TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7decea9ea915228de78be0a75a5456c6dfd13251 / . / library / ssl_cli.c
blob: 736d9d9242ce615c2624ad93107036cb3d9d1e34 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]23#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_SSL_CLI_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]31#include "mbedtls/platform.h"
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]32#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]33#include <stdlib.h>
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]34#define mbedtls_calloc calloc
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]35#define mbedtls_free free
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]36#endif
37
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]38#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41
42#include <string.h>
43
Manuel Pégourié-Gonnard93866642015-06-22 19:21:23 +0200[diff] [blame]44#include <stdint.h>
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_HAVE_TIME)
Simon Butcherb5b6af22016-07-13 14:46:18 +0100[diff] [blame]47#include "mbedtls/platform_time.h"
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]48#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]51#include "mbedtls/platform_util.h"
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]52#endif
53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
55static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]56 unsigned char *buf,
57 size_t *olen )
58{
59 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]60 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]61 size_t hostname_len;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]62
63 *olen = 0;
64
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]65 if( ssl->hostname == NULL )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]66 return;
67
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]68 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]69 ssl->hostname ) );
70
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]71 hostname_len = strlen( ssl->hostname );
72
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]73 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]74 {
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]75 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]76 return;
77 }
78
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]79 /*
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]80 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
81 *
82 * In order to provide any of the server names, clients MAY include an
83 * extension of type "server_name" in the (extended) client hello. The
84 * "extension_data" field of this extension SHALL contain
85 * "ServerNameList" where:
86 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]87 * struct {
88 * NameType name_type;
89 * select (name_type) {
90 * case host_name: HostName;
91 * } name;
92 * } ServerName;
93 *
94 * enum {
95 * host_name(0), (255)
96 * } NameType;
97 *
98 * opaque HostName<1..2^16-1>;
99 *
100 * struct {
101 * ServerName server_name_list<1..2^16-1>
102 * } ServerNameList;
Hanno Becker1a9a51c2017-04-07 13:02:16 +0100[diff] [blame]103 *
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]104 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]107
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]110
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]117
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]118 memcpy( p, ssl->hostname, hostname_len );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]119
Manuel Pégourié-Gonnardba26c242015-05-06 10:47:06 +0100[diff] [blame]120 *olen = hostname_len + 9;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]121}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]122#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]124#if defined(MBEDTLS_SSL_RENEGOTIATION)
125static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]126 unsigned char *buf,
127 size_t *olen )
128{
129 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]131
132 *olen = 0;
133
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
135 * initial ClientHello, in which case also adding the renegotiation
136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]138 return;
139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]141
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]143 {
144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
145 return;
146 }
147
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]148 /*
149 * Secure renegotiation
150 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]153
154 *p++ = 0x00;
155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
156 *p++ = ssl->verify_data_len & 0xFF;
157
158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
159
160 *olen = 5 + ssl->verify_data_len;
161}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]162#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]163
Manuel Pégourié-Gonnardd9423232014-12-02 11:57:29 +0100[diff] [blame]164/*
165 * Only if we handle at least one key exchange that needs signatures.
166 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]167#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
169static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]170 unsigned char *buf,
171 size_t *olen )
172{
173 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]175 size_t sig_alg_len = 0;
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]176 const int *md;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]177#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5bfd9682014-06-24 15:18:11 +0200[diff] [blame]178 unsigned char *sig_alg_list = buf + 6;
179#endif
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]180
181 *olen = 0;
182
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]184 return;
185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]187
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
189 {
190#if defined(MBEDTLS_ECDSA_C)
191 sig_alg_len += 2;
192#endif
193#if defined(MBEDTLS_RSA_C)
194 sig_alg_len += 2;
195#endif
196 }
197
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]199 {
200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
201 return;
202 }
203
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]204 /*
205 * Prepare signature_algorithms extension (TLS 1.2)
206 */
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]207 sig_alg_len = 0;
208
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
210 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]211#if defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]214#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]215#if defined(MBEDTLS_RSA_C)
216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
Manuel Pégourié-Gonnardd11eb7c2013-08-22 15:57:15 +0200[diff] [blame]218#endif
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]219 }
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]220
221 /*
222 * enum {
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
224 * sha512(6), (255)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]225 * } HashAlgorithm;
226 *
227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
228 * SignatureAlgorithm;
229 *
230 * struct {
231 * HashAlgorithm hash;
232 * SignatureAlgorithm signature;
233 * } SignatureAndHashAlgorithm;
234 *
235 * SignatureAndHashAlgorithm
236 * supported_signature_algorithms<2..2^16-2>;
237 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]240
241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
243
244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
246
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]247 *olen = 6 + sig_alg_len;
248}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]249#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]251
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]252#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Beckera4a9c692019-06-18 16:55:47 +0100[diff] [blame]254static size_t ssl_get_ec_curve_list_length( mbedtls_ssl_context *ssl )
255{
256 size_t ec_list_len = 0;
257
258 MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id )
259 ((void) tls_id);
260 ec_list_len++;
261 MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID
262
263 return( ec_list_len );
264}
265
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]266static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]267 unsigned char *buf,
268 size_t *olen )
269{
270 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]271 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]272 size_t elliptic_curve_len = 0;
273
274 *olen = 0;
275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]276 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]277
Hanno Beckera4a9c692019-06-18 16:55:47 +0100[diff] [blame]278 /* Each elliptic curve is encoded in 2 bytes. */
279 elliptic_curve_len = 2 * ssl_get_ec_curve_list_length( ssl );
280 if( elliptic_curve_len == 0 )
281 return;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]282
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]283 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]284 {
285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
286 return;
287 }
288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]289 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
290 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]291
292 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
293 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
294
295 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
296 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
297
Hanno Becker7decea92019-06-19 12:59:24 +0100[diff] [blame^]298 MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id )
299 *p++ = tls_id >> 8;
300 *p++ = tls_id & 0xFF;
301 MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID
302
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]303 *olen = 6 + elliptic_curve_len;
304}
305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]306static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]307 unsigned char *buf,
308 size_t *olen )
309{
310 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]311 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]312
313 *olen = 0;
314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]315 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]316
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]317 if( end < p || (size_t)( end - p ) < 6 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]318 {
319 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
320 return;
321 }
322
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]323 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
324 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]325
326 *p++ = 0x00;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]327 *p++ = 2;
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]328
329 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]330 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]331
Manuel Pégourié-Gonnard6b8846d2013-08-15 17:42:02 +0200[diff] [blame]332 *olen = 6;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]333}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]334#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]335 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]336
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]337#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]338static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
339 unsigned char *buf,
340 size_t *olen )
341{
342 int ret;
343 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]344 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]345 size_t kkpp_len;
346
347 *olen = 0;
348
349 /* Skip costly extension if we can't use EC J-PAKE anyway */
350 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
351 return;
352
353 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
354
355 if( end - p < 4 )
356 {
357 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
358 return;
359 }
360
361 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
362 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
363
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]364 /*
365 * We may need to send ClientHello multiple times for Hello verification.
366 * We don't want to compute fresh values every time (both for performance
367 * and consistency reasons), so cache the extension content.
368 */
369 if( ssl->handshake->ecjpake_cache == NULL ||
370 ssl->handshake->ecjpake_cache_len == 0 )
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]371 {
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]372 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
373
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]374 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
375 p + 2, end - p - 2, &kkpp_len,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]376 mbedtls_ssl_conf_get_frng( ssl->conf ),
377 ssl->conf->p_rng );
Manuel Pégourié-Gonnard5674a972015-10-19 15:14:03 +0200[diff] [blame]378 if( ret != 0 )
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]379 {
380 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
381 return;
382 }
383
384 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
385 if( ssl->handshake->ecjpake_cache == NULL )
386 {
387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
388 return;
389 }
390
391 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
392 ssl->handshake->ecjpake_cache_len = kkpp_len;
393 }
394 else
395 {
396 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
397
398 kkpp_len = ssl->handshake->ecjpake_cache_len;
399
400 if( (size_t)( end - p - 2 ) < kkpp_len )
401 {
402 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
403 return;
404 }
405
406 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]407 }
408
409 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
410 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
411
412 *olen = kkpp_len + 4;
413}
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]414#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]415
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]416#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]417static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
418 unsigned char *buf,
419 size_t *olen )
420{
421 unsigned char *p = buf;
422 size_t ext_len;
423 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
424
425 /*
Hanno Becker3cdf8fe2019-05-15 10:26:32 +0100[diff] [blame]426 * Quoting draft-ietf-tls-dtls-connection-id-05
427 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]428 *
429 * struct {
430 * opaque cid<0..2^8-1>;
431 * } ConnectionId;
432 */
433
434 *olen = 0;
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]435 if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]436 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
437 {
438 return;
439 }
440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
441
442 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
443 * which is at most 255, so the increment cannot overflow. */
444 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
445 {
446 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
447 return;
448 }
449
450 /* Add extension ID + size */
451 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
452 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
453 ext_len = (size_t) ssl->own_cid_len + 1;
454 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
455 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
456
457 *p++ = (uint8_t) ssl->own_cid_len;
458 memcpy( p, ssl->own_cid, ssl->own_cid_len );
459
460 *olen = ssl->own_cid_len + 5;
461}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]462#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]464#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
465static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]466 unsigned char *buf,
467 size_t *olen )
468{
469 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]470 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]471
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]472 *olen = 0;
473
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]474 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]475 return;
476 }
477
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]478 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]479
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]480 if( end < p || (size_t)( end - p ) < 5 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]481 {
482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
483 return;
484 }
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
487 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]488
489 *p++ = 0x00;
490 *p++ = 1;
491
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]492 *p++ = ssl->conf->mfl_code;
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]493
494 *olen = 5;
495}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]496#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
499static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]500 unsigned char *buf, size_t *olen )
501{
502 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]503 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]504
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]505 *olen = 0;
506
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]507 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]508 {
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]509 return;
510 }
511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]512 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]513
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]514 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]515 {
516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
517 return;
518 }
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
521 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]522
523 *p++ = 0x00;
524 *p++ = 0x00;
525
526 *olen = 4;
527}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]528#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]529
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]530#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
531static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]532 unsigned char *buf, size_t *olen )
533{
534 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]535 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]536
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]537 *olen = 0;
538
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]539 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
540 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]541 {
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]542 return;
543 }
544
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]545 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]546 "extension" ) );
547
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]548 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]549 {
550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
551 return;
552 }
553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]554 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
555 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]556
557 *p++ = 0x00;
558 *p++ = 0x00;
559
560 *olen = 4;
561}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]562#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]563
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]564#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
565static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]566 unsigned char *buf, size_t *olen )
567{
568 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]569 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]570
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]571 *olen = 0;
572
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]573 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
574 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]575 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]576 {
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]577 return;
578 }
579
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]580 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]581 "extension" ) );
582
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]583 if( end < p || (size_t)( end - p ) < 4 )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]584 {
585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
586 return;
587 }
588
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]589 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
590 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]591
592 *p++ = 0x00;
593 *p++ = 0x00;
594
595 *olen = 4;
596}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]599#if defined(MBEDTLS_SSL_SESSION_TICKETS)
600static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]601 unsigned char *buf, size_t *olen )
602{
603 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]604 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]605 size_t tlen = ssl->session_negotiate->ticket_len;
606
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]607 *olen = 0;
608
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]609 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]610 {
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]611 return;
612 }
613
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]614 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]615
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]616 if( end < p || (size_t)( end - p ) < 4 + tlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]617 {
618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
619 return;
620 }
621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]622 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
623 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]624
625 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
626 *p++ = (unsigned char)( ( tlen ) & 0xFF );
627
628 *olen = 4;
629
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]630 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]631 {
632 return;
633 }
634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]636
637 memcpy( p, ssl->session_negotiate->ticket, tlen );
638
639 *olen += tlen;
640}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]641#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]642
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643#if defined(MBEDTLS_SSL_ALPN)
644static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]645 unsigned char *buf, size_t *olen )
646{
647 unsigned char *p = buf;
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]648 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]649 size_t alpnlen = 0;
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]650 const char **cur;
651
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]652 *olen = 0;
653
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]654 if( ssl->conf->alpn_list == NULL )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]655 {
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]656 return;
657 }
658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]659 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]660
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]661 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Simon Butcher04799a42015-09-29 00:31:09 +0100[diff] [blame]662 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]663
Simon Butcher0fc94e92015-09-28 20:52:04 +0100[diff] [blame]664 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
Simon Butchered997662015-09-28 02:14:30 +0100[diff] [blame]665 {
666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
667 return;
668 }
669
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]670 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
671 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]672
673 /*
674 * opaque ProtocolName<1..2^8-1>;
675 *
676 * struct {
677 * ProtocolName protocol_name_list<2..2^16-1>
678 * } ProtocolNameList;
679 */
680
681 /* Skip writing extension and list length for now */
682 p += 4;
683
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]684 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]685 {
686 *p = (unsigned char)( strlen( *cur ) & 0xFF );
687 memcpy( p + 1, *cur, *p );
688 p += 1 + *p;
689 }
690
691 *olen = p - buf;
692
693 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
694 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
695 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
696
697 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
698 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
699 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
700}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]702
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]703/*
704 * Generate random bytes for ClientHello
705 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]706static int ssl_generate_random( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]707{
708 int ret;
709 unsigned char *p = ssl->handshake->randbytes;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]711 mbedtls_time_t t;
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]712#endif
713
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]714 /*
715 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
716 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]717#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]718 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnardfb2d2232014-07-22 15:59:14 +0200[diff] [blame]719 ssl->handshake->verify_cookie != NULL )
720 {
721 return( 0 );
722 }
723#endif
724
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]725#if defined(MBEDTLS_HAVE_TIME)
SimonBd5800b72016-04-26 07:43:27 +0100[diff] [blame]726 t = mbedtls_time( NULL );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]727 *p++ = (unsigned char)( t >> 24 );
728 *p++ = (unsigned char)( t >> 16 );
729 *p++ = (unsigned char)( t >> 8 );
730 *p++ = (unsigned char)( t );
731
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]733#else
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]734 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
735 ( ssl->conf->p_rng, p, 4 ) ) != 0 )
736 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]737 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]738 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]739
740 p += 4;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]741#endif /* MBEDTLS_HAVE_TIME */
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]742
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]743 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
744 ( ssl->conf->p_rng, p, 28 ) ) != 0 )
745 {
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]746 return( ret );
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]747 }
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]748
749 return( 0 );
750}
751
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]752/**
753 * \brief Validate cipher suite against config in SSL context.
754 *
755 * \param suite_info cipher suite to validate
756 * \param ssl SSL context
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]757 * \param min_minor_ver Minimal minor version to accept a cipher suite
758 * \param max_minor_ver Maximal minor version to accept a cipher suite
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]759 *
760 * \return 0 if valid, else 1
761 */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]762static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info,
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]763 const mbedtls_ssl_context * ssl,
764 int min_minor_ver, int max_minor_ver )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]765{
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]766 (void) ssl;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]767 if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]768 return( 1 );
769
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]770
771 if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
772 mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
773 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]774 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]775 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]776
777#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]778 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]779 ( mbedtls_ssl_suite_get_flags( suite_info ) &
780 MBEDTLS_CIPHERSUITE_NODTLS ) != 0 )
781 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]782 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]783 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]784#endif
785
786#if defined(MBEDTLS_ARC4_C)
787 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]788 mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
789 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]790 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]791 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]792#endif
793
794#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]795 if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
796 MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
797 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
798 {
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]799 return( 1 );
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]800 }
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]801#endif
802
803 return( 0 );
804}
805
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]806static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]807{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]808 int ret;
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]809 size_t i, n, olen, ext_len = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]810 unsigned char *buf;
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]811 unsigned char *p, *q;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]812 unsigned char offer_compress;
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]813#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
814 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
815 int uses_ec = 0;
816#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]817
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]818 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]820 if( mbedtls_ssl_conf_get_frng( ssl->conf ) == NULL )
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]821 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
823 return( MBEDTLS_ERR_SSL_NO_RNG );
Paul Bakkera9a028e2013-11-21 17:31:06 +0100[diff] [blame]824 }
825
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]826 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]827 {
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]828 ssl->major_ver = ssl->conf->min_major_ver;
829 ssl->minor_ver = ssl->conf->min_minor_ver;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]830 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]832 if( ssl->conf->max_major_ver == 0 )
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]833 {
Manuel Pégourié-Gonnard1897af92015-05-10 23:27:38 +0200[diff] [blame]834 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
835 "consider using mbedtls_ssl_config_defaults()" ) );
836 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker490ecc82011-10-06 13:04:09 +0000[diff] [blame]837 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
839 /*
840 * 0 . 0 handshake type
841 * 1 . 3 handshake length
842 * 4 . 5 highest version supported
843 * 6 . 9 current UNIX time
844 * 10 . 37 random bytes
845 */
846 buf = ssl->out_msg;
847 p = buf + 4;
848
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]849 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
850 ssl->conf->transport, p );
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]851 p += 2;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]853 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]854 buf[4], buf[5] ) );
855
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]856 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
857 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]858 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]859 return( ret );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]860 }
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200[diff] [blame]861
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]862 memcpy( p, ssl->handshake->randbytes, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]863 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Manuel Pégourié-Gonnardb760f002014-07-22 15:53:27 +0200[diff] [blame]864 p += 32;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]865
866 /*
867 * 38 . 38 session id length
868 * 39 . 39+n session id
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]869 * 39+n . 39+n DTLS only: cookie length (1 byte)
870 * 40+n . .. DTSL only: cookie
871 * .. . .. ciphersuitelist length (2 bytes)
872 * .. . .. ciphersuitelist
873 * .. . .. compression methods length (1 byte)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]874 * .. . .. compression methods
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]875 * .. . .. extensions length (2 bytes)
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]876 * .. . .. extensions
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]878
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]879 /*
880 * We'll write a session of non-zero length if resumption was requested
881 * by the user, we're not renegotiating, and the session ID is of
882 * appropriate length. Otherwise make the length 0 (for now, see next code
883 * block for behaviour with tickets).
884 */
885 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]886 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]887 ssl->session_negotiate->id_len < 16 ||
888 ssl->session_negotiate->id_len > 32 )
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]889 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890 n = 0;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]891 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]892 else
893 {
894 n = ssl->session_negotiate->id_len;
895 }
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]896
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]897#if defined(MBEDTLS_SSL_SESSION_TICKETS)
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]898 /*
899 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
900 * generate and include a Session ID in the TLS ClientHello."
901 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]902 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
903 ssl->session_negotiate->ticket != NULL &&
904 ssl->session_negotiate->ticket_len != 0 )
Manuel Pégourié-Gonnardd2b35ec2015-03-10 11:40:43 +0000[diff] [blame]905 {
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]906 ret = mbedtls_ssl_conf_get_frng( ssl->conf )
907 ( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]908
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]909 if( ret != 0 )
910 return( ret );
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]911
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]912 ssl->session_negotiate->id_len = n = 32;
Manuel Pégourié-Gonnard6377e412013-07-31 16:31:33 +0200[diff] [blame]913 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]914#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915
916 *p++ = (unsigned char) n;
917
918 for( i = 0; i < n; i++ )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]919 *p++ = ssl->session_negotiate->id[i];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]921 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
922 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]923
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]924 /*
925 * DTLS cookie
926 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]928 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]929 {
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]930 if( ssl->handshake->verify_cookie == NULL )
931 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]933 *p++ = 0;
934 }
935 else
936 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]937 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]938 ssl->handshake->verify_cookie,
939 ssl->handshake->verify_cookie_len );
940
941 *p++ = ssl->handshake->verify_cookie_len;
942 memcpy( p, ssl->handshake->verify_cookie,
943 ssl->handshake->verify_cookie_len );
944 p += ssl->handshake->verify_cookie_len;
945 }
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]946 }
947#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]948
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]949 /*
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]950 * Ciphersuite list
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]951 */
Manuel Pégourié-Gonnard4128aa72014-03-21 09:40:12 +0100[diff] [blame]952
953 /* Skip writing ciphersuite length for now */
954 n = 0;
955 q = p;
956 p += 2;
957
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]958 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
959 ssl->minor_ver,
960 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]961 {
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]962 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
963 ssl->conf->min_minor_ver,
964 ssl->conf->max_minor_ver ) != 0 )
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]965 {
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]966 continue;
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]967 }
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]968
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]969 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]970 mbedtls_ssl_suite_get_id( ciphersuite_info ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]972#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
973 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
974 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
975#endif
976
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]977 n++;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]978 *p++ = (unsigned char)(
979 mbedtls_ssl_suite_get_id( ciphersuite_info ) >> 8 );
980 *p++ = (unsigned char)(
981 mbedtls_ssl_suite_get_id( ciphersuite_info ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]983 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]984
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
Ron Eldor714785d2017-08-28 13:55:55 +0300[diff] [blame]986
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]987 /*
988 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
989 */
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]990 if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]991 {
Ron Eldor4a2fb4c2017-09-10 17:03:50 +0300[diff] [blame]992 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]993 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
994 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Manuel Pégourié-Gonnard5d9cde22015-01-22 10:49:41 +0000[diff] [blame]995 n++;
996 }
997
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]998 /* Some versions of OpenSSL don't handle it correctly if not at end */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]999#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Manuel Pégourié-Gonnard684b0592015-05-06 09:27:31 +0100[diff] [blame]1000 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1001 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1003 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1004 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1005 n++;
1006 }
1007#endif
1008
Paul Bakker2fbefde2013-06-29 16:01:15 +0200[diff] [blame]1009 *q++ = (unsigned char)( n >> 7 );
1010 *q++ = (unsigned char)( n << 1 );
1011
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1012#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1013 offer_compress = 1;
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1014#else
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1015 offer_compress = 0;
1016#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1018 /*
Johannes H4e5d23f2018-01-06 09:46:57 +0100[diff] [blame]1019 * We don't support compression with DTLS right now: if many records come
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1020 * in the same datagram, uncompressing one could overwrite the next one.
1021 * We don't want to add complexity for handling that case unless there is
1022 * an actual need for it.
1023 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1025 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1026 offer_compress = 0;
1027#endif
1028
1029 if( offer_compress )
1030 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1031 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1032 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1033 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1034
1035 *p++ = 2;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1036 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1037 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1038 }
1039 else
1040 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1042 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1043 MBEDTLS_SSL_COMPRESS_NULL ) );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1044
1045 *p++ = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1047 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1049 // First write extensions, then the total length
1050 //
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1052 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1053 ext_len += olen;
Paul Bakker0be444a2013-08-27 21:55:01 +0200[diff] [blame]1054#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055
Hanno Becker40f8b512017-10-12 14:58:55 +0100[diff] [blame]1056 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1057 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1059 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1060 ext_len += olen;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1061#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1064 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Paul Bakkerd3edc862013-03-20 16:07:17 +0100[diff] [blame]1065 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1066 ext_len += olen;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]1067#endif
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1068
Manuel Pégourié-Gonnardf4721792015-09-15 10:53:51 +0200[diff] [blame]1069#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1070 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1071 if( uses_ec )
1072 {
1073 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1074 ext_len += olen;
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1075
Ron Eldor755bb6a2018-02-14 19:30:48 +0200[diff] [blame]1076 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1077 ext_len += olen;
1078 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1079#endif
1080
Manuel Pégourié-Gonnardeef142d2015-09-16 10:05:04 +0200[diff] [blame]1081#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard294139b2015-09-15 16:55:05 +0200[diff] [blame]1082 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1083 ext_len += olen;
1084#endif
1085
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1086#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1087 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
1088 ext_len += olen;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1089#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker39ec5252019-04-25 16:55:15 +0100[diff] [blame]1090
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1091#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1092 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1093 ext_len += olen;
Paul Bakker05decb22013-08-15 13:33:48 +0200[diff] [blame]1094#endif
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1095
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1097 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1098 ext_len += olen;
Paul Bakker1f2bc622013-08-15 13:45:55 +0200[diff] [blame]1099#endif
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1101#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1102 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1103 ext_len += olen;
1104#endif
1105
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1106#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1107 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1108 ext_len += olen;
1109#endif
1110
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1111#if defined(MBEDTLS_SSL_ALPN)
1112 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1113 ext_len += olen;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]1114#endif
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1115
Simon Butcher5624ec82015-09-29 01:06:06 +0100[diff] [blame]1116#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1117 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1118 ext_len += olen;
1119#endif
1120
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1121 /* olen unused if all extensions are disabled */
1122 ((void) olen);
1123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1124 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]1125 ext_len ) );
1126
Paul Bakkera7036632014-04-30 10:15:38 +0200[diff] [blame]1127 if( ext_len > 0 )
1128 {
1129 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1130 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1131 p += ext_len;
1132 }
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]1133
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134 ssl->out_msglen = p - buf;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1135 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1136 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1137
1138 ssl->state++;
1139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1140#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1141 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1142 mbedtls_ssl_send_flight_completed( ssl );
Manuel Pégourié-Gonnard7de3c9e2014-09-29 15:29:48 +0200[diff] [blame]1143#endif
1144
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1145 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]1147 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1148 return( ret );
1149 }
1150
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1151#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1152 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1153 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1154 {
1155 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1156 return( ret );
1157 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]1158#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]1159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1160 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1161
1162 return( 0 );
1163}
1164
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1165static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1166 const unsigned char *buf,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1167 size_t len )
1168{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1169#if defined(MBEDTLS_SSL_RENEGOTIATION)
1170 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1171 {
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1172 /* Check verify-data in constant-time. The length OTOH is no secret */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1173 if( len != 1 + ssl->verify_data_len * 2 ||
1174 buf[0] != ssl->verify_data_len * 2 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1175 mbedtls_ssl_safer_memcmp( buf + 1,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1176 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1177 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
Manuel Pégourié-Gonnard31ff1d22013-10-28 13:46:11 +0100[diff] [blame]1178 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1179 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1181 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1182 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1184 }
1185 }
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1186 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1187#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1188 {
1189 if( len != 1 || buf[0] != 0x00 )
1190 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1192 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1193 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1194 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1195 }
1196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1197 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +0100[diff] [blame]1198 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1199
1200 return( 0 );
1201}
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1202
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1203#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1204static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnarde048b672013-07-19 12:47:00 +0200[diff] [blame]1205 const unsigned char *buf,
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1206 size_t len )
1207{
1208 /*
1209 * server should use the extension only if we did,
1210 * and if so the server's value should match ours (and len is always 1)
1211 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1212 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1213 len != 1 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1214 buf[0] != ssl->conf->mfl_code )
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1215 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1216 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1217 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1218 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1219 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1220 }
1221
1222 return( 0 );
1223}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1224#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1226#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1227static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1228 const unsigned char *buf,
1229 size_t len )
1230{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1231 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1232 len != 0 )
1233 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1234 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1235 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1236 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1238 }
1239
1240 ((void) buf);
1241
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1242 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1243
1244 return( 0 );
1245}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1246#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1247
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1248#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1249static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1250 const unsigned char *buf,
1251 size_t len )
1252{
1253 size_t peer_cid_len;
1254
1255 if( /* CID extension only makes sense in DTLS */
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1256 MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1257 /* The server must only send the CID extension if we have offered it. */
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1258 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1259 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1261 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1262 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1263 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1264 }
1265
1266 if( len == 0 )
1267 {
1268 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1269 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1270 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1271 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1272 }
1273
1274 peer_cid_len = *buf++;
1275 len--;
1276
1277 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1278 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1279 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1280 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1281 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1282 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1283 }
1284
1285 if( len != peer_cid_len )
1286 {
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1288 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Hanno Becker8f68f872019-05-03 12:46:59 +0100[diff] [blame]1289 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1290 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1291 }
1292
Hanno Beckerf885d3b2019-05-03 12:47:49 +0100[diff] [blame]1293 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1294 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1295 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1296
1297 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1298 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1299
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1300 return( 0 );
1301}
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1302#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1304#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1305static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1306 const unsigned char *buf,
1307 size_t len )
1308{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1309 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1310 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1311 len != 0 )
1312 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1314 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1315 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1316 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1317 }
1318
1319 ((void) buf);
1320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1321 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1322
1323 return( 0 );
1324}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1328static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1329 const unsigned char *buf,
1330 size_t len )
1331{
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]1332 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
1333 MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1334 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1335 len != 0 )
1336 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1338 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1339 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1340 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1341 }
1342
1343 ((void) buf);
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1344 return( 0 );
1345}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1349static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1350 const unsigned char *buf,
1351 size_t len )
1352{
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1353 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1354 len != 0 )
1355 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1356 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1357 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1358 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1359 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardaa0d4d12013-08-03 13:02:31 +0200[diff] [blame]1360 }
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1361
1362 ((void) buf);
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]1363
1364 ssl->handshake->new_session_ticket = 1;
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1365
1366 return( 0 );
1367}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1368#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]1369
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1370#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1371 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1373 const unsigned char *buf,
1374 size_t len )
1375{
1376 size_t list_size;
1377 const unsigned char *p;
1378
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1379 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1380 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1382 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1383 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1384 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1385 }
Philippe Antoine747fd532018-05-30 09:13:21 +0200[diff] [blame]1386 list_size = buf[0];
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1387
Manuel Pégourié-Gonnardfd35af12014-06-23 14:10:13 +0200[diff] [blame]1388 p = buf + 1;
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1389 while( list_size > 0 )
1390 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1392 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1393 {
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1394#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
Manuel Pégourié-Gonnard5734b2d2013-08-15 19:04:02 +0200[diff] [blame]1395 ssl->handshake->ecdh_ctx.point_format = p[0];
Gilles Peskine064a85c2017-05-10 10:46:40 +0200[diff] [blame]1396#endif
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1397#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]1398 ssl->handshake->ecjpake_ctx.point_format = p[0];
1399#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1400 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1401 return( 0 );
1402 }
1403
1404 list_size--;
1405 p++;
1406 }
1407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1409 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1410 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1412}
Darryl Green11999bb2018-03-13 15:22:58 +0000[diff] [blame]1413#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]1414 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]1415
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1416#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1417static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1418 const unsigned char *buf,
1419 size_t len )
1420{
1421 int ret;
1422
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1423 if( mbedtls_ssl_suite_get_key_exchange(
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]1424 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
1425 != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1426 {
1427 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1428 return( 0 );
1429 }
1430
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]1431 /* If we got here, we no longer need our cached extension */
1432 mbedtls_free( ssl->handshake->ecjpake_cache );
1433 ssl->handshake->ecjpake_cache = NULL;
1434 ssl->handshake->ecjpake_cache_len = 0;
1435
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1436 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1437 buf, len ) ) != 0 )
1438 {
1439 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1440 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1441 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]1442 return( ret );
1443 }
1444
1445 return( 0 );
1446}
1447#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1448
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1449#if defined(MBEDTLS_SSL_ALPN)
1450static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1451 const unsigned char *buf, size_t len )
1452{
1453 size_t list_len, name_len;
1454 const char **p;
1455
1456 /* If we didn't send it, the server shouldn't send it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1457 if( ssl->conf->alpn_list == NULL )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1458 {
1459 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1460 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1461 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1462 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1463 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1464
1465 /*
1466 * opaque ProtocolName<1..2^8-1>;
1467 *
1468 * struct {
1469 * ProtocolName protocol_name_list<2..2^16-1>
1470 * } ProtocolNameList;
1471 *
1472 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1473 */
1474
1475 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1476 if( len < 4 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1477 {
1478 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1479 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1480 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1481 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1482
1483 list_len = ( buf[0] << 8 ) | buf[1];
1484 if( list_len != len - 2 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1485 {
1486 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1487 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1488 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1489 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1490
1491 name_len = buf[2];
1492 if( name_len != list_len - 1 )
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1493 {
1494 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1495 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1496 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1497 }
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1498
1499 /* Check that the server chosen protocol was in our list and save it */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1500 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1501 {
1502 if( name_len == strlen( *p ) &&
1503 memcmp( buf + 3, *p, name_len ) == 0 )
1504 {
1505 ssl->alpn_chosen = *p;
1506 return( 0 );
1507 }
1508 }
1509
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]1511 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1512 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1514}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1515#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]1516
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1517/*
1518 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1519 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1520#if defined(MBEDTLS_SSL_PROTO_DTLS)
1521static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1522{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1524 int major_ver, minor_ver;
1525 unsigned char cookie_len;
1526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1527 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1528
1529 /*
1530 * struct {
1531 * ProtocolVersion server_version;
1532 * opaque cookie<0..2^8-1>;
1533 * } HelloVerifyRequest;
1534 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1535 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1536 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1537 p += 2;
1538
Manuel Pégourié-Gonnardb35fe562014-08-09 17:00:46 +0200[diff] [blame]1539 /*
1540 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1541 * even is lower than our min version.
1542 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1544 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1545 major_ver > ssl->conf->max_major_ver ||
1546 minor_ver > ssl->conf->max_minor_ver )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1547 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1550 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1551 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1553 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1554 }
1555
1556 cookie_len = *p++;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1557 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1558
Andres AG5a87c932016-09-26 14:53:05 +0100[diff] [blame]1559 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1560 {
1561 MBEDTLS_SSL_DEBUG_MSG( 1,
1562 ( "cookie length does not match incoming message size" ) );
1563 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1564 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1565 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1566 }
1567
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1568 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1569
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]1570 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1571 if( ssl->handshake->verify_cookie == NULL )
1572 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]1573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]1574 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1575 }
1576
1577 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1578 ssl->handshake->verify_cookie_len = cookie_len;
1579
Manuel Pégourié-Gonnard67427c02014-07-11 13:45:34 +0200[diff] [blame]1580 /* Start over at ClientHello */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1581 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1582 mbedtls_ssl_reset_checksum( ssl );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1584 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]1585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1586 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1587
1588 return( 0 );
1589}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1590#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1592static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1593{
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1594 int ret, i;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1595 size_t n;
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1596 size_t ext_len;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1597 unsigned char *buf, *ext;
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1598 unsigned char comp;
1599#if defined(MBEDTLS_ZLIB_SUPPORT)
1600 int accept_comp;
1601#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1602#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1603 int renegotiation_info_seen = 0;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1604#endif
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]1605#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1606 int extended_ms_seen = 0;
1607#endif
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]1608 int handshake_failure = 0;
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1609
1610 /* The ciphersuite chosen by the server. */
1611 mbedtls_ssl_ciphersuite_handle_t server_suite_info;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1612
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1613 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1614
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]1615 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1616 {
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1617 /* No alert on a read error. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1618 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1619 return( ret );
1620 }
1621
Hanno Beckerf5970a02019-05-08 09:38:41 +0100[diff] [blame]1622 buf = ssl->in_msg;
1623
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1624 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1625 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1626#if defined(MBEDTLS_SSL_RENEGOTIATION)
1627 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1628 {
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1629 ssl->renego_records_seen++;
1630
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1631 if( ssl->conf->renego_max_records >= 0 &&
1632 ssl->renego_records_seen > ssl->conf->renego_max_records )
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1633 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1635 "but not honored by server" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard44ade652014-08-19 13:58:40 +0200[diff] [blame]1637 }
1638
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]1640
1641 ssl->keep_current_message = 1;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1642 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1643 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1644#endif /* MBEDTLS_SSL_RENEGOTIATION */
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1646 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1647 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1648 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1649 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1650 }
1651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1652#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]1653 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1654 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1656 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1658 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1659 return( ssl_parse_hello_verify_request( ssl ) );
1660 }
1661 else
1662 {
1663 /* We made it through the verification process */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1664 mbedtls_free( ssl->handshake->verify_cookie );
Manuel Pégourié-Gonnard74848812014-07-11 02:43:49 +0200[diff] [blame]1665 ssl->handshake->verify_cookie = NULL;
1666 ssl->handshake->verify_cookie_len = 0;
1667 }
1668 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1669#endif /* MBEDTLS_SSL_PROTO_DTLS */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1672 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1673 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1674 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1675 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1676 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1677 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 }
1679
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1680 /*
1681 * 0 . 1 server_version
1682 * 2 . 33 random (maybe including 4 bytes of Unix time)
1683 * 34 . 34 session_id length = n
1684 * 35 . 34+n session_id
1685 * 35+n . 36+n cipher_suite
1686 * 37+n . 37+n compression_method
1687 *
1688 * 38+n . 39+n extensions length (optional)
1689 * 40+n . .. extensions
1690 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1691 buf += mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1692
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1693 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1694 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1695 ssl->conf->transport, buf + 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1697 if( ssl->major_ver < ssl->conf->min_major_ver ||
1698 ssl->minor_ver < ssl->conf->min_minor_ver ||
1699 ssl->major_ver > ssl->conf->max_major_ver ||
1700 ssl->minor_ver > ssl->conf->max_minor_ver )
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1701 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1702 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1703 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1704 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Manuel Pégourié-Gonnardabc7e3b2014-02-11 18:15:03 +0100[diff] [blame]1705 ssl->major_ver, ssl->minor_ver,
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]1706 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1708 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1709 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1711 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Paul Bakker1d29fb52012-09-28 13:28:45 +0000[diff] [blame]1712 }
1713
Andres Amaya Garcia6bce9cb2017-09-06 15:33:34 +0100[diff] [blame]1714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1715 ( (uint32_t) buf[2] << 24 ) |
1716 ( (uint32_t) buf[3] << 16 ) |
1717 ( (uint32_t) buf[4] << 8 ) |
1718 ( (uint32_t) buf[5] ) ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1720 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1721
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1722 n = buf[34];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1724 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1725
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1726 if( n > 32 )
1727 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1729 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1730 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1731 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1732 }
1733
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1734 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1735 {
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1736 ext_len = ( ( buf[38 + n] << 8 )
1737 | ( buf[39 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1738
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1739 if( ( ext_len > 0 && ext_len < 4 ) ||
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1740 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1741 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1743 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1744 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1745 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1746 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747 }
Manuel Pégourié-Gonnarda6e5bd52015-07-23 12:14:13 +0200[diff] [blame]1748 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1749 {
1750 ext_len = 0;
1751 }
1752 else
1753 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1754 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1755 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1756 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1757 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Manuel Pégourié-Gonnardf7cdbc02014-10-17 17:02:10 +0200[diff] [blame]1758 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1759
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1760 /* ciphersuite (used later) */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1761 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1762
1763 /*
1764 * Read and check compression
1765 */
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1766 comp = buf[37 + n];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1768#if defined(MBEDTLS_ZLIB_SUPPORT)
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1769 /* See comments in ssl_write_client_hello() */
Manuel Pégourié-Gonnardff4bd9f2019-06-06 10:34:48 +0200[diff] [blame]1770 accept_comp = MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1771
Manuel Pégourié-Gonnard1cf7b302015-06-24 22:28:19 +0200[diff] [blame]1772 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1773 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1774#else /* MBEDTLS_ZLIB_SUPPORT */
1775 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1776#endif/* MBEDTLS_ZLIB_SUPPORT */
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1777 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1779 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1780 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1781 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +0200[diff] [blame]1782 }
1783
Paul Bakker380da532012-04-18 16:10:25 +0000[diff] [blame]1784 /*
1785 * Initialize update checksum functions
1786 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1787 server_suite_info = mbedtls_ssl_ciphersuite_from_id( i );
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1788#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1789 ssl->handshake->ciphersuite_info = server_suite_info;
1790#endif
1791 if( server_suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1792 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1794 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1795 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1796 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker68884e32013-01-07 18:20:04 +0100[diff] [blame]1797 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1798 mbedtls_ssl_optimize_checksum( ssl, server_suite_info );
Manuel Pégourié-Gonnard3c599f12014-03-10 13:25:07 +0100[diff] [blame]1799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1800 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1801 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802
1803 /*
1804 * Check if the session can be resumed
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1805 *
1806 * We're only resuming a session if it was requested (handshake->resume
1807 * already set to 1 by mbedtls_ssl_set_session()), and further conditions
1808 * are satisfied (not renegotiating, ID and ciphersuite match, etc).
1809 *
1810 * Update handshake->resume to the value it will keep for the rest of the
1811 * handshake, and that will be used to determine the relative order
1812 * client/server last flights, as well as in handshake_wrapup().
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813 */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1814#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
1815 if( n == 0 ||
Manuel Pégourié-Gonnard754b9f32019-07-01 12:20:54 +0200[diff] [blame]1816 mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Hanno Beckere02758c2019-06-26 15:31:31 +0100[diff] [blame]1817 mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) != i ||
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1818 ssl->session_negotiate->compression != comp ||
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]1819 ssl->session_negotiate->id_len != n ||
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1820 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1821 {
Paul Bakker0a597072012-09-25 21:55:46 +0000[diff] [blame]1822 ssl->handshake->resume = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823 }
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1824#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
1825
1826 if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1827 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1828 /* Resume a session */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1829 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1832 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1833 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1834 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1835 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1836 return( ret );
1837 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838 }
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1839 else
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1840 {
Manuel Pégourié-Gonnard93c82622019-07-01 12:47:27 +0200[diff] [blame]1841 /* Start a new session */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1842 ssl->state++;
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1843#if defined(MBEDTLS_HAVE_TIME)
1844 ssl->session_negotiate->start = mbedtls_time( NULL );
1845#endif
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1846#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1847 ssl->session_negotiate->ciphersuite = i;
Hanno Becker73f4cb12019-06-27 13:51:07 +0100[diff] [blame]1848#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1849 ssl->session_negotiate->compression = comp;
1850 ssl->session_negotiate->id_len = n;
1851 memcpy( ssl->session_negotiate->id, buf + 35, n );
1852 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1854 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Manuel Pégourié-Gonnard3652e992019-07-01 12:09:22 +0200[diff] [blame]1855 mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856
Manuel Pégourié-Gonnard60884a12015-09-16 11:13:41 +0200[diff] [blame]1857 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859
Andrzej Kurek03bac442018-04-25 05:06:07 -0400[diff] [blame]1860 /*
1861 * Perform cipher suite validation in same way as in ssl_write_client_hello.
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1862 */
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1863 MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
1864 ssl->minor_ver,
1865 ciphersuite_info )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1866 {
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1867 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1868 ssl->conf->min_minor_ver,
1869 ssl->conf->max_minor_ver ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1870 {
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]1871 continue;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872 }
1873
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1874 if( ciphersuite_info != server_suite_info )
Hanno Beckerf4d6b492019-07-02 17:13:14 +0100[diff] [blame]1875 continue;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1877 goto server_picked_valid_suite;
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1878 }
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1879 MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
1880
1881 /* If we reach this code-path, the server's chosen ciphersuite
1882 * wasn't among those advertised by us. */
1883 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1884 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1885 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1886 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1887
1888server_picked_valid_suite:
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1889
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1891 mbedtls_ssl_suite_get_name( server_suite_info ) ) );
Mohammad Azim Khan1d3b5082018-04-18 19:35:00 +0100[diff] [blame]1892
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1893#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Hanno Becker14990272019-06-26 11:47:15 +0100[diff] [blame]1894 if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]1895 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
Manuel Pégourié-Gonnardda19f4c2018-06-12 12:40:54 +0200[diff] [blame]1896 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1897 {
1898 ssl->handshake->ecrs_enabled = 1;
1899 }
1900#endif
1901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1902 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1903#if defined(MBEDTLS_ZLIB_SUPPORT)
1904 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Paul Bakker2770fbd2012-07-03 13:30:23 +0000[diff] [blame]1905#endif
1906 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1907 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1909 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1910 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 }
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1913 ssl->session_negotiate->compression = comp;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914
Manuel Pégourié-Gonnard0b3400d2014-09-10 21:23:41 +0200[diff] [blame]1915 ext = buf + 40 + n;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1917 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Manuel Pégourié-Gonnarda0528492013-07-16 17:26:28 +0200[diff] [blame]1918
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1919 while( ext_len )
1920 {
1921 unsigned int ext_id = ( ( ext[0] << 8 )
1922 | ( ext[1] ) );
1923 unsigned int ext_size = ( ( ext[2] << 8 )
1924 | ( ext[3] ) );
1925
1926 if( ext_size + 4 > ext_len )
1927 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1928 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1929 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1930 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1931 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1932 }
1933
1934 switch( ext_id )
1935 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1936 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1937 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1938#if defined(MBEDTLS_SSL_RENEGOTIATION)
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1939 renegotiation_info_seen = 1;
Manuel Pégourié-Gonnardeaecbd32014-11-06 02:38:02 +0100[diff] [blame]1940#endif
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1941
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1942 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1943 ext_size ) ) != 0 )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]1944 return( ret );
1945
1946 break;
1947
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1948#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1949 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1950 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1951
1952 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1953 ext + 4, ext_size ) ) != 0 )
1954 {
1955 return( ret );
1956 }
1957
1958 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1959#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Manuel Pégourié-Gonnardde600e52013-07-17 10:14:38 +0200[diff] [blame]1960
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1961#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1962 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1963 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1964
1965 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1966 ext + 4, ext_size ) ) != 0 )
1967 {
1968 return( ret );
1969 }
1970
1971 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1972#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Manuel Pégourié-Gonnard57c28522013-07-19 11:41:43 +0200[diff] [blame]1973
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1974#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1975 case MBEDTLS_TLS_EXT_CID:
1976 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
1977
1978 if( ( ret = ssl_parse_cid_ext( ssl,
1979 ext + 4,
1980 ext_size ) ) != 0 )
1981 {
1982 return( ret );
1983 }
1984
1985 break;
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1986#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
Hanno Becker1ba81f62019-04-26 15:37:26 +0100[diff] [blame]1987
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1988#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1989 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1990 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1991
1992 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1993 ext + 4, ext_size ) ) != 0 )
1994 {
1995 return( ret );
1996 }
1997
1998 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1999#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2000
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2001#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2002 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2003 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2004
2005 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2006 ext + 4, ext_size ) ) != 0 )
2007 {
2008 return( ret );
2009 }
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2010 extended_ms_seen = 1;
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2011
2012 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2013#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2014
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2015#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2016 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2018
2019 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2020 ext + 4, ext_size ) ) != 0 )
2021 {
2022 return( ret );
2023 }
2024
2025 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2026#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnard60182ef2013-08-02 14:44:54 +0200[diff] [blame]2027
Robert Cragie136884c2015-10-02 13:34:31 +0100[diff] [blame]2028#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2029 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2030 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2031 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2032
2033 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2034 ext + 4, ext_size ) ) != 0 )
2035 {
2036 return( ret );
2037 }
2038
2039 break;
Robert Cragieae8535d2015-10-06 17:11:18 +0100[diff] [blame]2040#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2041 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Manuel Pégourié-Gonnard7b19c162013-08-15 18:01:11 +0200[diff] [blame]2042
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]2043#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2044 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2045 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2046
2047 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2048 ext + 4, ext_size ) ) != 0 )
2049 {
2050 return( ret );
2051 }
2052
2053 break;
2054#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056#if defined(MBEDTLS_SSL_ALPN)
2057 case MBEDTLS_TLS_EXT_ALPN:
2058 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2059
2060 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2061 return( ret );
2062
2063 break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2064#endif /* MBEDTLS_SSL_ALPN */
Manuel Pégourié-Gonnard0b874dc2014-04-07 10:57:45 +0200[diff] [blame]2065
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2066 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2067 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2068 ext_id ) );
2069 }
2070
2071 ext_len -= 4 + ext_size;
2072 ext += 4 + ext_size;
2073
2074 if( ext_len > 0 && ext_len < 4 )
2075 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2077 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2078 }
2079 }
2080
2081 /*
2082 * Renegotiation security checks
2083 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2084 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2085 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2086 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2087 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2089 handshake_failure = 1;
2090 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2091#if defined(MBEDTLS_SSL_RENEGOTIATION)
2092 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2093 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2094 renegotiation_info_seen == 0 )
2095 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2096 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2097 handshake_failure = 1;
2098 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2099 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2100 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]2101 mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
2102 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2103 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2105 handshake_failure = 1;
2106 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2107 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2108 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2109 renegotiation_info_seen == 1 )
2110 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2111 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2112 handshake_failure = 1;
2113 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114#endif /* MBEDTLS_SSL_RENEGOTIATION */
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2115
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2116 /*
2117 * Check if extended master secret is being enforced
2118 */
2119#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Hanno Beckeraabbb582019-06-11 13:43:27 +0100[diff] [blame]2120 if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2121 MBEDTLS_SSL_EXTENDED_MS_ENABLED )
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2122 {
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2123 if( extended_ms_seen )
2124 {
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2125#if !defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2126 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
Hanno Becker1ab322b2019-06-11 14:50:54 +0100[diff] [blame]2127#endif /* !MBEDTLS_SSL_EXTENDED_MS_ENFORCED */
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2128 }
2129 else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
2130 MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
2131 {
2132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2133 "secret, while it is enforced") );
Hanno Becker03b64fa2019-06-11 14:39:38 +0100[diff] [blame]2134 handshake_failure = 1;
2135 }
Jarno Lamsa842be162019-06-10 15:05:33 +0300[diff] [blame]2136 }
2137#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2138
Paul Bakkerd0f6fa72012-09-17 09:18:12 +0000[diff] [blame]2139 if( handshake_failure == 1 )
2140 {
Gilles Peskinec94f7352017-05-10 16:37:56 +0200[diff] [blame]2141 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2142 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2143 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]2144 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2145
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2146 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2147
2148 return( 0 );
2149}
2150
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2151#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2152 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2153static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2154 unsigned char *end )
2155{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2156 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2157
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2158 /*
2159 * Ephemeral DH parameters:
2160 *
2161 * struct {
2162 * opaque dh_p<1..2^16-1>;
2163 * opaque dh_g<1..2^16-1>;
2164 * opaque dh_Ys<1..2^16-1>;
2165 * } ServerDHParams;
2166 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2167 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2168 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2169 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2170 return( ret );
2171 }
2172
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2173 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2174 {
Manuel Pégourié-Gonnardbd990d62015-06-11 14:49:42 +0200[diff] [blame]2175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2176 ssl->handshake->dhm_ctx.len * 8,
2177 ssl->conf->dhm_min_bitlen ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2178 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2179 }
2180
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2181 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2182 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2183 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2184
2185 return( ret );
2186}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2187#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2188 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2189
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2190#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2191 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2192 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2193 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2194 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2195static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2196{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2197 const mbedtls_ecp_curve_info *curve_info;
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2198 mbedtls_ecp_group_id grp_id;
2199#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2200 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2201#else
2202 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2203#endif
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2204
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2205 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2206 if( curve_info == NULL )
2207 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2209 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardc3f6b62c2014-02-06 10:13:09 +0100[diff] [blame]2210 }
2211
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2213
Manuel Pégourié-Gonnardb541da62015-06-17 11:43:30 +0200[diff] [blame]2214#if defined(MBEDTLS_ECP_C)
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2215 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2216#else
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2217 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2218 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2219#endif
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2220 return( -1 );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2221
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]2222 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2223 MBEDTLS_DEBUG_ECDH_QP );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2224
2225 return( 0 );
2226}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2227#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2228 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2229 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2230 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2231 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2232
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2234 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2235 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2236static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2237 unsigned char **p,
2238 unsigned char *end )
2239{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2240 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2241
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2242 /*
2243 * Ephemeral ECDH parameters:
2244 *
2245 * struct {
2246 * ECParameters curve_params;
2247 * ECPoint public;
2248 * } ServerECDHParams;
2249 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2250 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2251 (const unsigned char **) p, end ) ) != 0 )
2252 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2253 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2254#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnard1c1c20e2018-09-12 10:34:43 +0200[diff] [blame]2255 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2256 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2257#endif
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2258 return( ret );
2259 }
2260
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2261 if( ssl_check_server_ecdh_params( ssl ) != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2262 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2264 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2265 }
2266
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2267 return( ret );
2268}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2270 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2271 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2273#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2274static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2275 unsigned char **p,
2276 unsigned char *end )
2277{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2278 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2279 size_t len;
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2280 ((void) ssl);
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2281
2282 /*
2283 * PSK parameters:
2284 *
2285 * opaque psk_identity_hint<0..2^16-1>;
2286 */
Hanno Becker0c161d12018-10-08 13:40:50 +0100[diff] [blame]2287 if( end - (*p) < 2 )
Krzysztof Stachowiak740b2182018-03-13 11:31:14 +0100[diff] [blame]2288 {
2289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2290 "(psk_identity_hint length)" ) );
2291 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2292 }
Manuel Pégourié-Gonnard59b9fe22013-10-15 11:55:33 +0200[diff] [blame]2293 len = (*p)[0] << 8 | (*p)[1];
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2294 *p += 2;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2295
Hanno Becker8df10232018-10-10 15:48:39 +0100[diff] [blame]2296 if( end - (*p) < (int) len )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2297 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]2298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2299 "(psk_identity_hint length)" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2300 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2301 }
2302
Manuel Pégourié-Gonnard9d624122016-02-22 11:10:14 +0100[diff] [blame]2303 /*
2304 * Note: we currently ignore the PKS identity hint, as we only allow one
2305 * PSK to be provisionned on the client. This could be changed later if
2306 * someone needs that feature.
2307 */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2308 *p += len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2309 ret = 0;
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2310
2311 return( ret );
2312}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2313#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2315#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2316 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2317/*
2318 * Generate a pre-master secret and encrypt it with the server's RSA key
2319 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2320static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2321 size_t offset, size_t *olen,
2322 size_t pms_offset )
2323{
2324 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2325 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2326 unsigned char *p = ssl->handshake->premaster + pms_offset;
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2327 mbedtls_pk_context *peer_pk = NULL;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2328
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2329 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]2330 {
2331 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2332 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2333 }
2334
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2335 /*
2336 * Generate (part of) the pre-master as
2337 * struct {
2338 * ProtocolVersion client_version;
2339 * opaque random[46];
2340 * } PreMasterSecret;
2341 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]2342 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2343 ssl->conf->transport, p );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2344
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2345 if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
2346 ( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2347 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2348 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2349 return( ret );
2350 }
2351
2352 ssl->handshake->pmslen = 48;
2353
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2354#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2355 /* Because the peer CRT pubkey is embedded into the handshake
2356 * params currently, and there's no 'is_init' functions for PK
2357 * contexts, we need to break the abstraction and peek into
2358 * the PK context to see if it has been initialized. */
2359 if( ssl->handshake->peer_pubkey.pk_info != NULL )
2360 peer_pk = &ssl->handshake->peer_pubkey;
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2361#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2362 if( ssl->session_negotiate->peer_cert != NULL )
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2363 {
2364 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2365 &peer_pk );
2366 if( ret != 0 )
2367 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2368 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2369 return( ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2370 }
2371 }
Hanno Becker5882dd02019-06-06 16:25:57 +0100[diff] [blame]2372#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2373
2374 if( peer_pk == NULL )
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2375 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2376 /* Should never happen */
Hanno Beckere9839c02019-02-26 11:51:06 +0000[diff] [blame]2377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2378 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2379 }
2380
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2381 /*
2382 * Now write it out, encrypted
2383 */
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2384 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2385 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2387 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2388 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2389 }
2390
Hanno Becker374800a2019-02-06 16:49:54 +0000[diff] [blame]2391 if( ( ret = mbedtls_pk_encrypt( peer_pk,
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2392 p, ssl->handshake->pmslen,
2393 ssl->out_msg + offset + len_bytes, olen,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]2394 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]2395 mbedtls_ssl_conf_get_frng( ssl->conf ),
2396 ssl->conf->p_rng ) ) != 0 )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2397 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2399 goto cleanup;
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2400 }
2401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2402#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2403 defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2404 if( len_bytes == 2 )
2405 {
2406 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2407 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2408 *olen += 2;
2409 }
2410#endif
2411
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2412cleanup:
2413
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2414#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2415 /* We don't need the peer's public key anymore. Free it. */
2416 mbedtls_pk_free( peer_pk );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2417#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2418 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker0c168162019-02-28 14:02:30 +0000[diff] [blame]2419#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2420
2421 return( ret );
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]2422}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2423#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2424 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2425
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2426#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2427#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2428 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2429 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2430static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2431 unsigned char **p,
2432 unsigned char *end,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2433 mbedtls_md_type_t *md_alg,
2434 mbedtls_pk_type_t *pk_alg )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2435{
Paul Bakkerc5a79cc2013-06-26 15:08:35 +0200[diff] [blame]2436 ((void) ssl);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2437 *md_alg = MBEDTLS_MD_NONE;
2438 *pk_alg = MBEDTLS_PK_NONE;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2439
2440 /* Only in TLS 1.2 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2441 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2442 {
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2443 return( 0 );
2444 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2445
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2446 if( (*p) + 2 > end )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2447 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2448
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2449 /*
2450 * Get hash algorithm
2451 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2452 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2453 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2455 "HashAlgorithm %d", *(p)[0] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2456 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2457 }
2458
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2459 /*
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2460 * Get signature algorithm
2461 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2462 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2463 {
Manuel Pégourié-Gonnardd8053242015-12-08 09:53:51 +0100[diff] [blame]2464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
Manuel Pégourié-Gonnarda20c58c2013-08-22 13:52:48 +0200[diff] [blame]2465 "SignatureAlgorithm %d", (*p)[1] ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2466 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2467 }
2468
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2469 /*
2470 * Check if the hash is acceptable
2471 */
2472 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2473 {
Gilles Peskinecd3c8452017-05-09 14:57:45 +0200[diff] [blame]2474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2475 *(p)[0] ) );
Manuel Pégourié-Gonnard7bfc1222015-06-17 14:34:48 +0200[diff] [blame]2476 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2477 }
2478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2479 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2480 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2481 *p += 2;
2482
2483 return( 0 );
2484}
Manuel Pégourié-Gonnard5c2a7ca2015-10-23 08:48:41 +0200[diff] [blame]2485#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2486 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2487 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2488#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2490#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2491 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2492static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2493{
2494 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2495 const mbedtls_ecp_keypair *peer_key;
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2496 mbedtls_pk_context * peer_pk;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2497
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2498#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2499 peer_pk = &ssl->handshake->peer_pubkey;
2500#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2501 if( ssl->session_negotiate->peer_cert == NULL )
2502 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2503 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2504 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2505 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2506 }
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2507
2508 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2509 &peer_pk );
2510 if( ret != 0 )
2511 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2512 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2513 return( ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2514 }
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2515#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2516
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2517 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2518 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2520 ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2521 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2522 }
2523
Hanno Becker53b6b7e2019-02-06 17:44:07 +0000[diff] [blame]2524 peer_key = mbedtls_pk_ec( *peer_pk );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2526 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2527 MBEDTLS_ECDH_THEIRS ) ) != 0 )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2528 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2529 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2530 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2531 }
2532
2533 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2534 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2535 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2536 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
2537 goto cleanup;
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2538 }
2539
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2540cleanup:
2541
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2542#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2543 /* We don't need the peer's public key anymore. Free it,
2544 * so that more RAM is available for upcoming expensive
2545 * operations like ECDHE. */
2546 mbedtls_pk_free( peer_pk );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2547#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2548 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker39ae65c2019-02-28 14:03:20 +0000[diff] [blame]2549#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2550
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2551 return( ret );
2552}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2553#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2554 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2555
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2556static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2557{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]2558 int ret;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2559 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2560 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Andres Amaya Garcia53c77cc2017-06-27 16:15:06 +0100[diff] [blame]2561 unsigned char *p = NULL, *end = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2563 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2565#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2566 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2567 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2568 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2569 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2570 ssl->state++;
2571 return( 0 );
2572 }
Manuel Pégourié-Gonnardbac0e3b2013-10-15 11:54:47 +0200[diff] [blame]2573 ((void) p);
2574 ((void) end);
2575#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2577#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2578 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2579 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2580 MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2581 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
2582 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2583 {
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2584 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2585 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2586 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2587 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2588 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Manuel Pégourié-Gonnardab240102014-02-04 16:18:07 +0100[diff] [blame]2589 return( ret );
2590 }
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2592 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2593 ssl->state++;
2594 return( 0 );
2595 }
2596 ((void) p);
2597 ((void) end);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2598#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2599 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Manuel Pégourié-Gonnardd18cc572013-12-11 17:45:46 +0100[diff] [blame]2600
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2601#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2602 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2603 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2604 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2605 goto start_processing;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2606 }
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2607#endif
2608
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2609 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2610 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2611 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2612 return( ret );
2613 }
2614
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2615 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2616 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2617 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2618 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2619 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2620 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2621 }
2622
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2623 /*
2624 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2625 * doesn't use a psk_identity_hint
2626 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2627 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2628 {
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2629 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2630 == MBEDTLS_KEY_EXCHANGE_PSK ||
2631 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2632 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2633 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2634 /* Current message is probably either
2635 * CertificateRequest or ServerHelloDone */
2636 ssl->keep_current_message = 1;
Paul Bakker188c8de2013-04-19 09:13:37 +0200[diff] [blame]2637 goto exit;
2638 }
2639
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2641 "not be skipped" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2642 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2643 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2645 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2646 }
2647
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]2648#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2649 if( ssl->handshake->ecrs_enabled )
2650 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2651
2652start_processing:
2653#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2654 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2655 end = ssl->in_msg + ssl->in_hslen;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2656 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
Paul Bakker3b6a07b2013-03-21 11:56:50 +0100[diff] [blame]2657
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2658#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2659 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2660 == MBEDTLS_KEY_EXCHANGE_PSK ||
2661 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2662 == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2663 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2664 == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2665 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2666 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2667 {
2668 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2669 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2671 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2672 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2673 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2674 }
2675 } /* FALLTROUGH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2676#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2678#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2679 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2680 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2681 == MBEDTLS_KEY_EXCHANGE_PSK ||
2682 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2683 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2684 {
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2685 ; /* nothing more to do */
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2686 }
Manuel Pégourié-Gonnard09258b92013-10-15 10:43:36 +0200[diff] [blame]2687 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2688#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2689 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2690#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2691 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2692 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2693 == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2694 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2695 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2696 {
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2697 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2699 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2700 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2701 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2702 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2703 }
2704 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2705 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2706#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2707 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2708#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2709 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2710 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2711 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2712 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2713 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2714 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2715 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2716 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2717 {
2718 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2719 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2721 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2722 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2723 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2724 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2725 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2726 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2727#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2728 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2729 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2730#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2731 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
2732 == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2733 {
2734 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2735 p, end - p );
2736 if( ret != 0 )
2737 {
2738 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2739 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2740 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]2741 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2742 }
2743 }
2744 else
2745#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2746 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2748 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]2749 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2750
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2751#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2752 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2753 {
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2754 size_t sig_len, hashlen;
2755 unsigned char hash[64];
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2756 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2757 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2758 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnardd92d6a12014-09-10 15:25:02 +0000[diff] [blame]2759 size_t params_len = p - params;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2760 void *rs_ctx = NULL;
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2761
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2762 mbedtls_pk_context * peer_pk;
2763
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2764 /*
2765 * Handle the digitally-signed structure
2766 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2767#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2768 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2769 {
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2770 if( ssl_parse_signature_algorithm( ssl, &p, end,
2771 &md_alg, &pk_alg ) != 0 )
2772 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2774 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2775 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2776 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2777 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2778
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2779 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2780 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2781 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2782 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2783 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2784 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2785 }
2786 }
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2787 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2788#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2789#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2790 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2791 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
Manuel Pégourié-Gonnard09edda82013-08-19 13:50:33 +0200[diff] [blame]2792 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2793 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2794
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2795 /* Default hash for ECDSA is SHA-1 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2796 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2797 md_alg = MBEDTLS_MD_SHA1;
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2798 }
2799 else
2800#endif
2801 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2802 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2803 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker9659dae2013-08-28 16:21:34 +0200[diff] [blame]2804 }
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2805
2806 /*
2807 * Read signature
2808 */
Krzysztof Stachowiaka1098f82018-03-13 11:28:49 +0100[diff] [blame]2809
2810 if( p > end - 2 )
2811 {
2812 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2813 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2814 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2815 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2816 }
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2817 sig_len = ( p[0] << 8 ) | p[1];
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2818 p += 2;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]2819
Krzysztof Stachowiak027f84c2018-03-13 11:29:24 +0100[diff] [blame]2820 if( p != end - sig_len )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2821 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2823 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2824 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2825 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]2826 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2827
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2828 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
Manuel Pégourié-Gonnardff56da32013-07-11 10:46:21 +0200[diff] [blame]2829
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2830 /*
2831 * Compute the hash that has been signed
2832 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2833#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2834 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2835 if( md_alg == MBEDTLS_MD_NONE )
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2836 {
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]2837 hashlen = 36;
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2838 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2839 params_len );
2840 if( ret != 0 )
Andres Amaya Garciaf0e521e2017-06-28 12:11:42 +0100[diff] [blame]2841 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2842 }
2843 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2844#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2845 MBEDTLS_SSL_PROTO_TLS1_1 */
2846#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2847 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2848 if( md_alg != MBEDTLS_MD_NONE )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2849 {
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2850 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2851 params, params_len,
2852 md_alg );
Andres Amaya Garcia46f5a3e2017-07-20 16:17:51 +0100[diff] [blame]2853 if( ret != 0 )
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2854 return( ret );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2855 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2856 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2857#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2858 MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2859 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2861 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]2862 }
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2863
Gilles Peskineca1d7422018-04-24 11:53:22 +0200[diff] [blame]2864 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
Paul Bakker29e1f122013-04-16 13:07:56 +0200[diff] [blame]2865
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2866#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2867 peer_pk = &ssl->handshake->peer_pubkey;
2868#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2869 if( ssl->session_negotiate->peer_cert == NULL )
2870 {
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2871 /* Should never happen */
Hanno Beckerc39e23e2019-02-26 12:36:01 +0000[diff] [blame]2872 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
Hanno Beckerf02d5502019-02-06 17:37:32 +0000[diff] [blame]2873 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2874 }
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2875
2876 ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
2877 &peer_pk );
2878 if( ret != 0 )
2879 {
Hanno Becker2224ccf2019-06-28 10:52:45 +0100[diff] [blame]2880 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
2881 return( ret );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2882 }
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2883#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard7f2f0622015-09-03 10:44:32 +0200[diff] [blame]2884
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2885 /*
2886 * Verify signature
2887 */
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2888 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2889 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2890 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2891 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2892 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2893#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2894 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2895#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2896 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2897 }
2898
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2899#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]2900 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]2901 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2902#endif
2903
Hanno Becker69fad132019-02-06 18:26:03 +0000[diff] [blame]2904 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2905 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnardefebb0a2013-08-19 12:06:38 +0200[diff] [blame]2906 {
Manuel Pégourié-Gonnard1f1f2a12017-05-18 11:27:06 +0200[diff] [blame]2907#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2908 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2909#endif
2910 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2911 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2912 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]2913#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2914 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2915 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2916#endif
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2917#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2918 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2919#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakkerc70b9822013-04-07 22:00:46 +0200[diff] [blame]2920 return( ret );
Paul Bakkerc3f177a2012-04-11 16:11:49 +0000[diff] [blame]2921 }
Hanno Becker6c83db72019-02-08 14:06:00 +0000[diff] [blame]2922
2923#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2924 /* We don't need the peer's public key anymore. Free it,
2925 * so that more RAM is available for upcoming expensive
2926 * operations like ECDHE. */
2927 mbedtls_pk_free( peer_pk );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2928#else
Hanno Beckerc6d1c3e2019-03-05 13:50:56 +0000[diff] [blame]2929 mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert );
Hanno Becker2fefa482019-02-28 14:03:46 +0000[diff] [blame]2930#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2931 }
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2932#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2933
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]2934exit:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2935 ssl->state++;
2936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2937 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2938
2939 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2940}
2941
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2942#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2943static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2944{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2945 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2946 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2947
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2948 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2949
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2950 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2951 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2952 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2953 ssl->state++;
2954 return( 0 );
2955 }
2956
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2957 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2958 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2959}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2960#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2961static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2962{
2963 int ret;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]2964 unsigned char *buf;
2965 size_t n = 0;
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]2966 size_t cert_type_len = 0, dn_len = 0;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]2967 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]2968 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2969
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2970 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2971
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]2972 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2973 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
Manuel Pégourié-Gonnardda1ff382013-11-25 17:38:36 +0100[diff] [blame]2975 ssl->state++;
2976 return( 0 );
2977 }
2978
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]2979 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2980 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2981 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2982 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2983 }
2984
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2985 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2986 {
2987 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2988 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2989 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2990 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2991 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2992
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]2993 ssl->state++;
2994 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2995
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2996 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2997 ssl->client_auth ? "a" : "no" ) );
2998
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]2999 if( ssl->client_auth == 0 )
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3000 {
3001 /* Current message is probably the ServerHelloDone */
3002 ssl->keep_current_message = 1;
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3003 goto exit;
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3004 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3005
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3006 /*
3007 * struct {
3008 * ClientCertificateType certificate_types<1..2^8-1>;
3009 * SignatureAndHashAlgorithm
3010 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3011 * DistinguishedName certificate_authorities<0..2^16-1>;
3012 * } CertificateRequest;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3013 *
3014 * Since we only support a single certificate on clients, let's just
3015 * ignore all the information that's supposed to help us pick a
3016 * certificate.
3017 *
3018 * We could check that our certificate matches the request, and bail out
3019 * if it doesn't, but it's simpler to just send the certificate anyway,
3020 * and give the server the opportunity to decide if it should terminate
3021 * the connection when it doesn't like our certificate.
3022 *
3023 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3024 * point we only have one hash available (see comments in
Simon Butcherc0957bd2016-03-01 13:16:57 +0000[diff] [blame]3025 * write_certificate_verify), so let's just use what we have.
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3026 *
3027 * However, we still minimally parse the message to check it is at least
3028 * superficially sane.
Manuel Pégourié-Gonnard04c1b4e2014-09-10 19:25:43 +0200[diff] [blame]3029 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3030 buf = ssl->in_msg;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3031
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3032 /* certificate_types */
Krzysztof Stachowiak73b183c2018-04-05 10:20:09 +0200[diff] [blame]3033 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3034 {
3035 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3036 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3037 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3038 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3039 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3040 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3041 n = cert_type_len;
3042
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3043 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3044 * In the subsequent code there are two paths that read from buf:
Krzysztof Stachowiakbc145f72018-03-20 11:19:50 +0100[diff] [blame]3045 * * the length of the signature algorithms field (if minor version of
3046 * SSL is 3),
3047 * * distinguished name length otherwise.
3048 * Both reach at most the index:
3049 * ...hdr_len + 2 + n,
3050 * therefore the buffer length at this point must be greater than that
3051 * regardless of the actual code path.
3052 */
3053 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3054 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3056 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3057 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3058 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3059 }
3060
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3061 /* supported_signature_algorithms */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3062#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3063 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3064 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3065 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3066 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3067#if defined(MBEDTLS_DEBUG_C)
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3068 unsigned char* sig_alg;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3069 size_t i;
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3070#endif
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3071
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3072 /*
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3073 * The furthest access in buf is in the loop few lines below:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3074 * sig_alg[i + 1],
3075 * where:
3076 * sig_alg = buf + ...hdr_len + 3 + n,
3077 * max(i) = sig_alg_len - 1.
Krzysztof Stachowiak94d49972018-04-05 14:48:55 +0200[diff] [blame]3078 * Therefore the furthest access is:
Krzysztof Stachowiakbc231cc2018-03-20 14:09:53 +0100[diff] [blame]3079 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3080 * which reduces to:
3081 * buf[...hdr_len + 3 + n + sig_alg_len],
3082 * which is one less than we need the buf to be.
3083 */
3084 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
3085 {
3086 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3087 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3088 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3089 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3090 }
3091
3092#if defined(MBEDTLS_DEBUG_C)
3093 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3094 for( i = 0; i < sig_alg_len; i += 2 )
3095 {
Hanno Becker0d0cd4b2017-05-11 14:06:43 +0100[diff] [blame]3096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
3097 ",%d", sig_alg[i], sig_alg[i + 1] ) );
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3098 }
3099#endif
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3100
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3101 n += 2 + sig_alg_len;
Paul Bakkerf7abd422013-04-16 13:15:56 +0200[diff] [blame]3102 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3103#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3104
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3105 /* certificate_authorities */
3106 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3107 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3108
3109 n += dn_len;
Manuel Pégourié-Gonnardd1b7f2b2016-02-24 14:13:22 +0000[diff] [blame]3110 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3111 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3112 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3113 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3114 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3115 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3116 }
3117
3118exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3119 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3120
3121 return( 0 );
3122}
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3123#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3124
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3125static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3126{
3127 int ret;
3128
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3129 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3130
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3131 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3132 {
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3133 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3134 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3135 }
Hanno Beckeraf0665d2017-05-24 09:16:26 +0100[diff] [blame]3136
3137 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3138 {
3139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3140 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3141 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3142
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3143 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3144 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3145 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3146 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3147 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3148 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3149 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3150 }
3151
3152 ssl->state++;
3153
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3154#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3155 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3156 mbedtls_ssl_recv_flight_completed( ssl );
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3157#endif
3158
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3159 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3160
3161 return( 0 );
3162}
3163
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3164static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3165{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]3166 int ret;
3167 size_t i, n;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3168 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3169 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3170
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3171 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3172
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3173#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3174 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3175 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3176 /*
3177 * DHM key exchange -- send G^X mod P
3178 */
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3179 n = ssl->handshake->dhm_ctx.len;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3180
3181 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3182 ssl->out_msg[5] = (unsigned char)( n );
3183 i = 6;
3184
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3185 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3186 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3187 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3188 mbedtls_ssl_conf_get_frng( ssl->conf ),
3189 ssl->conf->p_rng );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3190 if( ret != 0 )
3191 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3192 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3193 return( ret );
3194 }
3195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3196 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3197 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3199 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3200 ssl->handshake->premaster,
Manuel Pégourié-Gonnard33352052015-06-02 16:17:08 +0100[diff] [blame]3201 MBEDTLS_PREMASTER_SIZE,
Manuel Pégourié-Gonnard2d627642013-09-04 14:22:07 +0200[diff] [blame]3202 &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3203 mbedtls_ssl_conf_get_frng( ssl->conf ),
3204 ssl->conf->p_rng ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3205 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3206 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3207 return( ret );
3208 }
3209
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3210 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3211 }
3212 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3213#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3214#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3215 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3216 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3217 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3218 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3219 == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3220 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3221 == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3222 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3223 == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3224 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3225 == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3226 {
3227 /*
3228 * ECDH key exchange -- send client public value
3229 */
3230 i = 4;
3231
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3232#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3233 if( ssl->handshake->ecrs_enabled )
3234 {
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3235 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3236 goto ecdh_calc_secret;
Manuel Pégourié-Gonnard23e41622017-05-18 12:35:37 +0200[diff] [blame]3237
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3238 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3239 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3240#endif
3241
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3242 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3243 &n,
3244 &ssl->out_msg[i], 1000,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3245 mbedtls_ssl_conf_get_frng( ssl->conf ),
3246 ssl->conf->p_rng );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3247 if( ret != 0 )
3248 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3249 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3250#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3251 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3252 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3253#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3254 return( ret );
3255 }
3256
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3257 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3258 MBEDTLS_DEBUG_ECDH_Q );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3259
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3260#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3261 if( ssl->handshake->ecrs_enabled )
3262 {
3263 ssl->handshake->ecrs_n = n;
Manuel Pégourié-Gonnardc37423f2018-10-16 10:28:17 +0200[diff] [blame]3264 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3265 }
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3266
3267ecdh_calc_secret:
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3268 if( ssl->handshake->ecrs_enabled )
3269 n = ssl->handshake->ecrs_n;
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]3270#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3271 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3272 &ssl->handshake->pmslen,
3273 ssl->handshake->premaster,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3274 MBEDTLS_MPI_MAX_SIZE,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3275 mbedtls_ssl_conf_get_frng( ssl->conf ),
3276 ssl->conf->p_rng ) ) != 0 )
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3277 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3278 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3279#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3280 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3281 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3282#endif
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3283 return( ret );
3284 }
3285
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3286 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3287 MBEDTLS_DEBUG_ECDH_Z );
Paul Bakker41c83d32013-03-20 14:39:14 +0100[diff] [blame]3288 }
3289 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3290#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3291 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3292 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3293 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3294#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
Hanno Becker1aa267c2017-04-28 17:08:27 +0100[diff] [blame]3295 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3296 {
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3297 /*
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3298 * opaque psk_identity<0..2^16-1>;
3299 */
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3300 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3301 {
3302 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3303 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3304 }
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200[diff] [blame]3305
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3306 i = 4;
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3307 n = ssl->conf->psk_identity_len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3308
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3309 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3310 {
3311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3312 "SSL buffer too short" ) );
3313 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3314 }
3315
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3316 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3317 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3318
Manuel Pégourié-Gonnard7ca4e4d2015-05-04 10:55:58 +0200[diff] [blame]3319 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
3320 i += ssl->conf->psk_identity_len;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3322#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3323 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3324 == MBEDTLS_KEY_EXCHANGE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3325 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3326 n = 0;
Manuel Pégourié-Gonnardbd1ae242013-10-14 13:09:25 +0200[diff] [blame]3327 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3328 else
3329#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3330#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3331 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3332 == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3333 {
3334 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3335 return( ret );
3336 }
3337 else
3338#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3339#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3340 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3341 == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3342 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3343 /*
3344 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3345 */
3346 n = ssl->handshake->dhm_ctx.len;
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3347
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3348 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
Manuel Pégourié-Gonnardc6b5d832015-08-27 16:37:35 +0200[diff] [blame]3349 {
3350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3351 " or SSL buffer too short" ) );
3352 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3353 }
3354
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3355 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3356 ssl->out_msg[i++] = (unsigned char)( n );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3358 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3359 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3360 &ssl->out_msg[i], n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3361 mbedtls_ssl_conf_get_frng( ssl->conf ),
3362 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3363 if( ret != 0 )
3364 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3365 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3366 return( ret );
3367 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3368 }
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3369 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3370#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3371#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3372 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
3373 == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3374 {
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3375 /*
3376 * ClientECDiffieHellmanPublic public;
3377 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3378 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3379 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3380 mbedtls_ssl_conf_get_frng( ssl->conf ),
3381 ssl->conf->p_rng );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3382 if( ret != 0 )
3383 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3384 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3385 return( ret );
3386 }
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200[diff] [blame]3387
Janos Follath3fbdada2018-08-15 10:26:53 +0100[diff] [blame]3388 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3389 MBEDTLS_DEBUG_ECDH_Q );
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3390 }
3391 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3392#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Manuel Pégourié-Gonnard72fb62d2013-10-14 14:01:58 +0200[diff] [blame]3393 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3395 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3396 }
3397
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3398 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3399 mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3400 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3401 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3402 return( ret );
3403 }
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3404 }
3405 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3406#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3407#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3408 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3409 MBEDTLS_KEY_EXCHANGE_RSA )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3410 {
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200[diff] [blame]3411 i = 4;
3412 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
Paul Bakkera3d195c2011-11-27 21:07:34 +0000[diff] [blame]3413 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3414 }
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3415 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3416#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3417#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3418 if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
3419 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3420 {
3421 i = 4;
3422
3423 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
Angus Grattond8213d02016-05-25 20:56:48 +1000[diff] [blame]3424 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3425 mbedtls_ssl_conf_get_frng( ssl->conf ),
3426 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3427 if( ret != 0 )
3428 {
3429 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3430 return( ret );
3431 }
3432
3433 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3434 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3435 mbedtls_ssl_conf_get_frng( ssl->conf ),
3436 ssl->conf->p_rng );
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3437 if( ret != 0 )
3438 {
3439 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3440 return( ret );
3441 }
3442 }
3443 else
3444#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3445 {
3446 ((void) ciphersuite_info);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3448 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3449 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3450
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3451 ssl->out_msglen = i + n;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3452 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3453 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3454
3455 ssl->state++;
3456
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3457 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3458 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3459 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3460 return( ret );
3461 }
3462
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3463 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3464
3465 return( 0 );
3466}
3467
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3468#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3469static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3470{
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3471 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3472 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3473 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3474
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3475 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3477 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3478 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3479 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3480 return( ret );
3481 }
3482
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3483 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3484 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3485 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3486 ssl->state++;
3487 return( 0 );
3488 }
3489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3491 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3492}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3493#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3494static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3495{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3496 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3497 mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3498 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3499 size_t n = 0, offset = 0;
3500 unsigned char hash[48];
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3501 unsigned char *hash_start = hash;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3502 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3503 size_t hashlen;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3504 void *rs_ctx = NULL;
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3505
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3506 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3507
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3508#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3509 if( ssl->handshake->ecrs_enabled &&
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3510 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3511 {
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3512 goto sign;
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3513 }
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3514#endif
3515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3516 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3517 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3518 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Manuel Pégourié-Gonnardada30302014-10-20 20:33:10 +0200[diff] [blame]3519 return( ret );
3520 }
3521
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3522 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3523 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3524 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker48f7a5d2013-04-19 14:30:58 +0200[diff] [blame]3525 ssl->state++;
3526 return( 0 );
3527 }
3528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3529 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3530 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3531 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3532 ssl->state++;
3533 return( 0 );
3534 }
3535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3536 if( mbedtls_ssl_own_key( ssl ) == NULL )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3537 {
Manuel Pégourié-Gonnardb4b19f32015-07-07 11:41:21 +0200[diff] [blame]3538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3539 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3540 }
3541
3542 /*
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3543 * Make a signature of the handshake digests
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3544 */
Manuel Pégourié-Gonnard0b23f162017-08-24 12:08:33 +0200[diff] [blame]3545#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3546 if( ssl->handshake->ecrs_enabled )
3547 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3548
3549sign:
3550#endif
3551
Manuel Pégourié-Gonnarda5759752019-05-03 11:43:28 +0200[diff] [blame]3552 ssl->handshake->calc_verify( ssl, hash, &hashlen );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3554#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3555 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3556 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3557 {
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3558 /*
3559 * digitally-signed struct {
3560 * opaque md5_hash[16];
3561 * opaque sha_hash[20];
3562 * };
3563 *
3564 * md5_hash
3565 * MD5(handshake_messages);
3566 *
3567 * sha_hash
3568 * SHA(handshake_messages);
3569 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3570 md_alg = MBEDTLS_MD_NONE;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3571
3572 /*
3573 * For ECDSA, default hash is SHA-1 only
3574 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3575 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3576 {
3577 hash_start += 16;
3578 hashlen -= 16;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3579 md_alg = MBEDTLS_MD_SHA1;
Manuel Pégourié-Gonnard4bd12842013-08-27 13:31:28 +0200[diff] [blame]3580 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3581 }
3582 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3583#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3584 MBEDTLS_SSL_PROTO_TLS1_1 */
3585#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3586 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3587 {
3588 /*
3589 * digitally-signed struct {
3590 * opaque handshake_messages[handshake_messages_length];
3591 * };
3592 *
3593 * Taking shortcut here. We assume that the server always allows the
3594 * PRF Hash function and has sent it in the allowed signature
3595 * algorithms list received in the Certificate Request message.
3596 *
3597 * Until we encounter a server that does not, we will take this
3598 * shortcut.
3599 *
3600 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3601 * in order to satisfy 'weird' needs from the server side.
3602 */
Hanno Beckerdf645962019-06-26 13:02:22 +0100[diff] [blame]3603 if( mbedtls_ssl_suite_get_mac(
3604 mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
Hanno Becker473f98f2019-06-26 10:27:32 +0100[diff] [blame]3605 == MBEDTLS_MD_SHA384 )
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3606 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3607 md_alg = MBEDTLS_MD_SHA384;
3608 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3609 }
3610 else
3611 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3612 md_alg = MBEDTLS_MD_SHA256;
3613 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
Paul Bakkerca4ab492012-04-18 14:23:57 +0000[diff] [blame]3614 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3615 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3616
Manuel Pégourié-Gonnardbfe32ef2013-08-22 14:55:30 +0200[diff] [blame]3617 /* Info from md_alg will be used instead */
3618 hashlen = 0;
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3619 offset = 2;
3620 }
Paul Bakkerd2f068e2013-08-27 21:19:20 +0200[diff] [blame]3621 else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3622#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3623 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3624 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3625 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Paul Bakker577e0062013-08-28 11:57:20 +0200[diff] [blame]3626 }
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3627
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3628#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
Manuel Pégourié-Gonnardd27d1a52017-08-15 11:49:08 +0200[diff] [blame]3629 if( ssl->handshake->ecrs_enabled )
Manuel Pégourié-Gonnard15d7df22017-08-17 14:33:31 +0200[diff] [blame]3630 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]3631#endif
3632
3633 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3634 md_alg, hash_start, hashlen,
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3635 ssl->out_msg + 6 + offset, &n,
Hanno Beckerece325c2019-06-13 15:39:27 +0100[diff] [blame]3636 mbedtls_ssl_conf_get_frng( ssl->conf ),
3637 ssl->conf->p_rng, rs_ctx ) ) != 0 )
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3638 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3639 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
Manuel Pégourié-Gonnard558da9c2018-06-13 12:02:12 +0200[diff] [blame]3640#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3641 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3642 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3643#endif
Manuel Pégourié-Gonnard0d420492013-08-21 16:14:26 +0200[diff] [blame]3644 return( ret );
Manuel Pégourié-Gonnard76c18a12013-08-20 16:50:40 +0200[diff] [blame]3645 }
Paul Bakker926af752012-11-23 13:38:07 +0100[diff] [blame]3646
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3647 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3648 ssl->out_msg[5 + offset] = (unsigned char)( n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3649
Paul Bakker1ef83d62012-04-11 12:09:53 +0000[diff] [blame]3650 ssl->out_msglen = 6 + n + offset;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3651 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3652 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3653
3654 ssl->state++;
3655
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3656 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3657 {
Manuel Pégourié-Gonnard31c15862017-09-13 09:38:11 +0200[diff] [blame]3658 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3659 return( ret );
3660 }
3661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3662 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3663
Paul Bakkered27a042013-04-18 22:46:23 +0200[diff] [blame]3664 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3665}
Hanno Beckerae39b9e2019-02-07 12:32:43 +0000[diff] [blame]3666#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3668#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3669static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3670{
3671 int ret;
3672 uint32_t lifetime;
3673 size_t ticket_len;
3674 unsigned char *ticket;
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3675 const unsigned char *msg;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3677 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3678
Hanno Becker327c93b2018-08-15 13:56:18 +0100[diff] [blame]3679 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3680 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3681 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3682 return( ret );
3683 }
3684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3685 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3686 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3687 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3688 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3689 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3690 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3691 }
3692
3693 /*
3694 * struct {
3695 * uint32 ticket_lifetime_hint;
3696 * opaque ticket<0..2^16-1>;
3697 * } NewSessionTicket;
3698 *
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3699 * 0 . 3 ticket_lifetime_hint
3700 * 4 . 5 ticket_len (n)
3701 * 6 . 5+n ticket content
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3702 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3703 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3704 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3705 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3706 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3707 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3708 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3709 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3710 }
3711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3712 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3713
Philippe Antoineb5b25432018-05-11 11:06:29 +0200[diff] [blame]3714 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3715 ( msg[2] << 8 ) | ( msg[3] );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3716
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3717 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3718
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3719 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3720 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3722 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3723 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3724 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3725 }
3726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3728
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3729 /* We're not waiting for a NewSessionTicket message any more */
3730 ssl->handshake->new_session_ticket = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3731 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Manuel Pégourié-Gonnard7cd59242013-08-02 13:24:41 +0200[diff] [blame]3732
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3733 /*
3734 * Zero-length ticket means the server changed his mind and doesn't want
3735 * to send a ticket after all, so just forget it
3736 */
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]3737 if( ticket_len == 0 )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3738 return( 0 );
3739
Hanno Becker3d699e42019-01-30 14:46:35 +0000[diff] [blame]3740 if( ssl->session != NULL && ssl->session->ticket != NULL )
3741 {
3742 mbedtls_platform_zeroize( ssl->session->ticket,
3743 ssl->session->ticket_len );
3744 mbedtls_free( ssl->session->ticket );
3745 ssl->session->ticket = NULL;
3746 ssl->session->ticket_len = 0;
3747 }
3748
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]3749 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3750 ssl->session_negotiate->ticket_len );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3751 mbedtls_free( ssl->session_negotiate->ticket );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3752 ssl->session_negotiate->ticket = NULL;
3753 ssl->session_negotiate->ticket_len = 0;
3754
Manuel Pégourié-Gonnard7551cb92015-05-26 16:04:06 +0200[diff] [blame]3755 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3756 {
Manuel Pégourié-Gonnardb2a18a22015-05-27 16:29:56 +0200[diff] [blame]3757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3758 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3759 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200[diff] [blame]3760 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3761 }
3762
Manuel Pégourié-Gonnard000d5ae2014-09-10 21:52:12 +0200[diff] [blame]3763 memcpy( ticket, msg + 6, ticket_len );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3764
3765 ssl->session_negotiate->ticket = ticket;
3766 ssl->session_negotiate->ticket_len = ticket_len;
3767 ssl->session_negotiate->ticket_lifetime = lifetime;
3768
3769 /*
3770 * RFC 5077 section 3.4:
3771 * "If the client receives a session ticket from the server, then it
3772 * discards any Session ID that was sent in the ServerHello."
3773 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3774 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
Manuel Pégourié-Gonnard12ad7982015-06-18 15:50:37 +0200[diff] [blame]3775 ssl->session_negotiate->id_len = 0;
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3776
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3777 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3778
3779 return( 0 );
3780}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3781#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3782
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3783/*
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3784 * SSL handshake -- client side -- single step
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3785 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3786int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3787{
3788 int ret = 0;
3789
Manuel Pégourié-Gonnarddba460f2015-06-24 22:59:30 +0200[diff] [blame]3790 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3791 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3792
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3793 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3794
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3795 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3796 return( ret );
3797
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3798#if defined(MBEDTLS_SSL_PROTO_DTLS)
Manuel Pégourié-Gonnard64c16812019-06-06 12:43:51 +0200[diff] [blame]3799 if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3800 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3801 {
Manuel Pégourié-Gonnard87a346f2017-09-13 12:45:21 +0200[diff] [blame]3802 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3803 return( ret );
3804 }
Hanno Beckerbc2498a2018-08-28 10:13:29 +0100[diff] [blame]3805#endif /* MBEDTLS_SSL_PROTO_DTLS */
Manuel Pégourié-Gonnard5d8ba532014-09-19 15:09:21 +0200[diff] [blame]3806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3807 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3808 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3809#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3810 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3811 ssl->handshake->new_session_ticket != 0 )
3812 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3813 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3814 }
3815#endif
3816
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3817 switch( ssl->state )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3818 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3819 case MBEDTLS_SSL_HELLO_REQUEST:
3820 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3821 break;
3822
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3823 /*
3824 * ==> ClientHello
3825 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3826 case MBEDTLS_SSL_CLIENT_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3827 ret = ssl_write_client_hello( ssl );
3828 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3829
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3830 /*
3831 * <== ServerHello
3832 * Certificate
3833 * ( ServerKeyExchange )
3834 * ( CertificateRequest )
3835 * ServerHelloDone
3836 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3837 case MBEDTLS_SSL_SERVER_HELLO:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3838 ret = ssl_parse_server_hello( ssl );
3839 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3840
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3841 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3842 ret = mbedtls_ssl_parse_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3843 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3844
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3845 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3846 ret = ssl_parse_server_key_exchange( ssl );
3847 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3849 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3850 ret = ssl_parse_certificate_request( ssl );
3851 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3853 case MBEDTLS_SSL_SERVER_HELLO_DONE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3854 ret = ssl_parse_server_hello_done( ssl );
3855 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3856
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3857 /*
3858 * ==> ( Certificate/Alert )
3859 * ClientKeyExchange
3860 * ( CertificateVerify )
3861 * ChangeCipherSpec
3862 * Finished
3863 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3864 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3865 ret = mbedtls_ssl_write_certificate( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3866 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3867
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3868 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3869 ret = ssl_write_client_key_exchange( ssl );
3870 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3871
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3872 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3873 ret = ssl_write_certificate_verify( ssl );
3874 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3875
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3876 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3877 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3878 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3879
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3880 case MBEDTLS_SSL_CLIENT_FINISHED:
3881 ret = mbedtls_ssl_write_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3882 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3883
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3884 /*
Manuel Pégourié-Gonnarda5cc6022013-07-31 12:58:16 +0200[diff] [blame]3885 * <== ( NewSessionTicket )
3886 * ChangeCipherSpec
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3887 * Finished
3888 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3889#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3890 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3891 ret = ssl_parse_new_session_ticket( ssl );
3892 break;
Paul Bakkera503a632013-08-14 13:48:06 +0200[diff] [blame]3893#endif
Manuel Pégourié-Gonnardcd32a502014-09-20 13:54:12 +0200[diff] [blame]3894
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3895 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3896 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3897 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3898
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3899 case MBEDTLS_SSL_SERVER_FINISHED:
3900 ret = mbedtls_ssl_parse_finished( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3901 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3902
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3903 case MBEDTLS_SSL_FLUSH_BUFFERS:
3904 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3905 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3906 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3907
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3908 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3909 mbedtls_ssl_handshake_wrapup( ssl );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3910 break;
Paul Bakker48916f92012-09-16 19:57:18 +0000[diff] [blame]3911
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3912 default:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3914 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Paul Bakker1961b702013-01-25 14:49:24 +0100[diff] [blame]3915 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]3916
3917 return( ret );
3918}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3919#endif /* MBEDTLS_SSL_CLI_C */