blob: f5fecb7239d3e64a1aefac58339a3eefb419ac76 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSLv3/TLSv1 client-side functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02005 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +000018 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +000019 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +000020 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020022#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000023#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020024#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020025#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020026#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020028#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000029
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020030#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000031#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +020032#else
Rich Evans00ab4702015-02-06 13:43:58 +000033#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +020034#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +010035#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +020036#endif
37
SimonBd5800b72016-04-26 07:43:27 +010038#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41
42#include <string.h>
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +020044#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +020045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020046#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +010047#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +020048#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000049
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020050#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -050051#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +020052#endif
53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020054#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
55static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +010056 unsigned char *buf,
57 size_t *olen )
58{
59 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +010060 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +010061 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +010062
63 *olen = 0;
64
Paul Bakker66d5d072014-06-17 16:39:18 +020065 if( ssl->hostname == NULL )
Paul Bakkerd3edc862013-03-20 16:07:17 +010066 return;
67
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020068 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
Paul Bakkerd3edc862013-03-20 16:07:17 +010069 ssl->hostname ) );
70
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +010071 hostname_len = strlen( ssl->hostname );
72
Simon Butcher0fc94e92015-09-28 20:52:04 +010073 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
Simon Butchered997662015-09-28 02:14:30 +010074 {
Simon Butcher0fc94e92015-09-28 20:52:04 +010075 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Simon Butchered997662015-09-28 02:14:30 +010076 return;
77 }
78
Paul Bakkerd3edc862013-03-20 16:07:17 +010079 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +010080 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
81 *
82 * In order to provide any of the server names, clients MAY include an
83 * extension of type "server_name" in the (extended) client hello. The
84 * "extension_data" field of this extension SHALL contain
85 * "ServerNameList" where:
86 *
Paul Bakkerd3edc862013-03-20 16:07:17 +010087 * struct {
88 * NameType name_type;
89 * select (name_type) {
90 * case host_name: HostName;
91 * } name;
92 * } ServerName;
93 *
94 * enum {
95 * host_name(0), (255)
96 * } NameType;
97 *
98 * opaque HostName<1..2^16-1>;
99 *
100 * struct {
101 * ServerName server_name_list<1..2^16-1>
102 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100103 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100104 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100107
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100110
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100117
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100118 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100119
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100120 *olen = hostname_len + 9;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100121}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200122#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200124#if defined(MBEDTLS_SSL_RENEGOTIATION)
125static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100126 unsigned char *buf,
127 size_t *olen )
128{
129 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100131
132 *olen = 0;
133
Hanno Becker40f8b512017-10-12 14:58:55 +0100134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
135 * initial ClientHello, in which case also adding the renegotiation
136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100138 return;
139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100141
Simon Butcher0fc94e92015-09-28 20:52:04 +0100142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
Simon Butchered997662015-09-28 02:14:30 +0100143 {
144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
145 return;
146 }
147
Paul Bakkerd3edc862013-03-20 16:07:17 +0100148 /*
149 * Secure renegotiation
150 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100153
154 *p++ = 0x00;
155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
156 *p++ = ssl->verify_data_len & 0xFF;
157
158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
159
160 *olen = 5 + ssl->verify_data_len;
161}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200162#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100163
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100164/*
165 * Only if we handle at least one key exchange that needs signatures.
166 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200167#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
169static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100170 unsigned char *buf,
171 size_t *olen )
172{
173 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100175 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200176 const int *md;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200177#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200178 unsigned char *sig_alg_list = buf + 6;
179#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100180
181 *olen = 0;
182
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100184 return;
185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100187
Simon Butchered997662015-09-28 02:14:30 +0100188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
189 {
190#if defined(MBEDTLS_ECDSA_C)
191 sig_alg_len += 2;
192#endif
193#if defined(MBEDTLS_RSA_C)
194 sig_alg_len += 2;
195#endif
196 }
197
Simon Butcher0fc94e92015-09-28 20:52:04 +0100198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
Simon Butchered997662015-09-28 02:14:30 +0100199 {
200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
201 return;
202 }
203
Paul Bakkerd3edc862013-03-20 16:07:17 +0100204 /*
205 * Prepare signature_algorithms extension (TLS 1.2)
206 */
Simon Butchered997662015-09-28 02:14:30 +0100207 sig_alg_len = 0;
208
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
210 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200211#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200214#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200215#if defined(MBEDTLS_RSA_C)
216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200218#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200219 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100220
221 /*
222 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
224 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100225 * } HashAlgorithm;
226 *
227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
228 * SignatureAlgorithm;
229 *
230 * struct {
231 * HashAlgorithm hash;
232 * SignatureAlgorithm signature;
233 * } SignatureAndHashAlgorithm;
234 *
235 * SignatureAndHashAlgorithm
236 * supported_signature_algorithms<2..2^16-2>;
237 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100240
241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
243
244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
246
Paul Bakkerd3edc862013-03-20 16:07:17 +0100247 *olen = 6 + sig_alg_len;
248}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200249#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100251
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200252#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200254static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100255 unsigned char *buf,
256 size_t *olen )
257{
258 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnard8e205fc2014-01-23 17:27:10 +0100260 unsigned char *elliptic_curve_list = p + 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100261 size_t elliptic_curve_len = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200262 const mbedtls_ecp_curve_info *info;
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200263#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200264 const mbedtls_ecp_group_id *grp_id;
Paul Bakker0910f322014-02-06 13:41:18 +0100265#else
266 ((void) ssl);
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100267#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100268
269 *olen = 0;
270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100272
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200273#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200274 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100275#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200276 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Gilles Peskinef9828522017-05-03 12:28:43 +0200277#endif
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100278 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200279#if defined(MBEDTLS_ECP_C)
280 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100281#endif
Janos Follath8a317052016-04-21 23:37:09 +0100282 if( info == NULL )
283 {
284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
285 return;
286 }
287
Simon Butchered997662015-09-28 02:14:30 +0100288 elliptic_curve_len += 2;
289 }
290
Simon Butcher0fc94e92015-09-28 20:52:04 +0100291 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
Simon Butchered997662015-09-28 02:14:30 +0100292 {
293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
294 return;
295 }
296
297 elliptic_curve_len = 0;
298
299#if defined(MBEDTLS_ECP_C)
300 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
Simon Butchered997662015-09-28 02:14:30 +0100301#else
302 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
Gilles Peskinef9828522017-05-03 12:28:43 +0200303#endif
Simon Butchered997662015-09-28 02:14:30 +0100304 {
Gilles Peskinef9828522017-05-03 12:28:43 +0200305#if defined(MBEDTLS_ECP_C)
306 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
Simon Butchered997662015-09-28 02:14:30 +0100307#endif
Manuel Pégourié-Gonnardcd49f762014-02-04 15:14:13 +0100308 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
309 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
Manuel Pégourié-Gonnard568c9cf2013-09-16 17:30:04 +0200310 }
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200311
312 if( elliptic_curve_len == 0 )
313 return;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200315 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
316 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100317
318 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
319 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
320
321 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
322 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
323
Paul Bakkerd3edc862013-03-20 16:07:17 +0100324 *olen = 6 + elliptic_curve_len;
325}
326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200327static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100328 unsigned char *buf,
329 size_t *olen )
330{
331 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100332 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100333
334 *olen = 0;
335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200336 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100337
Simon Butcher0fc94e92015-09-28 20:52:04 +0100338 if( end < p || (size_t)( end - p ) < 6 )
Simon Butchered997662015-09-28 02:14:30 +0100339 {
340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
341 return;
342 }
343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200344 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
345 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100346
347 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100348 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200349
350 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200351 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100352
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200353 *olen = 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100354}
Robert Cragieae8535d2015-10-06 17:11:18 +0100355#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100357
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200358#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200359static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
360 unsigned char *buf,
361 size_t *olen )
362{
363 int ret;
364 unsigned char *p = buf;
Robert Cragie39a60de2015-10-02 13:57:59 +0100365 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200366 size_t kkpp_len;
367
368 *olen = 0;
369
370 /* Skip costly extension if we can't use EC J-PAKE anyway */
371 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
372 return;
373
374 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
375
376 if( end - p < 4 )
377 {
378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
379 return;
380 }
381
382 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
384
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200385 /*
386 * We may need to send ClientHello multiple times for Hello verification.
387 * We don't want to compute fresh values every time (both for performance
388 * and consistency reasons), so cache the extension content.
389 */
390 if( ssl->handshake->ecjpake_cache == NULL ||
391 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200392 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200393 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
394
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200395 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
396 p + 2, end - p - 2, &kkpp_len,
397 ssl->conf->f_rng, ssl->conf->p_rng );
398 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200399 {
400 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
401 return;
402 }
403
404 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
405 if( ssl->handshake->ecjpake_cache == NULL )
406 {
407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
408 return;
409 }
410
411 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
412 ssl->handshake->ecjpake_cache_len = kkpp_len;
413 }
414 else
415 {
416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
417
418 kkpp_len = ssl->handshake->ecjpake_cache_len;
419
420 if( (size_t)( end - p - 2 ) < kkpp_len )
421 {
422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
423 return;
424 }
425
426 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200427 }
428
429 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
430 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
431
432 *olen = kkpp_len + 4;
433}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200434#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000435
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200436#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
437static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200438 unsigned char *buf,
439 size_t *olen )
440{
441 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100442 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200443
Simon Butcher0fc94e92015-09-28 20:52:04 +0100444 *olen = 0;
445
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200446 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200447 return;
448 }
449
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200450 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200451
Simon Butcher0fc94e92015-09-28 20:52:04 +0100452 if( end < p || (size_t)( end - p ) < 5 )
Simon Butchered997662015-09-28 02:14:30 +0100453 {
454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
455 return;
456 }
457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200458 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
459 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200460
461 *p++ = 0x00;
462 *p++ = 1;
463
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200464 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200465
466 *olen = 5;
467}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200468#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200470#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
471static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200472 unsigned char *buf, size_t *olen )
473{
474 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100475 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200476
Simon Butcher0fc94e92015-09-28 20:52:04 +0100477 *olen = 0;
478
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200479 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200480 {
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200481 return;
482 }
483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200484 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200485
Simon Butcher0fc94e92015-09-28 20:52:04 +0100486 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100487 {
488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
489 return;
490 }
491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200492 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
493 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200494
495 *p++ = 0x00;
496 *p++ = 0x00;
497
498 *olen = 4;
499}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200500#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200502#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
503static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100504 unsigned char *buf, size_t *olen )
505{
506 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100507 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100508
Simon Butcher0fc94e92015-09-28 20:52:04 +0100509 *olen = 0;
510
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200511 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
512 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100513 {
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100514 return;
515 }
516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200517 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100518 "extension" ) );
519
Simon Butcher0fc94e92015-09-28 20:52:04 +0100520 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100521 {
522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
523 return;
524 }
525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200526 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
527 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100528
529 *p++ = 0x00;
530 *p++ = 0x00;
531
532 *olen = 4;
533}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200534#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200536#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
537static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200538 unsigned char *buf, size_t *olen )
539{
540 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100541 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200542
Simon Butcher0fc94e92015-09-28 20:52:04 +0100543 *olen = 0;
544
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200545 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
546 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200547 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200548 return;
549 }
550
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200551 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200552 "extension" ) );
553
Simon Butcher0fc94e92015-09-28 20:52:04 +0100554 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100555 {
556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
557 return;
558 }
559
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200560 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
561 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200562
563 *p++ = 0x00;
564 *p++ = 0x00;
565
566 *olen = 4;
567}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200568#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200569
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200570#if defined(MBEDTLS_SSL_SESSION_TICKETS)
571static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200572 unsigned char *buf, size_t *olen )
573{
574 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100575 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200576 size_t tlen = ssl->session_negotiate->ticket_len;
577
Simon Butcher0fc94e92015-09-28 20:52:04 +0100578 *olen = 0;
579
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200580 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200581 {
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200582 return;
583 }
584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200585 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200586
Simon Butcher0fc94e92015-09-28 20:52:04 +0100587 if( end < p || (size_t)( end - p ) < 4 + tlen )
Simon Butchered997662015-09-28 02:14:30 +0100588 {
589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
590 return;
591 }
592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200593 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
594 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200595
596 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
597 *p++ = (unsigned char)( ( tlen ) & 0xFF );
598
599 *olen = 4;
600
Simon Butchered997662015-09-28 02:14:30 +0100601 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200602 {
603 return;
604 }
605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200606 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200607
608 memcpy( p, ssl->session_negotiate->ticket, tlen );
609
610 *olen += tlen;
611}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200612#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200614#if defined(MBEDTLS_SSL_ALPN)
615static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200616 unsigned char *buf, size_t *olen )
617{
618 unsigned char *p = buf;
Simon Butchered997662015-09-28 02:14:30 +0100619 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
620 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200621 const char **cur;
622
Simon Butcher0fc94e92015-09-28 20:52:04 +0100623 *olen = 0;
624
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200625 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200626 {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200627 return;
628 }
629
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200630 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200631
Simon Butchered997662015-09-28 02:14:30 +0100632 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Simon Butcher04799a42015-09-29 00:31:09 +0100633 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100634
Simon Butcher0fc94e92015-09-28 20:52:04 +0100635 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
Simon Butchered997662015-09-28 02:14:30 +0100636 {
637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
638 return;
639 }
640
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200641 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
642 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200643
644 /*
645 * opaque ProtocolName<1..2^8-1>;
646 *
647 * struct {
648 * ProtocolName protocol_name_list<2..2^16-1>
649 * } ProtocolNameList;
650 */
651
652 /* Skip writing extension and list length for now */
653 p += 4;
654
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200655 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200656 {
657 *p = (unsigned char)( strlen( *cur ) & 0xFF );
658 memcpy( p + 1, *cur, *p );
659 p += 1 + *p;
660 }
661
662 *olen = p - buf;
663
664 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
665 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
666 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
667
668 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
669 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
670 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
671}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200672#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200673
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200674/*
675 * Generate random bytes for ClientHello
676 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200677static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200678{
679 int ret;
680 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200681#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100682 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200683#endif
684
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200685 /*
686 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
687 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200688#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200689 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200690 ssl->handshake->verify_cookie != NULL )
691 {
692 return( 0 );
693 }
694#endif
695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200696#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100697 t = mbedtls_time( NULL );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200698 *p++ = (unsigned char)( t >> 24 );
699 *p++ = (unsigned char)( t >> 16 );
700 *p++ = (unsigned char)( t >> 8 );
701 *p++ = (unsigned char)( t );
702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200703 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200704#else
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100705 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200706 return( ret );
707
708 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200709#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200710
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100711 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200712 return( ret );
713
714 return( 0 );
715}
716
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200717static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000718{
Paul Bakker23986e52011-04-24 08:57:21 +0000719 int ret;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100720 size_t i, n, olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000721 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200722 unsigned char *p, *q;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200723 unsigned char offer_compress;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200724 const int *ciphersuites;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200725 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200727 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000728
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100729 if( ssl->conf->f_rng == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100730 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200731 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
732 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100733 }
734
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200735#if defined(MBEDTLS_SSL_RENEGOTIATION)
736 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100737#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000738 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200739 ssl->major_ver = ssl->conf->min_major_ver;
740 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000741 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000742
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200743 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000744 {
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200745 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
746 "consider using mbedtls_ssl_config_defaults()" ) );
747 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000748 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000749
750 /*
751 * 0 . 0 handshake type
752 * 1 . 3 handshake length
753 * 4 . 5 highest version supported
754 * 6 . 9 current UNIX time
755 * 10 . 37 random bytes
756 */
757 buf = ssl->out_msg;
758 p = buf + 4;
759
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200760 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
761 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100762 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000763
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200764 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000765 buf[4], buf[5] ) );
766
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200767 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
768 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200769 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200770 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200771 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200772
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200773 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200774 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200775 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000776
777 /*
778 * 38 . 38 session id length
779 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100780 * 39+n . 39+n DTLS only: cookie length (1 byte)
781 * 40+n . .. DTSL only: cookie
782 * .. . .. ciphersuitelist length (2 bytes)
783 * .. . .. ciphersuitelist
784 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000785 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100786 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000787 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000788 */
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200789 n = ssl->session_negotiate->id_len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000790
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100791 if( n < 16 || n > 32 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200792#if defined(MBEDTLS_SSL_RENEGOTIATION)
793 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100794#endif
Paul Bakker0a597072012-09-25 21:55:46 +0000795 ssl->handshake->resume == 0 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200796 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000797 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200798 }
799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200800#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200801 /*
802 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
803 * generate and include a Session ID in the TLS ClientHello."
804 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200805#if defined(MBEDTLS_SSL_RENEGOTIATION)
806 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000807#endif
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000808 {
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000809 if( ssl->session_negotiate->ticket != NULL &&
810 ssl->session_negotiate->ticket_len != 0 )
811 {
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +0100812 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200813
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000814 if( ret != 0 )
815 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200816
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200817 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard59c6f2e2015-01-22 11:06:40 +0000818 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200819 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200820#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000821
822 *p++ = (unsigned char) n;
823
824 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000825 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000826
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200827 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
828 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000829
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100830 /*
831 * DTLS cookie
832 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200833#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200834 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100835 {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200836 if( ssl->handshake->verify_cookie == NULL )
837 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200838 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200839 *p++ = 0;
840 }
841 else
842 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200843 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200844 ssl->handshake->verify_cookie,
845 ssl->handshake->verify_cookie_len );
846
847 *p++ = ssl->handshake->verify_cookie_len;
848 memcpy( p, ssl->handshake->verify_cookie,
849 ssl->handshake->verify_cookie_len );
850 p += ssl->handshake->verify_cookie_len;
851 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100852 }
853#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000854
Paul Bakker48916f92012-09-16 19:57:18 +0000855 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100856 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000857 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200858 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100859
860 /* Skip writing ciphersuite length for now */
861 n = 0;
862 q = p;
863 p += 2;
864
Paul Bakker2fbefde2013-06-29 16:01:15 +0200865 for( i = 0; ciphersuites[i] != 0; i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000866 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200867 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
Paul Bakker2fbefde2013-06-29 16:01:15 +0200868
869 if( ciphersuite_info == NULL )
870 continue;
871
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200872 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver ||
873 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
Paul Bakker2fbefde2013-06-29 16:01:15 +0200874 continue;
875
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200876#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200877 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200878 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
Manuel Pégourié-Gonnardd6664512014-02-06 13:26:57 +0100879 continue;
880#endif
881
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200882#if defined(MBEDTLS_ARC4_C)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200883 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200884 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100885 continue;
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +0200886#endif
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100887
Manuel Pégourié-Gonnardddf97a62015-09-16 09:58:31 +0200888#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
889 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
890 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
891 continue;
892#endif
893
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200894 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
895 ciphersuites[i] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000896
Paul Bakker2fbefde2013-06-29 16:01:15 +0200897 n++;
Paul Bakker8f4ddae2013-04-15 15:09:54 +0200898 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
899 *p++ = (unsigned char)( ciphersuites[i] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000900 }
901
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300902 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +0300903
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000904 /*
905 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
906 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200907#if defined(MBEDTLS_SSL_RENEGOTIATION)
908 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000909#endif
910 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300911 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200912 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
913 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000914 n++;
915 }
916
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200917 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200918#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100919 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200920 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200921 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
922 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
923 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200924 n++;
925 }
926#endif
927
Paul Bakker2fbefde2013-06-29 16:01:15 +0200928 *q++ = (unsigned char)( n >> 7 );
929 *q++ = (unsigned char)( n << 1 );
930
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200931#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200932 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000933#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200934 offer_compress = 0;
935#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000936
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200937 /*
Johannes H4e5d23f2018-01-06 09:46:57 +0100938 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200939 * in the same datagram, uncompressing one could overwrite the next one.
940 * We don't want to add complexity for handling that case unless there is
941 * an actual need for it.
942 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200943#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200944 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200945 offer_compress = 0;
946#endif
947
948 if( offer_compress )
949 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200950 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
951 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
952 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200953
954 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200955 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
956 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200957 }
958 else
959 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200960 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
961 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
962 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200963
964 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200965 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200966 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000967
Paul Bakkerd3edc862013-03-20 16:07:17 +0100968 // First write extensions, then the total length
969 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200970#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100971 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
972 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200973#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000974
Hanno Becker40f8b512017-10-12 14:58:55 +0100975 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
976 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200977#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100978 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
979 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100980#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000981
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200982#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
983 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100984 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
985 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200986#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000987
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200988#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100989 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100990 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
991 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100992
Paul Bakkerd3edc862013-03-20 16:07:17 +0100993 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
994 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100995#endif
996
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200997#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200998 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
999 ext_len += olen;
1000#endif
1001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001002#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +02001003 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1004 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +02001005#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +02001006
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001007#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001008 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1009 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +02001010#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001011
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001012#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001013 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1014 ext_len += olen;
1015#endif
1016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001017#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001018 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1019 ext_len += olen;
1020#endif
1021
Simon Butcher5624ec82015-09-29 01:06:06 +01001022#if defined(MBEDTLS_SSL_ALPN)
1023 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001024 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +02001025#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001026
Simon Butcher5624ec82015-09-29 01:06:06 +01001027#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1028 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001029 ext_len += olen;
1030#endif
1031
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001032 /* olen unused if all extensions are disabled */
1033 ((void) olen);
1034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001035 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Paul Bakkerc3f177a2012-04-11 16:11:49 +00001036 ext_len ) );
1037
Paul Bakkera7036632014-04-30 10:15:38 +02001038 if( ext_len > 0 )
1039 {
1040 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1041 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1042 p += ext_len;
1043 }
Paul Bakker41c83d32013-03-20 14:39:14 +01001044
Paul Bakker5121ce52009-01-03 21:22:43 +00001045 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001046 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1047 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00001048
1049 ssl->state++;
1050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001051#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001052 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001053 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +02001054#endif
1055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001056 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001057 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001058 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001059 return( ret );
1060 }
1061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001063
1064 return( 0 );
1065}
1066
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001067static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001068 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +00001069 size_t len )
1070{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001071#if defined(MBEDTLS_SSL_RENEGOTIATION)
1072 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +00001073 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001074 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +00001075 if( len != 1 + ssl->verify_data_len * 2 ||
1076 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001077 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001078 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001079 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +01001080 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001081 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001082 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001083 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1084 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001085 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00001086 }
1087 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001088 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001089#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001090 {
1091 if( len != 1 || buf[0] != 0x00 )
1092 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001093 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001094 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1095 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001096 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001097 }
1098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001099 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001100 }
Paul Bakker48916f92012-09-16 19:57:18 +00001101
1102 return( 0 );
1103}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001104
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001105#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1106static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +02001107 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001108 size_t len )
1109{
1110 /*
1111 * server should use the extension only if we did,
1112 * and if so the server's value should match ours (and len is always 1)
1113 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001114 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001115 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001116 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001117 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001118 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001119 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1120 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001122 }
1123
1124 return( 0 );
1125}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001126#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +00001127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001128#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1129static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001130 const unsigned char *buf,
1131 size_t len )
1132{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001133 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001134 len != 0 )
1135 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001137 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1138 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001139 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001140 }
1141
1142 ((void) buf);
1143
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001144 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001145
1146 return( 0 );
1147}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001148#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001149
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001150#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1151static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001152 const unsigned char *buf,
1153 size_t len )
1154{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001155 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001156 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001157 len != 0 )
1158 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001160 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1161 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001162 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001163 }
1164
1165 ((void) buf);
1166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001167 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001168
1169 return( 0 );
1170}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001171#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001172
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001173#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1174static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001175 const unsigned char *buf,
1176 size_t len )
1177{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001178 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001179 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001180 len != 0 )
1181 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001182 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001183 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1184 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001185 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001186 }
1187
1188 ((void) buf);
1189
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001190 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001191
1192 return( 0 );
1193}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001194#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001196#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1197static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001198 const unsigned char *buf,
1199 size_t len )
1200{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001201 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02001202 len != 0 )
1203 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001204 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001205 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1206 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001207 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +02001208 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001209
1210 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02001211
1212 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001213
1214 return( 0 );
1215}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001216#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001217
Robert Cragie136884c2015-10-02 13:34:31 +01001218#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +01001219 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001220static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001221 const unsigned char *buf,
1222 size_t len )
1223{
1224 size_t list_size;
1225 const unsigned char *p;
1226
1227 list_size = buf[0];
1228 if( list_size + 1 != len )
1229 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001231 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1232 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001233 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001234 }
1235
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +02001236 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001237 while( list_size > 0 )
1238 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001239 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1240 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001241 {
Robert Cragie136884c2015-10-02 13:34:31 +01001242#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +02001243 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +02001244#endif
Robert Cragieae8535d2015-10-06 17:11:18 +01001245#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +01001246 ssl->handshake->ecjpake_ctx.point_format = p[0];
1247#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001248 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001249 return( 0 );
1250 }
1251
1252 list_size--;
1253 p++;
1254 }
1255
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001257 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1258 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001259 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001260}
Robert Cragieae8535d2015-10-06 17:11:18 +01001261#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1262 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001263
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001264#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1265static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1266 const unsigned char *buf,
1267 size_t len )
1268{
1269 int ret;
1270
1271 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1272 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1273 {
1274 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1275 return( 0 );
1276 }
1277
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +02001278 /* If we got here, we no longer need our cached extension */
1279 mbedtls_free( ssl->handshake->ecjpake_cache );
1280 ssl->handshake->ecjpake_cache = NULL;
1281 ssl->handshake->ecjpake_cache_len = 0;
1282
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001283 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1284 buf, len ) ) != 0 )
1285 {
1286 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001287 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1288 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001289 return( ret );
1290 }
1291
1292 return( 0 );
1293}
1294#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00001295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001296#if defined(MBEDTLS_SSL_ALPN)
1297static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001298 const unsigned char *buf, size_t len )
1299{
1300 size_t list_len, name_len;
1301 const char **p;
1302
1303 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001304 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001305 {
1306 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001307 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1308 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001309 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001310 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001311
1312 /*
1313 * opaque ProtocolName<1..2^8-1>;
1314 *
1315 * struct {
1316 * ProtocolName protocol_name_list<2..2^16-1>
1317 * } ProtocolNameList;
1318 *
1319 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1320 */
1321
1322 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1323 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001324 {
1325 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1326 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001327 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001328 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001329
1330 list_len = ( buf[0] << 8 ) | buf[1];
1331 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001332 {
1333 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1334 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001335 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001336 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001337
1338 name_len = buf[2];
1339 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001340 {
1341 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1342 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001343 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001344 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001345
1346 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001347 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001348 {
1349 if( name_len == strlen( *p ) &&
1350 memcmp( buf + 3, *p, name_len ) == 0 )
1351 {
1352 ssl->alpn_chosen = *p;
1353 return( 0 );
1354 }
1355 }
1356
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001357 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +02001358 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1359 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001360 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001361}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001362#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001363
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001364/*
1365 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1366 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001367#if defined(MBEDTLS_SSL_PROTO_DTLS)
1368static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001369{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001370 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001371 int major_ver, minor_ver;
1372 unsigned char cookie_len;
1373
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001374 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001375
1376 /*
1377 * struct {
1378 * ProtocolVersion server_version;
1379 * opaque cookie<0..2^8-1>;
1380 * } HelloVerifyRequest;
1381 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001382 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001383 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001384 p += 2;
1385
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +02001386 /*
1387 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1388 * even is lower than our min version.
1389 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001390 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1391 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001392 major_ver > ssl->conf->max_major_ver ||
1393 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001394 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001395 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001397 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1398 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001399
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001400 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001401 }
1402
1403 cookie_len = *p++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001404 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001405
Andres AG5a87c932016-09-26 14:53:05 +01001406 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1407 {
1408 MBEDTLS_SSL_DEBUG_MSG( 1,
1409 ( "cookie length does not match incoming message size" ) );
1410 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1411 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1412 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1413 }
1414
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001415 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001416
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02001417 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001418 if( ssl->handshake->verify_cookie == NULL )
1419 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02001420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02001421 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001422 }
1423
1424 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1425 ssl->handshake->verify_cookie_len = cookie_len;
1426
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +02001427 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001428 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1429 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001430
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001431 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02001432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001434
1435 return( 0 );
1436}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001437#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001439static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00001440{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001441 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +00001442 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +02001443 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +00001444 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +02001445 unsigned char comp;
1446#if defined(MBEDTLS_ZLIB_SUPPORT)
1447 int accept_comp;
1448#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001449#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00001450 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001451#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001452 int handshake_failure = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001453 const mbedtls_ssl_ciphersuite_t *suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00001454
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001455 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001456
Paul Bakker5121ce52009-01-03 21:22:43 +00001457 buf = ssl->in_msg;
1458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001459 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001460 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001461 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001462 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00001463 return( ret );
1464 }
1465
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001466 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00001467 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001468#if defined(MBEDTLS_SSL_RENEGOTIATION)
1469 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02001470 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +02001471 ssl->renego_records_seen++;
1472
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001473 if( ssl->conf->renego_max_records >= 0 &&
1474 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +02001475 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001476 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +02001477 "but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001478 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +02001479 }
1480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001481 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +01001482
1483 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001484 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02001485 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001486#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02001487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001489 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1490 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001491 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00001492 }
1493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001494#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001495 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001496 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001497 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001498 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1500 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001501 return( ssl_parse_hello_verify_request( ssl ) );
1502 }
1503 else
1504 {
1505 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001506 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +02001507 ssl->handshake->verify_cookie = NULL;
1508 ssl->handshake->verify_cookie_len = 0;
1509 }
1510 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001511#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +00001512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001513 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1514 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +00001515 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001517 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1518 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001519 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +00001520 }
1521
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001522 /*
1523 * 0 . 1 server_version
1524 * 2 . 33 random (maybe including 4 bytes of Unix time)
1525 * 34 . 34 session_id length = n
1526 * 35 . 34+n session_id
1527 * 35+n . 36+n cipher_suite
1528 * 37+n . 37+n compression_method
1529 *
1530 * 38+n . 39+n extensions length (optional)
1531 * 40+n . .. extensions
1532 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001533 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001535 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1536 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001537 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001538
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001539 if( ssl->major_ver < ssl->conf->min_major_ver ||
1540 ssl->minor_ver < ssl->conf->min_minor_ver ||
1541 ssl->major_ver > ssl->conf->max_major_ver ||
1542 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +00001543 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01001545 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001546 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +01001547 ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001548 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +00001549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001550 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1551 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +00001552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001553 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +00001554 }
1555
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +01001556 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1557 ( (uint32_t) buf[2] << 24 ) |
1558 ( (uint32_t) buf[3] << 16 ) |
1559 ( (uint32_t) buf[4] << 8 ) |
1560 ( (uint32_t) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001561
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001562 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001563
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001564 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +00001565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001566 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +00001567
Paul Bakker48916f92012-09-16 19:57:18 +00001568 if( n > 32 )
1569 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001571 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1572 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001573 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00001574 }
1575
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +02001576 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +00001577 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001578 ext_len = ( ( buf[38 + n] << 8 )
1579 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001580
Paul Bakker48916f92012-09-16 19:57:18 +00001581 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001582 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +00001583 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001584 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001585 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1586 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001587 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00001588 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001589 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +02001590 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +02001591 {
1592 ext_len = 0;
1593 }
1594 else
1595 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001596 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001597 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1598 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001599 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +02001600 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001601
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001602 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001603 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001604
1605 /*
1606 * Read and check compression
1607 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001608 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +00001609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001610#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001611 /* See comments in ssl_write_client_hello() */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001612#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001613 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001614 accept_comp = 0;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +02001615 else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001616#endif
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +02001617 accept_comp = 1;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001618
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +02001619 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1620 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1621#else /* MBEDTLS_ZLIB_SUPPORT */
1622 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1623#endif/* MBEDTLS_ZLIB_SUPPORT */
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001624 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001625 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001626 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1627 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001628 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001629 }
1630
Paul Bakker380da532012-04-18 16:10:25 +00001631 /*
1632 * Initialize update checksum functions
1633 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001634 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
Paul Bakker68884e32013-01-07 18:20:04 +01001635
1636 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1637 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001638 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001639 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1640 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001641 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +01001642 }
Paul Bakker380da532012-04-18 16:10:25 +00001643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001644 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +01001645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001646 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1647 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00001648
1649 /*
1650 * Check if the session can be resumed
1651 */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001652 if( ssl->handshake->resume == 0 || n == 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001653#if defined(MBEDTLS_SSL_RENEGOTIATION)
1654 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001655#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001656 ssl->session_negotiate->ciphersuite != i ||
1657 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02001658 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001659 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001660 {
1661 ssl->state++;
Paul Bakker0a597072012-09-25 21:55:46 +00001662 ssl->handshake->resume = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001663#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +01001664 ssl->session_negotiate->start = mbedtls_time( NULL );
Paul Bakkerfa9b1002013-07-03 15:31:03 +02001665#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001666 ssl->session_negotiate->ciphersuite = i;
1667 ssl->session_negotiate->compression = comp;
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02001668 ssl->session_negotiate->id_len = n;
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001669 memcpy( ssl->session_negotiate->id, buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +00001670 }
1671 else
1672 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001673 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +00001674
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001675 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +00001676 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001677 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001678 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1679 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Paul Bakkerff60ee62010-03-16 21:09:09 +00001680 return( ret );
1681 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001682 }
1683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001684 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Paul Bakker0a597072012-09-25 21:55:46 +00001685 ssl->handshake->resume ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001686
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +02001687 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001689
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001690 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
Manuel Pégourié-Gonnard66dc5552015-05-14 12:28:21 +02001691 if( suite_info == NULL
1692#if defined(MBEDTLS_ARC4_C)
1693 || ( ssl->conf->arc4_disabled &&
1694 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
1695#endif
1696 )
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01001697 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001699 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1700 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001701 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01001702 }
1703
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +02001704 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1705
Paul Bakker5121ce52009-01-03 21:22:43 +00001706 i = 0;
1707 while( 1 )
1708 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001709 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001710 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001712 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1713 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001714 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +00001715 }
1716
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001717 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001718 ssl->session_negotiate->ciphersuite )
1719 {
Paul Bakker5121ce52009-01-03 21:22:43 +00001720 break;
Paul Bakker8f4ddae2013-04-15 15:09:54 +02001721 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001722 }
1723
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001724 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1725#if defined(MBEDTLS_ZLIB_SUPPORT)
1726 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +00001727#endif
1728 )
Paul Bakker5121ce52009-01-03 21:22:43 +00001729 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001731 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1732 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001733 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +00001734 }
Paul Bakker48916f92012-09-16 19:57:18 +00001735 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +00001736
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +02001737 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +00001738
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001739 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +02001740
Paul Bakker48916f92012-09-16 19:57:18 +00001741 while( ext_len )
1742 {
1743 unsigned int ext_id = ( ( ext[0] << 8 )
1744 | ( ext[1] ) );
1745 unsigned int ext_size = ( ( ext[2] << 8 )
1746 | ( ext[3] ) );
1747
1748 if( ext_size + 4 > ext_len )
1749 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001750 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02001751 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1752 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001753 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00001754 }
1755
1756 switch( ext_id )
1757 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001758 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1759 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1760#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +00001761 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +01001762#endif
Paul Bakker48916f92012-09-16 19:57:18 +00001763
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +02001764 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1765 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +00001766 return( ret );
1767
1768 break;
1769
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001770#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1771 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1772 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001773
1774 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1775 ext + 4, ext_size ) ) != 0 )
1776 {
1777 return( ret );
1778 }
1779
1780 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001781#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +02001782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001783#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1784 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1785 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001786
1787 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1788 ext + 4, ext_size ) ) != 0 )
1789 {
1790 return( ret );
1791 }
1792
1793 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001794#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +02001795
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001796#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1797 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001799
1800 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1801 ext + 4, ext_size ) ) != 0 )
1802 {
1803 return( ret );
1804 }
1805
1806 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001807#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001808
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001809#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1810 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1811 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001812
1813 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1814 ext + 4, ext_size ) ) != 0 )
1815 {
1816 return( ret );
1817 }
1818
1819 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001820#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001821
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001822#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1823 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1824 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001825
1826 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1827 ext + 4, ext_size ) ) != 0 )
1828 {
1829 return( ret );
1830 }
1831
1832 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001833#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +02001834
Robert Cragie136884c2015-10-02 13:34:31 +01001835#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +01001836 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001837 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1838 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001839
1840 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1841 ext + 4, ext_size ) ) != 0 )
1842 {
1843 return( ret );
1844 }
1845
1846 break;
Robert Cragieae8535d2015-10-06 17:11:18 +01001847#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1848 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +02001849
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02001850#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1851 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1852 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
1853
1854 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
1855 ext + 4, ext_size ) ) != 0 )
1856 {
1857 return( ret );
1858 }
1859
1860 break;
1861#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001862
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001863#if defined(MBEDTLS_SSL_ALPN)
1864 case MBEDTLS_TLS_EXT_ALPN:
1865 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001866
1867 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1868 return( ret );
1869
1870 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001871#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +02001872
Paul Bakker48916f92012-09-16 19:57:18 +00001873 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Paul Bakker48916f92012-09-16 19:57:18 +00001875 ext_id ) );
1876 }
1877
1878 ext_len -= 4 + ext_size;
1879 ext += 4 + ext_size;
1880
1881 if( ext_len > 0 && ext_len < 4 )
1882 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001883 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1884 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00001885 }
1886 }
1887
1888 /*
1889 * Renegotiation security checks
1890 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001891 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001892 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +00001893 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001894 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00001895 handshake_failure = 1;
1896 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001897#if defined(MBEDTLS_SSL_RENEGOTIATION)
1898 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1899 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +00001900 renegotiation_info_seen == 0 )
1901 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +00001903 handshake_failure = 1;
1904 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001905 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1906 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02001907 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +00001908 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001909 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001910 handshake_failure = 1;
1911 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001912 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1913 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001914 renegotiation_info_seen == 1 )
1915 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001916 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001917 handshake_failure = 1;
1918 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001919#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +00001920
1921 if( handshake_failure == 1 )
1922 {
Gilles Peskinec94f7352017-05-10 16:37:56 +02001923 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1924 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001925 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +00001926 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001927
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00001929
1930 return( 0 );
1931}
1932
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001933#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1934 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1935static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +02001936 unsigned char *end )
1937{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001938 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +02001939
Paul Bakker29e1f122013-04-16 13:07:56 +02001940 /*
1941 * Ephemeral DH parameters:
1942 *
1943 * struct {
1944 * opaque dh_p<1..2^16-1>;
1945 * opaque dh_g<1..2^16-1>;
1946 * opaque dh_Ys<1..2^16-1>;
1947 * } ServerDHParams;
1948 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001949 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +02001950 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001951 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +02001952 return( ret );
1953 }
1954
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02001955 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +02001956 {
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +02001957 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
1958 ssl->handshake->dhm_ctx.len * 8,
1959 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001960 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02001961 }
1962
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001963 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1964 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1965 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +02001966
1967 return( ret );
1968}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001969#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1970 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +02001971
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001972#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1973 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1974 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1975 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1976 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1977static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01001978{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001979 const mbedtls_ecp_curve_info *curve_info;
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01001980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001981 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01001982 if( curve_info == NULL )
1983 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001984 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1985 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +01001986 }
1987
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001988 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01001989
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +02001990#if defined(MBEDTLS_ECP_C)
Manuel Pégourié-Gonnard9d412d82015-06-17 12:10:46 +02001991 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01001992#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01001993 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1994 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01001995#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01001996 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01001997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001998 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01001999
2000 return( 0 );
2001}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002002#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2003 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2004 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2005 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2006 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002007
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002008#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2009 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2010 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2011static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +02002012 unsigned char **p,
2013 unsigned char *end )
2014{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002015 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +02002016
Paul Bakker29e1f122013-04-16 13:07:56 +02002017 /*
2018 * Ephemeral ECDH parameters:
2019 *
2020 * struct {
2021 * ECParameters curve_params;
2022 * ECPoint public;
2023 * } ServerECDHParams;
2024 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002025 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +02002026 (const unsigned char **) p, end ) ) != 0 )
2027 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002028 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +02002029 return( ret );
2030 }
2031
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002032 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +02002033 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002034 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2035 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002036 }
2037
Paul Bakker29e1f122013-04-16 13:07:56 +02002038 return( ret );
2039}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002040#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2041 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2042 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +02002043
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002044#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2045static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002046 unsigned char **p,
2047 unsigned char *end )
2048{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002049 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002050 size_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +02002051 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002052
2053 /*
2054 * PSK parameters:
2055 *
2056 * opaque psk_identity_hint<0..2^16-1>;
2057 */
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +01002058 if( (*p) > end - 2 )
2059 {
2060 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2061 "(psk_identity_hint length)" ) );
2062 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2063 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +02002064 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002065 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002066
Krzysztof Stachowiak5224a752018-03-13 11:31:38 +01002067 if( (*p) > end - len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002068 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01002069 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2070 "(psk_identity_hint length)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002071 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002072 }
2073
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +01002074 /*
2075 * Note: we currently ignore the PKS identity hint, as we only allow one
2076 * PSK to be provisionned on the client. This could be changed later if
2077 * someone needs that feature.
2078 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002079 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002080 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002081
2082 return( ret );
2083}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002084#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002085
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002086#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2087 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002088/*
2089 * Generate a pre-master secret and encrypt it with the server's RSA key
2090 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002091static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002092 size_t offset, size_t *olen,
2093 size_t pms_offset )
2094{
2095 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002096 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002097 unsigned char *p = ssl->handshake->premaster + pms_offset;
2098
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02002099 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
2100 {
2101 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2102 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2103 }
2104
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002105 /*
2106 * Generate (part of) the pre-master as
2107 * struct {
2108 * ProtocolVersion client_version;
2109 * opaque random[46];
2110 * } PreMasterSecret;
2111 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002112 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2113 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002114
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002115 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002116 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002117 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002118 return( ret );
2119 }
2120
2121 ssl->handshake->pmslen = 48;
2122
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02002123 if( ssl->session_negotiate->peer_cert == NULL )
2124 {
2125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2126 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2127 }
2128
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002129 /*
2130 * Now write it out, encrypted
2131 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002132 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2133 MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002134 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002135 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2136 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002137 }
2138
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002139 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002140 p, ssl->handshake->pmslen,
2141 ssl->out_msg + offset + len_bytes, olen,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002142 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002143 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002144 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002145 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002146 return( ret );
2147 }
2148
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002149#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2150 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002151 if( len_bytes == 2 )
2152 {
2153 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2154 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2155 *olen += 2;
2156 }
2157#endif
2158
2159 return( 0 );
2160}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002161#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2162 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +02002163
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002164#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +02002165#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2166 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2167 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002168static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +02002169 unsigned char **p,
2170 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002171 mbedtls_md_type_t *md_alg,
2172 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +02002173{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +02002174 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002175 *md_alg = MBEDTLS_MD_NONE;
2176 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002177
2178 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002179 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002180 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002181 return( 0 );
2182 }
Paul Bakker29e1f122013-04-16 13:07:56 +02002183
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002184 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002185 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002186
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002187 /*
2188 * Get hash algorithm
2189 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002190 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +02002191 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +01002192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002193 "HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002194 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002195 }
2196
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002197 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002198 * Get signature algorithm
2199 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002200 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +02002201 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +01002202 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +02002203 "SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002204 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +02002205 }
2206
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02002207 /*
2208 * Check if the hash is acceptable
2209 */
2210 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2211 {
Gilles Peskinecd3c8452017-05-09 14:57:45 +02002212 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2213 *(p)[0] ) );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +02002214 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2215 }
2216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002217 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2218 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +02002219 *p += 2;
2220
2221 return( 0 );
2222}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +02002223#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2224 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2225 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002226#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +02002227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002228#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2229 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2230static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002231{
2232 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002233 const mbedtls_ecp_keypair *peer_key;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002234
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02002235 if( ssl->session_negotiate->peer_cert == NULL )
2236 {
2237 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2238 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2239 }
2240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002241 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2242 MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002243 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2245 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002246 }
2247
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002248 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002249
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002250 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2251 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002252 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002253 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002254 return( ret );
2255 }
2256
2257 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2258 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002259 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2260 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002261 }
2262
2263 return( ret );
2264}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002265#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2266 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002268static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +01002269{
Paul Bakker23986e52011-04-24 08:57:21 +00002270 int ret;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01002271 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2272 ssl->transform_negotiate->ciphersuite_info;
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +01002273 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +00002274
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002275 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002277#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2278 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00002279 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002280 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002281 ssl->state++;
2282 return( 0 );
2283 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +02002284 ((void) p);
2285 ((void) end);
2286#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00002287
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002288#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2289 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2290 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2291 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002292 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002293 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2294 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002295 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002296 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2297 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +01002298 return( ret );
2299 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002301 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002302 ssl->state++;
2303 return( 0 );
2304 }
2305 ((void) p);
2306 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002307#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2308 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +01002309
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002310 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002311 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002312 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002313 return( ret );
2314 }
2315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002316 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002317 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002318 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002319 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2320 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002321 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002322 }
2323
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02002324 /*
2325 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2326 * doesn't use a psk_identity_hint
2327 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002328 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002329 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002330 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2331 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +02002332 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002333 /* Current message is probably either
2334 * CertificateRequest or ServerHelloDone */
2335 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +02002336 goto exit;
2337 }
2338
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002339 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2340 "not be skipped" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002341 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2342 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002343
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002344 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002345 }
2346
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002347 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +01002348 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002349 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +01002350
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002351#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2352 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2353 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2354 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2355 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02002356 {
2357 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2358 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002360 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2361 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002362 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02002363 }
2364 } /* FALLTROUGH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002365#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02002366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002367#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2368 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2369 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2370 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +02002371 ; /* nothing more to do */
2372 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002373#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2374 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2375#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2376 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2377 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2378 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +00002379 {
Paul Bakker29e1f122013-04-16 13:07:56 +02002380 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002381 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002383 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2384 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002385 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002386 }
2387 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002388 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002389#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2390 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2391#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2392 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2393 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2394 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2395 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2396 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002397 {
2398 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2399 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002400 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002401 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2402 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002403 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +01002404 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00002405 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002406 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002407#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2408 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2409 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02002410#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2411 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2412 {
2413 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2414 p, end - p );
2415 if( ret != 0 )
2416 {
2417 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002418 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2419 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02002420 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2421 }
2422 }
2423 else
2424#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +01002425 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2427 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002428 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00002429
Hanno Becker1aa267c2017-04-28 17:08:27 +01002430#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2431 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002432 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +00002433 size_t sig_len, hashlen;
2434 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002435 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2436 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2437 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +00002438 size_t params_len = p - params;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002439
Paul Bakker29e1f122013-04-16 13:07:56 +02002440 /*
2441 * Handle the digitally-signed structure
2442 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002443#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2444 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002445 {
Paul Bakker9659dae2013-08-28 16:21:34 +02002446 if( ssl_parse_signature_algorithm( ssl, &p, end,
2447 &md_alg, &pk_alg ) != 0 )
2448 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002450 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2451 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002452 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +02002453 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00002454
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002455 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +00002456 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002458 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2459 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002460 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002461 }
2462 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +02002463 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002464#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2465#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2466 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2467 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +02002468 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002469 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +00002470
Paul Bakker9659dae2013-08-28 16:21:34 +02002471 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002472 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2473 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +02002474 }
2475 else
2476#endif
2477 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2479 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +02002480 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002481
2482 /*
2483 * Read signature
2484 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +01002485
2486 if( p > end - 2 )
2487 {
2488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2489 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2490 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2491 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2492 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002493 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +00002494 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +00002495
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +01002496 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +01002497 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002499 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2500 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002501 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +01002502 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002504 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +02002505
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002506 /*
2507 * Compute the hash that has been signed
2508 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002509#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2510 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2511 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +00002512 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002513 hashlen = 36;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01002514 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2515 params_len );
2516 if( ret != 0 )
Andres Amaya Garciaf0e521e2017-06-28 12:11:42 +01002517 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +02002518 }
2519 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002520#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2521 MBEDTLS_SSL_PROTO_TLS1_1 */
2522#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2523 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2524 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +02002525 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02002526 /* Info from md_alg will be used instead */
2527 hashlen = 0;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +01002528 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params,
2529 params_len, md_alg );
2530 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +02002531 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +02002532 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002533 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002534#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2535 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +02002536 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2538 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02002539 }
Paul Bakker29e1f122013-04-16 13:07:56 +02002540
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002541 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2542 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
Paul Bakker29e1f122013-04-16 13:07:56 +02002543
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02002544 if( ssl->session_negotiate->peer_cert == NULL )
2545 {
2546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002547 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2548 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +02002549 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2550 }
2551
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002552 /*
2553 * Verify signature
2554 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002555 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002556 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002558 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2559 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002560 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002561 }
2562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002563 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
Manuel Pégourié-Gonnard20846b12013-08-19 12:32:12 +02002564 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +02002565 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002566 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2567 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002568 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Paul Bakkerc70b9822013-04-07 22:00:46 +02002569 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +00002570 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002571 }
Hanno Becker1aa267c2017-04-28 17:08:27 +01002572#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002573
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002574exit:
Paul Bakker5121ce52009-01-03 21:22:43 +00002575 ssl->state++;
2576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002577 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002578
2579 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +00002580}
2581
Hanno Becker1aa267c2017-04-28 17:08:27 +01002582#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002583static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002584{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01002585 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2586 ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002588 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002589
Hanno Becker1aa267c2017-04-28 17:08:27 +01002590 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002591 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002592 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002593 ssl->state++;
2594 return( 0 );
2595 }
2596
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002597 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2598 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002599}
Hanno Becker1aa267c2017-04-28 17:08:27 +01002600#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002601static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002602{
2603 int ret;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002604 unsigned char *buf;
2605 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +02002606 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01002607 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2608 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002609
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002610 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002611
Hanno Becker1aa267c2017-04-28 17:08:27 +01002612 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002613 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002614 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +01002615 ssl->state++;
2616 return( 0 );
2617 }
2618
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002619 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002620 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002621 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2622 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002623 }
2624
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002625 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2626 {
2627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2628 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2629 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2630 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2631 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002632
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002633 ssl->state++;
2634 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +00002635
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002636 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +00002637 ssl->client_auth ? "a" : "no" ) );
2638
Paul Bakker926af752012-11-23 13:38:07 +01002639 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002640 {
2641 /* Current message is probably the ServerHelloDone */
2642 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +01002643 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002644 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002645
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +02002646 /*
2647 * struct {
2648 * ClientCertificateType certificate_types<1..2^8-1>;
2649 * SignatureAndHashAlgorithm
2650 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2651 * DistinguishedName certificate_authorities<0..2^16-1>;
2652 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002653 *
2654 * Since we only support a single certificate on clients, let's just
2655 * ignore all the information that's supposed to help us pick a
2656 * certificate.
2657 *
2658 * We could check that our certificate matches the request, and bail out
2659 * if it doesn't, but it's simpler to just send the certificate anyway,
2660 * and give the server the opportunity to decide if it should terminate
2661 * the connection when it doesn't like our certificate.
2662 *
2663 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2664 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +00002665 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002666 *
2667 * However, we still minimally parse the message to check it is at least
2668 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +02002669 */
Paul Bakker926af752012-11-23 13:38:07 +01002670 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +02002671
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002672 /* certificate_types */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002673 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +01002674 n = cert_type_len;
2675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002676 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +01002677 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002678 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002679 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2680 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002681 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +01002682 }
2683
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002684 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002685#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2686 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01002687 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002688 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2689 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +01002690#if defined(MBEDTLS_DEBUG_C)
2691 unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
2692 size_t i;
2693
2694 for( i = 0; i < sig_alg_len; i += 2 )
2695 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01002696 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
2697 ",%d", sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +01002698 }
2699#endif
Paul Bakker926af752012-11-23 13:38:07 +01002700
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002701 n += 2 + sig_alg_len;
Paul Bakker926af752012-11-23 13:38:07 +01002702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002703 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +01002704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002706 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2707 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002708 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +01002709 }
Paul Bakkerf7abd422013-04-16 13:15:56 +02002710 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002711#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +01002712
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002713 /* certificate_authorities */
2714 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2715 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +01002716
2717 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +00002718 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +01002719 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002721 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2722 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002723 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +01002724 }
2725
2726exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002727 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002728
2729 return( 0 );
2730}
Hanno Becker1aa267c2017-04-28 17:08:27 +01002731#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00002732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002733static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002734{
2735 int ret;
2736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002737 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002738
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002739 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002740 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002741 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2742 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002743 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +01002744
2745 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2746 {
2747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2748 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2749 }
Paul Bakker5121ce52009-01-03 21:22:43 +00002750
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002751 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
2752 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +00002753 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002754 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02002755 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2756 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002757 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +00002758 }
2759
2760 ssl->state++;
2761
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002762#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002763 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002764 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02002765#endif
2766
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002768
2769 return( 0 );
2770}
2771
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002772static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00002773{
Paul Bakker23986e52011-04-24 08:57:21 +00002774 int ret;
2775 size_t i, n;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01002776 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2777 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +00002778
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002779 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00002780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002781#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
2782 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00002783 {
Paul Bakker5121ce52009-01-03 21:22:43 +00002784 /*
2785 * DHM key exchange -- send G^X mod P
2786 */
Paul Bakker48916f92012-09-16 19:57:18 +00002787 n = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +00002788
2789 ssl->out_msg[4] = (unsigned char)( n >> 8 );
2790 ssl->out_msg[5] = (unsigned char)( n );
2791 i = 6;
2792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002793 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2794 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker5121ce52009-01-03 21:22:43 +00002795 &ssl->out_msg[i], n,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002796 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +00002797 if( ret != 0 )
2798 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002799 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002800 return( ret );
2801 }
2802
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002803 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2804 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +00002805
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002806 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Paul Bakker48916f92012-09-16 19:57:18 +00002807 ssl->handshake->premaster,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +01002808 MBEDTLS_PREMASTER_SIZE,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +02002809 &ssl->handshake->pmslen,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002810 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00002811 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002812 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002813 return( ret );
2814 }
2815
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002816 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +00002817 }
2818 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002819#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2820#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2821 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2822 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2823 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2824 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2825 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2826 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2827 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +01002828 {
2829 /*
2830 * ECDH key exchange -- send client public value
2831 */
2832 i = 4;
2833
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002834 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +01002835 &n,
2836 &ssl->out_msg[i], 1000,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002837 ssl->conf->f_rng, ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +01002838 if( ret != 0 )
2839 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002840 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Paul Bakker41c83d32013-03-20 14:39:14 +01002841 return( ret );
2842 }
2843
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002844 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
Paul Bakker41c83d32013-03-20 14:39:14 +01002845
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002846 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +01002847 &ssl->handshake->pmslen,
2848 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002849 MBEDTLS_MPI_MAX_SIZE,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002850 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +01002851 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Paul Bakker41c83d32013-03-20 14:39:14 +01002853 return( ret );
2854 }
2855
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002856 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
Paul Bakker41c83d32013-03-20 14:39:14 +01002857 }
2858 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002859#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2860 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2861 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2862 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2863#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +01002864 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002865 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002866 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002867 * opaque psk_identity<0..2^16-1>;
2868 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002869 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +02002870 {
2871 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002872 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +02002873 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +02002874
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002875 i = 4;
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002876 n = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02002877
2878 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2879 {
2880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
2881 "SSL buffer too short" ) );
2882 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2883 }
2884
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002885 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2886 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002887
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02002888 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
2889 i += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002890
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002891#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
2892 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002893 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002894 n = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002895 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002896 else
2897#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002898#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2899 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002900 {
2901 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
2902 return( ret );
2903 }
2904 else
2905#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002906#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2907 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002908 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002909 /*
2910 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2911 */
2912 n = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +02002913
2914 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2915 {
2916 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
2917 " or SSL buffer too short" ) );
2918 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2919 }
2920
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002921 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2922 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002924 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2925 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002926 &ssl->out_msg[i], n,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002927 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002928 if( ret != 0 )
2929 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002930 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002931 return( ret );
2932 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002933 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002934 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002935#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2936#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2937 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002938 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002939 /*
2940 * ClientECDiffieHellmanPublic public;
2941 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002942 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2943 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01002944 ssl->conf->f_rng, ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002945 if( ret != 0 )
2946 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002947 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002948 return( ret );
2949 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +02002950
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002951 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002952 }
2953 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002954#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +02002955 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002956 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2957 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002958 }
2959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002960 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +02002961 ciphersuite_info->key_exchange ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002962 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002963 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002964 return( ret );
2965 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +02002966 }
2967 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002968#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2969#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2970 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +00002971 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +02002972 i = 4;
2973 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +00002974 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00002975 }
Paul Bakkered27a042013-04-18 22:46:23 +02002976 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002977#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02002978#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2979 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2980 {
2981 i = 4;
2982
2983 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
2984 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
2985 ssl->conf->f_rng, ssl->conf->p_rng );
2986 if( ret != 0 )
2987 {
2988 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
2989 return( ret );
2990 }
2991
2992 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
2993 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
2994 ssl->conf->f_rng, ssl->conf->p_rng );
2995 if( ret != 0 )
2996 {
2997 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
2998 return( ret );
2999 }
3000 }
3001 else
3002#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +02003003 {
3004 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3006 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +02003007 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003008
Paul Bakker5121ce52009-01-03 21:22:43 +00003009 ssl->out_msglen = i + n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003010 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3011 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +00003012
3013 ssl->state++;
3014
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003015 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003016 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003017 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003018 return( ret );
3019 }
3020
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003021 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003022
3023 return( 0 );
3024}
3025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003026#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3027 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Paul Bakker29f221f2016-07-22 13:49:02 +01003028 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003029 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
Paul Bakker29f221f2016-07-22 13:49:02 +01003030 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003031 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3032static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003033{
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01003034 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3035 ssl->transform_negotiate->ciphersuite_info;
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02003036 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +00003037
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003038 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003040 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02003041 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003042 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02003043 return( ret );
3044 }
3045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003046 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3047 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3048 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +02003049 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3050 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakkered27a042013-04-18 22:46:23 +02003051 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +02003053 ssl->state++;
3054 return( 0 );
3055 }
3056
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003057 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3058 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003059}
3060#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003061static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003062{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003063 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker0d0cd4b2017-05-11 14:06:43 +01003064 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3065 ssl->transform_negotiate->ciphersuite_info;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003066 size_t n = 0, offset = 0;
3067 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003068 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003069 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +02003070 unsigned int hashlen;
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003071
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003072 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003073
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003074 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02003075 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003076 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +02003077 return( ret );
3078 }
3079
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003080 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3081 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3082 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
Manuel Pégourié-Gonnard25dbeb02015-09-16 17:30:03 +02003083 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3084 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003085 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003086 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +02003087 ssl->state++;
3088 return( 0 );
3089 }
3090
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003091 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003092 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003093 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003094 ssl->state++;
3095 return( 0 );
3096 }
3097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003098 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +00003099 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +02003100 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003101 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +00003102 }
3103
3104 /*
3105 * Make an RSA signature of the handshake digests
3106 */
Paul Bakker48916f92012-09-16 19:57:18 +00003107 ssl->handshake->calc_verify( ssl, hash );
Paul Bakker5121ce52009-01-03 21:22:43 +00003108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003109#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3110 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3111 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +00003112 {
Paul Bakker926af752012-11-23 13:38:07 +01003113 /*
3114 * digitally-signed struct {
3115 * opaque md5_hash[16];
3116 * opaque sha_hash[20];
3117 * };
3118 *
3119 * md5_hash
3120 * MD5(handshake_messages);
3121 *
3122 * sha_hash
3123 * SHA(handshake_messages);
3124 */
3125 hashlen = 36;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003126 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003127
3128 /*
3129 * For ECDSA, default hash is SHA-1 only
3130 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003131 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003132 {
3133 hash_start += 16;
3134 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003135 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +02003136 }
Paul Bakker926af752012-11-23 13:38:07 +01003137 }
3138 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003139#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3140 MBEDTLS_SSL_PROTO_TLS1_1 */
3141#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3142 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +01003143 {
3144 /*
3145 * digitally-signed struct {
3146 * opaque handshake_messages[handshake_messages_length];
3147 * };
3148 *
3149 * Taking shortcut here. We assume that the server always allows the
3150 * PRF Hash function and has sent it in the allowed signature
3151 * algorithms list received in the Certificate Request message.
3152 *
3153 * Until we encounter a server that does not, we will take this
3154 * shortcut.
3155 *
3156 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3157 * in order to satisfy 'weird' needs from the server side.
3158 */
Paul Bakkerb7149bc2013-03-20 15:30:09 +01003159 if( ssl->transform_negotiate->ciphersuite_info->mac ==
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003160 MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +00003161 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003162 md_alg = MBEDTLS_MD_SHA384;
3163 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +00003164 }
3165 else
3166 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003167 md_alg = MBEDTLS_MD_SHA256;
3168 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +00003169 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003170 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +00003171
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +02003172 /* Info from md_alg will be used instead */
3173 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +00003174 offset = 2;
3175 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +02003176 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003177#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +02003178 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3180 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +02003181 }
Paul Bakker1ef83d62012-04-11 12:09:53 +00003182
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003183 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003184 ssl->out_msg + 6 + offset, &n,
Manuel Pégourié-Gonnard750e4d72015-05-07 12:35:38 +01003185 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +02003186 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003187 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +02003188 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +02003189 }
Paul Bakker926af752012-11-23 13:38:07 +01003190
Paul Bakker1ef83d62012-04-11 12:09:53 +00003191 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3192 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +00003193
Paul Bakker1ef83d62012-04-11 12:09:53 +00003194 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003195 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3196 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +00003197
3198 ssl->state++;
3199
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003200 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +00003201 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003202 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003203 return( ret );
3204 }
3205
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003206 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +00003207
Paul Bakkered27a042013-04-18 22:46:23 +02003208 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +00003209}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003210#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3211 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Paul Bakker29f221f2016-07-22 13:49:02 +01003212 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3213 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3214 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3215 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +00003216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003217#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3218static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003219{
3220 int ret;
3221 uint32_t lifetime;
3222 size_t ticket_len;
3223 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02003224 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003226 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003228 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003229 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003230 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003231 return( ret );
3232 }
3233
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003234 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003235 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003236 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02003237 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3238 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003239 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003240 }
3241
3242 /*
3243 * struct {
3244 * uint32 ticket_lifetime_hint;
3245 * opaque ticket<0..2^16-1>;
3246 * } NewSessionTicket;
3247 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02003248 * 0 . 3 ticket_lifetime_hint
3249 * 4 . 5 ticket_len (n)
3250 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003251 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003252 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3253 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003254 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02003256 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3257 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003258 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003259 }
3260
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003261 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003262
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02003263 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) |
3264 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003265
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02003266 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003268 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003269 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003270 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02003271 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3272 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003273 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003274 }
3275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003276 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003277
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02003278 /* We're not waiting for a NewSessionTicket message any more */
3279 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003280 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +02003281
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003282 /*
3283 * Zero-length ticket means the server changed his mind and doesn't want
3284 * to send a ticket after all, so just forget it
3285 */
Paul Bakker66d5d072014-06-17 16:39:18 +02003286 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003287 return( 0 );
3288
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -05003289 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3290 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003291 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003292 ssl->session_negotiate->ticket = NULL;
3293 ssl->session_negotiate->ticket_len = 0;
3294
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +02003295 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003296 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +02003297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +02003298 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3299 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +02003300 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003301 }
3302
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +02003303 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003304
3305 ssl->session_negotiate->ticket = ticket;
3306 ssl->session_negotiate->ticket_len = ticket_len;
3307 ssl->session_negotiate->ticket_lifetime = lifetime;
3308
3309 /*
3310 * RFC 5077 section 3.4:
3311 * "If the client receives a session ticket from the server, then it
3312 * discards any Session ID that was sent in the ServerHello."
3313 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003314 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +02003315 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003316
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003317 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003318
3319 return( 0 );
3320}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003321#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003322
Paul Bakker5121ce52009-01-03 21:22:43 +00003323/*
Paul Bakker1961b702013-01-25 14:49:24 +01003324 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +00003325 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003326int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +00003327{
3328 int ret = 0;
3329
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +02003330 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003331 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +00003332
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003333 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +01003334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003335 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +01003336 return( ret );
3337
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003338#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +02003339 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003340 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003341 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003342 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +02003343 return( ret );
3344 }
3345#endif
3346
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003347 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02003348 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003349#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3350 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02003351 ssl->handshake->new_session_ticket != 0 )
3352 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003353 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02003354 }
3355#endif
3356
Paul Bakker1961b702013-01-25 14:49:24 +01003357 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +00003358 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003359 case MBEDTLS_SSL_HELLO_REQUEST:
3360 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +00003361 break;
3362
Paul Bakker1961b702013-01-25 14:49:24 +01003363 /*
3364 * ==> ClientHello
3365 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003366 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +01003367 ret = ssl_write_client_hello( ssl );
3368 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003369
Paul Bakker1961b702013-01-25 14:49:24 +01003370 /*
3371 * <== ServerHello
3372 * Certificate
3373 * ( ServerKeyExchange )
3374 * ( CertificateRequest )
3375 * ServerHelloDone
3376 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003377 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +01003378 ret = ssl_parse_server_hello( ssl );
3379 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003380
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003381 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3382 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003383 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003385 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +01003386 ret = ssl_parse_server_key_exchange( ssl );
3387 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003388
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003389 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +01003390 ret = ssl_parse_certificate_request( ssl );
3391 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003393 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +01003394 ret = ssl_parse_server_hello_done( ssl );
3395 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003396
Paul Bakker1961b702013-01-25 14:49:24 +01003397 /*
3398 * ==> ( Certificate/Alert )
3399 * ClientKeyExchange
3400 * ( CertificateVerify )
3401 * ChangeCipherSpec
3402 * Finished
3403 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003404 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3405 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003406 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003408 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +01003409 ret = ssl_write_client_key_exchange( ssl );
3410 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003411
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003412 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +01003413 ret = ssl_write_certificate_verify( ssl );
3414 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003416 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3417 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003418 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003419
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003420 case MBEDTLS_SSL_CLIENT_FINISHED:
3421 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003422 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003423
Paul Bakker1961b702013-01-25 14:49:24 +01003424 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +02003425 * <== ( NewSessionTicket )
3426 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +01003427 * Finished
3428 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003429#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3430 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02003431 ret = ssl_parse_new_session_ticket( ssl );
3432 break;
Paul Bakkera503a632013-08-14 13:48:06 +02003433#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +02003434
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003435 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3436 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003437 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003438
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003439 case MBEDTLS_SSL_SERVER_FINISHED:
3440 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003441 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003442
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003443 case MBEDTLS_SSL_FLUSH_BUFFERS:
3444 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3445 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +01003446 break;
Paul Bakker5121ce52009-01-03 21:22:43 +00003447
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003448 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3449 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +01003450 break;
Paul Bakker48916f92012-09-16 19:57:18 +00003451
Paul Bakker1961b702013-01-25 14:49:24 +01003452 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003453 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3454 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +01003455 }
Paul Bakker5121ce52009-01-03 21:22:43 +00003456
3457 return( ret );
3458}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003459#endif /* MBEDTLS_SSL_CLI_C */