->client_auth == 0 )
2394 goto exit;
2395
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2396 ssl->record_read = 0;
2397
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2398 // TODO: handshake_failure alert for an anonymous server to request
2399 // client authentication
2400
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]2401 /*
2402 * struct {
2403 * ClientCertificateType certificate_types<1..2^8-1>;
2404 * SignatureAndHashAlgorithm
2405 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2406 * DistinguishedName certificate_authorities<0..2^16-1>;
2407 * } CertificateRequest;
2408 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2409 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2410
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2411 // Retrieve cert types
2412 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2413 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2414 n = cert_type_len;
2415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2416 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2417 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2419 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2420 }
2421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2422 p = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2423 while( cert_type_len > 0 )
2424 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2425#if defined(MBEDTLS_RSA_C)
2426 if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN &&
2427 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2428 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2429 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2430 break;
2431 }
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +0200[diff] [blame]2432 else
2433#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2434#if defined(MBEDTLS_ECDSA_C)
2435 if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN &&
2436 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +0200[diff] [blame]2437 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2438 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +0200[diff] [blame]2439 break;
2440 }
2441 else
2442#endif
2443 {
2444 ; /* Unsupported cert type, ignore */
2445 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2446
2447 cert_type_len--;
2448 p++;
2449 }
2450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2451#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2452 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2453 {
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +0200[diff] [blame]2454 /* Ignored, see comments about hash in write_certificate_verify */
2455 // TODO: should check the signature part against our pk_key though
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2456 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2457 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2458
Paul Bakker9c94cdd2013-01-22 13:45:33 +0100[diff] [blame]2459 m += 2;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2460 n += sig_alg_len;
2461
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2462 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2463 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2465 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2466 }
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]2467 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2468#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2469
Manuel Pégourié-Gonnarda3104592013-09-17 21:17:44 +0200[diff] [blame]2470 /* Ignore certificate_authorities, we only have one cert anyway */
2471 // TODO: should not send cert if no CA matches
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2472 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + m + n] << 8 )
2473 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + m + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2474
2475 n += dn_len;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2476 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + m + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2477 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2479 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2480 }
2481
2482exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2483 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2484
2485 return( 0 );
2486}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2487#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2488 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2489 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2490 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2492static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2493{
2494 int ret;
2495
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2496 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2497
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2498 if( ssl->record_read == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2499 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2500 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2501 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2502 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2503 return( ret );
2504 }
2505
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2506 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2507 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2509 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510 }
2511 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2512 ssl->record_read = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2513
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2514 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
2515 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2516 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2517 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2518 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2519 }
2520
2521 ssl->state++;
2522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2523#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2524 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2525 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]2526#endif
2527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2529
2530 return( 0 );
2531}
2532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2533static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2534{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2535 int ret;
2536 size_t i, n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2537 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2540
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2541#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
2542 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2543 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2544 /*
2545 * DHM key exchange -- send G^X mod P
2546 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2547 n = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2548
2549 ssl->out_msg[4] = (unsigned char)( n >> 8 );
2550 ssl->out_msg[5] = (unsigned char)( n );
2551 i = 6;
2552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2553 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2554 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2555 &ssl->out_msg[i], n,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2556 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2557 if( ret != 0 )
2558 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2559 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2560 return( ret );
2561 }
2562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2563 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2564 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2566 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2567 ssl->handshake->premaster,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]2568 MBEDTLS_PREMASTER_SIZE,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +0200[diff] [blame]2569 &ssl->handshake->pmslen,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2570 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2571 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2572 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2573 return( ret );
2574 }
2575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2576 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2577 }
2578 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2579#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2580#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2581 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2582 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2583 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2584 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2585 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2586 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2587 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2588 {
2589 /*
2590 * ECDH key exchange -- send client public value
2591 */
2592 i = 4;
2593
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2594 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2595 &n,
2596 &ssl->out_msg[i], 1000,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2597 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2598 if( ret != 0 )
2599 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2600 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2601 return( ret );
2602 }
2603
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2604 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2606 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2607 &ssl->handshake->pmslen,
2608 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2609 MBEDTLS_MPI_MAX_SIZE,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2610 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2611 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2612 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2613 return( ret );
2614 }
2615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2616 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2617 }
2618 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2619#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2620 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2621 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2622 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2623#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2624 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2625 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2626 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2627 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2628 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2629 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2630 * opaque psk_identity<0..2^16-1>;
2631 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2632 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]2633 {
2634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2635 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]2636 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2637
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2638 i = 4;
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2639 n = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2640
2641 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2642 {
2643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
2644 "SSL buffer too short" ) );
2645 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2646 }
2647
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2648 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2649 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2650
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2651 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
2652 i += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2654#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
2655 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2656 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2657 n = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]2658 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2659 else
2660#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2661#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2662 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2663 {
2664 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
2665 return( ret );
2666 }
2667 else
2668#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2669#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2670 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2671 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2672 /*
2673 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2674 */
2675 n = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2676
2677 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2678 {
2679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
2680 " or SSL buffer too short" ) );
2681 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2682 }
2683
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2684 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2685 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2687 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2688 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2689 &ssl->out_msg[i], n,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2690 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2691 if( ret != 0 )
2692 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2693 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2694 return( ret );
2695 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2696 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2697 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2698#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2699#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2700 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]2701 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2702 /*
2703 * ClientECDiffieHellmanPublic public;
2704 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2705 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2706 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2707 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2708 if( ret != 0 )
2709 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2710 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2711 return( ret );
2712 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]2713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2714 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2715 }
2716 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2717#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]2718 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2720 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2721 }
2722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2723 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]2724 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2725 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2726 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2727 return( ret );
2728 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2729 }
2730 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2731#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2732#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2733 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2734 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2735 i = 4;
2736 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]2737 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2738 }
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2739 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2740#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame^]2741#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2742 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2743 {
2744 i = 4;
2745
2746 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
2747 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
2748 ssl->conf->f_rng, ssl->conf->p_rng );
2749 if( ret != 0 )
2750 {
2751 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
2752 return( ret );
2753 }
2754
2755 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
2756 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
2757 ssl->conf->f_rng, ssl->conf->p_rng );
2758 if( ret != 0 )
2759 {
2760 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
2761 return( ret );
2762 }
2763 }
2764 else
2765#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2766 {
2767 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2768 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2769 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2770 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2771
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2772 ssl->out_msglen = i + n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2773 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2774 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2775
2776 ssl->state++;
2777
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2778 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2779 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2780 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2781 return( ret );
2782 }
2783
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2784 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2785
2786 return( 0 );
2787}
2788
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2789#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2790 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2791 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2792 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2793static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2794{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2795 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]2796 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2797
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2798 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2800 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]2801 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2802 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]2803 return( ret );
2804 }
2805
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2806 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2807 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2808 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +0200[diff] [blame]2809 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2810 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2811 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2813 ssl->state++;
2814 return( 0 );
2815 }
2816
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2818 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2819}
2820#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2821static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2822{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2823 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2824 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2825 size_t n = 0, offset = 0;
2826 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2827 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2828 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]2829 unsigned int hashlen;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2831 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2832
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2833 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]2834 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2835 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]2836 return( ret );
2837 }
2838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2839 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2840 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2841 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +0200[diff] [blame]2842 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2843 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2844 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2846 ssl->state++;
2847 return( 0 );
2848 }
2849
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2850 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2851 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2853 ssl->state++;
2854 return( 0 );
2855 }
2856
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2857 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2858 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]2859 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2860 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2861 }
2862
2863 /*
2864 * Make an RSA signature of the handshake digests
2865 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2866 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2867
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2868#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2869 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2870 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2871 {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2872 /*
2873 * digitally-signed struct {
2874 * opaque md5_hash[16];
2875 * opaque sha_hash[20];
2876 * };
2877 *
2878 * md5_hash
2879 * MD5(handshake_messages);
2880 *
2881 * sha_hash
2882 * SHA(handshake_messages);
2883 */
2884 hashlen = 36;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2885 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2886
2887 /*
2888 * For ECDSA, default hash is SHA-1 only
2889 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2890 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2891 {
2892 hash_start += 16;
2893 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2894 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2895 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2896 }
2897 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2898#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2899 MBEDTLS_SSL_PROTO_TLS1_1 */
2900#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2901 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2902 {
2903 /*
2904 * digitally-signed struct {
2905 * opaque handshake_messages[handshake_messages_length];
2906 * };
2907 *
2908 * Taking shortcut here. We assume that the server always allows the
2909 * PRF Hash function and has sent it in the allowed signature
2910 * algorithms list received in the Certificate Request message.
2911 *
2912 * Until we encounter a server that does not, we will take this
2913 * shortcut.
2914 *
2915 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2916 * in order to satisfy 'weird' needs from the server side.
2917 */
Paul Bakkerb7149bc2013-03-20 15:30:09 +0100[diff] [blame]2918 if( ssl->transform_negotiate->ciphersuite_info->mac ==
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2919 MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2920 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2921 md_alg = MBEDTLS_MD_SHA384;
2922 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2923 }
2924 else
2925 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2926 md_alg = MBEDTLS_MD_SHA256;
2927 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]2928 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2929 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2930
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]2931 /* Info from md_alg will be used instead */
2932 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2933 offset = 2;
2934 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2935 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2936#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2937 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2938 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2939 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2940 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2942 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]2943 ssl->out_msg + 6 + offset, &n,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100[diff] [blame]2944 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]2945 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2946 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]2947 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]2948 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2949
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2950 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2951 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2952
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2953 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2954 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2955 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2956
2957 ssl->state++;
2958
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2959 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2960 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2961 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2962 return( ret );
2963 }
2964
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2965 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2966
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]2967 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2968}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2969#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2970 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2971 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2972
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2973#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2974static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]2975{
2976 int ret;
2977 uint32_t lifetime;
2978 size_t ticket_len;
2979 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]2980 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]2981
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2982 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]2983
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2984 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]2985 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2986 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]2987 return( ret );
2988 }
2989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2990 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]2991 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2992 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2993 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]2994 }
2995
2996 /*
2997 * struct {
2998 * uint32 ticket_lifetime_hint;
2999 * opaque ticket<0..2^16-1>;
3000 * } NewSessionTicket;
3001 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3002 * 0 . 3 ticket_lifetime_hint
3003 * 4 . 5 ticket_len (n)
3004 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3005 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3006 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3007 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3008 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3009 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3010 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3011 }
3012
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3013 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3014
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3015 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) |
3016 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3017
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3018 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3020 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3021 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3023 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3024 }
3025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3026 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3027
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3028 /* We're not waiting for a NewSessionTicket message any more */
3029 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3030 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3031
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3032 /*
3033 * Zero-length ticket means the server changed his mind and doesn't want
3034 * to send a ticket after all, so just forget it
3035 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]3036 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3037 return( 0 );
3038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3039 mbedtls_zeroize( ssl->session_negotiate->ticket,
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]3040 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3041 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3042 ssl->session_negotiate->ticket = NULL;
3043 ssl->session_negotiate->ticket_len = 0;
3044
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3045 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3046 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3047 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3048 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3049 }
3050
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3051 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3052
3053 ssl->session_negotiate->ticket = ticket;
3054 ssl->session_negotiate->ticket_len = ticket_len;
3055 ssl->session_negotiate->ticket_lifetime = lifetime;
3056
3057 /*
3058 * RFC 5077 section 3.4:
3059 * "If the client receives a session ticket from the server, then it
3060 * discards any Session ID that was sent in the ServerHello."
3061 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3062 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3063 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3064
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3065 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3066
3067 return( 0 );
3068}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3069#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3070
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3071/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3072 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3073 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3074int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3075{
3076 int ret = 0;
3077
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +0200[diff] [blame]3078 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3079 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3080
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3082
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3083 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3084 return( ret );
3085
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3086#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3087 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3088 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3089 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3090 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3091 return( ret );
3092 }
3093#endif
3094
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3095 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3096 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3097#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3098 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3099 ssl->handshake->new_session_ticket != 0 )
3100 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3101 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3102 }
3103#endif
3104
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3105 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3106 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3107 case MBEDTLS_SSL_HELLO_REQUEST:
3108 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3109 break;
3110
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3111 /*
3112 * ==> ClientHello
3113 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3114 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3115 ret = ssl_write_client_hello( ssl );
3116 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3117
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3118 /*
3119 * <== ServerHello
3120 * Certificate
3121 * ( ServerKeyExchange )
3122 * ( CertificateRequest )
3123 * ServerHelloDone
3124 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3125 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3126 ret = ssl_parse_server_hello( ssl );
3127 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3128
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3129 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3130 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3131 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3133 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3134 ret = ssl_parse_server_key_exchange( ssl );
3135 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3136
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3137 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3138 ret = ssl_parse_certificate_request( ssl );
3139 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3140
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3141 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3142 ret = ssl_parse_server_hello_done( ssl );
3143 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3144
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3145 /*
3146 * ==> ( Certificate/Alert )
3147 * ClientKeyExchange
3148 * ( CertificateVerify )
3149 * ChangeCipherSpec
3150 * Finished
3151 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3152 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3153 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3154 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3155
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3156 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3157 ret = ssl_write_client_key_exchange( ssl );
3158 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3160 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3161 ret = ssl_write_certificate_verify( ssl );
3162 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3163
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3164 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3165 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3166 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3167
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3168 case MBEDTLS_SSL_CLIENT_FINISHED:
3169 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3170 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3171
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3172 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3173 * <== ( NewSessionTicket )
3174 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3175 * Finished
3176 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3177#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3178 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3179 ret = ssl_parse_new_session_ticket( ssl );
3180 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3181#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3182
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3183 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3184 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3185 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3186
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3187 case MBEDTLS_SSL_SERVER_FINISHED:
3188 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3189 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3190
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3191 case MBEDTLS_SSL_FLUSH_BUFFERS:
3192 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3193 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3194 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3196 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3197 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3198 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3199
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3200 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3201 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3202 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3203 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3204
3205 return( ret );
3206}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3207#endif /* MBEDTLS_SSL_CLI_C */