mbedtls ported to mbed-classic

Fork of mbedtls by Christopher Haster

Committer:
Christopher Haster
Date:
Fri Jan 22 16:44:49 2016 -0600
Revision:
1:24750b9ad5ef
Initial move of mbedtls to mercurial

Christopher Haster 1:24750b9ad5ef 1 /*
Christopher Haster 1:24750b9ad5ef 2 * SSLv3/TLSv1 client-side functions
Christopher Haster 1:24750b9ad5ef 3 *
Christopher Haster 1:24750b9ad5ef 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Christopher Haster 1:24750b9ad5ef 5 * SPDX-License-Identifier: Apache-2.0
Christopher Haster 1:24750b9ad5ef 6 *
Christopher Haster 1:24750b9ad5ef 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
Christopher Haster 1:24750b9ad5ef 8 * not use this file except in compliance with the License.
Christopher Haster 1:24750b9ad5ef 9 * You may obtain a copy of the License at
Christopher Haster 1:24750b9ad5ef 10 *
Christopher Haster 1:24750b9ad5ef 11 * http://www.apache.org/licenses/LICENSE-2.0
Christopher Haster 1:24750b9ad5ef 12 *
Christopher Haster 1:24750b9ad5ef 13 * Unless required by applicable law or agreed to in writing, software
Christopher Haster 1:24750b9ad5ef 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
Christopher Haster 1:24750b9ad5ef 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Christopher Haster 1:24750b9ad5ef 16 * See the License for the specific language governing permissions and
Christopher Haster 1:24750b9ad5ef 17 * limitations under the License.
Christopher Haster 1:24750b9ad5ef 18 *
Christopher Haster 1:24750b9ad5ef 19 * This file is part of mbed TLS (https://tls.mbed.org)
Christopher Haster 1:24750b9ad5ef 20 */
Christopher Haster 1:24750b9ad5ef 21
Christopher Haster 1:24750b9ad5ef 22 #if !defined(MBEDTLS_CONFIG_FILE)
Christopher Haster 1:24750b9ad5ef 23 #include "mbedtls/config.h"
Christopher Haster 1:24750b9ad5ef 24 #else
Christopher Haster 1:24750b9ad5ef 25 #include MBEDTLS_CONFIG_FILE
Christopher Haster 1:24750b9ad5ef 26 #endif
Christopher Haster 1:24750b9ad5ef 27
Christopher Haster 1:24750b9ad5ef 28 #if defined(MBEDTLS_SSL_CLI_C)
Christopher Haster 1:24750b9ad5ef 29
Christopher Haster 1:24750b9ad5ef 30 #include "mbedtls/debug.h"
Christopher Haster 1:24750b9ad5ef 31 #include "mbedtls/ssl.h"
Christopher Haster 1:24750b9ad5ef 32 #include "mbedtls/ssl_internal.h"
Christopher Haster 1:24750b9ad5ef 33
Christopher Haster 1:24750b9ad5ef 34 #include <string.h>
Christopher Haster 1:24750b9ad5ef 35
Christopher Haster 1:24750b9ad5ef 36 #if defined(MBEDTLS_PLATFORM_C)
Christopher Haster 1:24750b9ad5ef 37 #include "mbedtls/platform.h"
Christopher Haster 1:24750b9ad5ef 38 #else
Christopher Haster 1:24750b9ad5ef 39 #include <stdlib.h>
Christopher Haster 1:24750b9ad5ef 40 #define mbedtls_calloc calloc
Christopher Haster 1:24750b9ad5ef 41 #define mbedtls_free free
Christopher Haster 1:24750b9ad5ef 42 #endif
Christopher Haster 1:24750b9ad5ef 43
Christopher Haster 1:24750b9ad5ef 44 #include <stdint.h>
Christopher Haster 1:24750b9ad5ef 45
Christopher Haster 1:24750b9ad5ef 46 #if defined(MBEDTLS_HAVE_TIME)
Christopher Haster 1:24750b9ad5ef 47 #include <time.h>
Christopher Haster 1:24750b9ad5ef 48 #endif
Christopher Haster 1:24750b9ad5ef 49
Christopher Haster 1:24750b9ad5ef 50 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
 * Overwrite n bytes starting at v with zeros.
 *
 * Every store goes through a volatile-qualified pointer, which is what keeps
 * the compiler from treating the wipe as a dead store and removing it.
 */
static void mbedtls_zeroize( void *v, size_t n )
{
    volatile unsigned char *bytes = v;
    size_t i;

    for( i = 0; i < n; i++ )
        bytes[i] = 0;
}
Christopher Haster 1:24750b9ad5ef 55 #endif
Christopher Haster 1:24750b9ad5ef 56
Christopher Haster 1:24750b9ad5ef 57 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/*
 * Write the server_name extension of the ClientHello at buf.
 *
 * ssl:  context supplying ssl->hostname and the output buffer ssl->out_msg.
 * buf:  where the extension starts; the space check is made against
 *       ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN.
 * olen: set to the number of bytes written, or left at 0 when nothing is
 *       written (no hostname set, or not enough room).
 *
 * The function has no return code: a buffer that is too small is reported
 * only through a level-1 debug message, and the caller just sees *olen == 0.
 */
static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
                                    unsigned char *buf,
                                    size_t *olen )
{
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    size_t name_len;
    size_t ext_data_len;    /* extension_data: list length field + list */
    size_t name_list_len;   /* ServerNameList: name type + length + name */

    *olen = 0;

    if( ssl->hostname == NULL )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
                   ssl->hostname ) );

    name_len = strlen( ssl->hostname );

    /* 9 = type (2) + ext length (2) + list length (2) + name type (1)
     *     + name length (2) */
    if( limit < buf || (size_t)( limit - buf ) < name_len + 9 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    ext_data_len  = name_len + 5;
    name_list_len = name_len + 3;

    /*
     * struct {
     *     NameType name_type;
     *     select (name_type) {
     *         case host_name: HostName;
     *     } name;
     * } ServerName;
     *
     * enum {
     *     host_name(0), (255)
     * } NameType;
     *
     * opaque HostName<1..2^16-1>;
     *
     * struct {
     *     ServerName server_name_list<1..2^16-1>
     * } ServerNameList;
     */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME      ) & 0xFF );

    buf[2] = (unsigned char)( ( ext_data_len >> 8 ) & 0xFF );
    buf[3] = (unsigned char)( ( ext_data_len      ) & 0xFF );

    buf[4] = (unsigned char)( ( name_list_len >> 8 ) & 0xFF );
    buf[5] = (unsigned char)( ( name_list_len      ) & 0xFF );

    buf[6] = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
    buf[7] = (unsigned char)( ( name_len >> 8 ) & 0xFF );
    buf[8] = (unsigned char)( ( name_len      ) & 0xFF );

    /* The name is copied without its terminating NUL */
    memcpy( buf + 9, ssl->hostname, name_len );

    *olen = name_len + 9;
}
Christopher Haster 1:24750b9ad5ef 117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
Christopher Haster 1:24750b9ad5ef 118
Christopher Haster 1:24750b9ad5ef 119 #if defined(MBEDTLS_SSL_RENEGOTIATION)
/*
 * Write the renegotiation_info extension of the ClientHello at buf.
 *
 * The extension is written only while ssl->renego_status is
 * MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; its payload is
 * ssl->own_verify_data (ssl->verify_data_len bytes).
 *
 * olen: set to the number of bytes written, or left at 0 when nothing is
 *       written. A buffer that is too small is reported only through a
 *       level-1 debug message.
 */
static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
                                         unsigned char *buf,
                                         size_t *olen )
{
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;

    *olen = 0;

    if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );

    /* 5 = type (2) + ext length (2) + verify data length (1) */
    if( limit < buf || (size_t)( limit - buf ) < 5 + ssl->verify_data_len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    /*
     * Secure renegotiation
     */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );

    /* The high byte of the extension length is fixed at 0, so this encoding
     * relies on verify_data_len + 1 fitting in a single byte. */
    buf[2] = 0x00;
    buf[3] = ( ssl->verify_data_len + 1 ) & 0xFF;
    buf[4] = ssl->verify_data_len & 0xFF;

    memcpy( buf + 5, ssl->own_verify_data, ssl->verify_data_len );

    *olen = 5 + ssl->verify_data_len;
}
Christopher Haster 1:24750b9ad5ef 154 #endif /* MBEDTLS_SSL_RENEGOTIATION */
Christopher Haster 1:24750b9ad5ef 155
Christopher Haster 1:24750b9ad5ef 156 /*
Christopher Haster 1:24750b9ad5ef 157 * Only if we handle at least one key exchange that needs signatures.
Christopher Haster 1:24750b9ad5ef 158 */
Christopher Haster 1:24750b9ad5ef 159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Christopher Haster 1:24750b9ad5ef 160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
/*
 * Write the signature_algorithms extension of the ClientHello at buf.
 *
 * Written only when ssl->conf->max_minor_ver is MBEDTLS_SSL_MINOR_VERSION_3.
 * For every hash in ssl->conf->sig_hashes (terminated by MBEDTLS_MD_NONE) one
 * (hash, signature) pair is emitted per signature type compiled in
 * (ECDSA first, then RSA).
 *
 * olen: set to the number of bytes written, or left at 0 when nothing is
 *       written. A buffer that is too small is reported only through a
 *       level-1 debug message.
 */
static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
                                                unsigned char *buf,
                                                size_t *olen )
{
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    const int *hash;
    size_t list_len = 0;
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
    /* The list goes after the 6-byte header, which is filled in last */
    unsigned char *pair_list = buf + 6;
#endif

    *olen = 0;

    if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );

    /* First pass: work out how long the list will be before writing any of it */
    for( hash = ssl->conf->sig_hashes; *hash != MBEDTLS_MD_NONE; hash++ )
    {
#if defined(MBEDTLS_ECDSA_C)
        list_len += 2;
#endif
#if defined(MBEDTLS_RSA_C)
        list_len += 2;
#endif
    }

    if( limit < buf || (size_t)( limit - buf ) < list_len + 6 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    /*
     * Prepare signature_algorithms extension (TLS 1.2)
     */
    list_len = 0;

    /* Second pass: emit the pairs */
    for( hash = ssl->conf->sig_hashes; *hash != MBEDTLS_MD_NONE; hash++ )
    {
#if defined(MBEDTLS_ECDSA_C)
        pair_list[list_len++] = mbedtls_ssl_hash_from_md_alg( *hash );
        pair_list[list_len++] = MBEDTLS_SSL_SIG_ECDSA;
#endif
#if defined(MBEDTLS_RSA_C)
        pair_list[list_len++] = mbedtls_ssl_hash_from_md_alg( *hash );
        pair_list[list_len++] = MBEDTLS_SSL_SIG_RSA;
#endif
    }

    /*
     * enum {
     *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
     *     sha512(6), (255)
     * } HashAlgorithm;
     *
     * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
     *   SignatureAlgorithm;
     *
     * struct {
     *     HashAlgorithm hash;
     *     SignatureAlgorithm signature;
     * } SignatureAndHashAlgorithm;
     *
     * SignatureAndHashAlgorithm
     *   supported_signature_algorithms<2..2^16-2>;
     */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG      ) & 0xFF );

    buf[2] = (unsigned char)( ( ( list_len + 2 ) >> 8 ) & 0xFF );
    buf[3] = (unsigned char)( ( ( list_len + 2 )      ) & 0xFF );

    buf[4] = (unsigned char)( ( list_len >> 8 ) & 0xFF );
    buf[5] = (unsigned char)( ( list_len      ) & 0xFF );

    *olen = 6 + list_len;
}
Christopher Haster 1:24750b9ad5ef 241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
Christopher Haster 1:24750b9ad5ef 242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
Christopher Haster 1:24750b9ad5ef 243
Christopher Haster 1:24750b9ad5ef 244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Christopher Haster 1:24750b9ad5ef 245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
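/*
 * Write the supported_elliptic_curves extension of the ClientHello at buf.
 *
 * With MBEDTLS_ECP_C the curves come from ssl->conf->curve_list (terminated
 * by MBEDTLS_ECP_DP_NONE); otherwise from mbedtls_ecp_curve_list(). Each
 * curve contributes its two-byte TLS id.
 *
 * olen: set to the number of bytes written, or left at 0 when nothing is
 *       written (not enough room, an unknown curve in the configuration, or
 *       an empty list). These cases are reported only through debug
 *       messages; there is no return code.
 */
static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
                                                     unsigned char *buf,
                                                     size_t *olen )
{
    unsigned char *p = buf;
    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    /* The list goes after the 6-byte header, which is filled in last */
    unsigned char *elliptic_curve_list = p + 6;
    size_t elliptic_curve_len = 0;
    const mbedtls_ecp_curve_info *info;
#if defined(MBEDTLS_ECP_C)
    const mbedtls_ecp_group_id *grp_id;
#else
    ((void) ssl);
#endif

    *olen = 0;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );

    /* First pass: validate the list and work out its encoded length */
#if defined(MBEDTLS_ECP_C)
    for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
#else
    for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
#endif
    {
#if defined(MBEDTLS_ECP_C)
        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
#endif
        /*
         * mbedtls_ecp_curve_info_from_grp_id() returns NULL for a group id
         * it has no entry for. curve_list is application configuration, so
         * reject such an entry here instead of dereferencing NULL below.
         */
        if( info == NULL )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
            return;
        }

        elliptic_curve_len += 2;
    }

    if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    elliptic_curve_len = 0;

    /* Second pass: emit the TLS id of every curve */
#if defined(MBEDTLS_ECP_C)
    for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
#else
    for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
#endif
    {
#if defined(MBEDTLS_ECP_C)
        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
#endif
        /* Same guard as in the first pass, kept so this loop is safe on
         * its own. */
        if( info == NULL )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
            return;
        }

        elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
        elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
    }

    /* An empty list is not sent at all */
    if( elliptic_curve_len == 0 )
        return;

    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES      ) & 0xFF );

    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 )      ) & 0xFF );

    *p++ = (unsigned char)( ( ( elliptic_curve_len     ) >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( ( elliptic_curve_len     )      ) & 0xFF );

    *olen = 6 + elliptic_curve_len;
}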
Christopher Haster 1:24750b9ad5ef 311
/*
 * Write the supported_point_formats extension of the ClientHello at buf.
 *
 * The extension is a fixed 6 bytes and lists a single format,
 * MBEDTLS_ECP_PF_UNCOMPRESSED.
 *
 * olen: set to 6 on success, or left at 0 when there is not enough room
 *       (reported only through a level-1 debug message).
 */
static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
                                                   unsigned char *buf,
                                                   size_t *olen )
{
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;

    *olen = 0;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );

    if( limit < buf || (size_t)( limit - buf ) < 6 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    /* Extension type */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );

    /* Extension data length: 2 */
    buf[2] = 0x00;
    buf[3] = 2;

    /* Format list: length 1, then the single format */
    buf[4] = 1;
    buf[5] = MBEDTLS_ECP_PF_UNCOMPRESSED;

    *olen = 6;
}
Christopher Haster 1:24750b9ad5ef 340 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Christopher Haster 1:24750b9ad5ef 341 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster 1:24750b9ad5ef 342
Christopher Haster 1:24750b9ad5ef 343 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
 * Write the ecjpake_kkpp extension of the ClientHello at buf.
 *
 * The round-one payload is generated once with
 * mbedtls_ecjpake_write_round_one() and stored in
 * ssl->handshake->ecjpake_cache; later calls copy the cached bytes back
 * instead of generating new ones.
 *
 * olen: set to the number of bytes written, or left at 0 when nothing is
 *       written (EC J-PAKE not usable, not enough room, generation or
 *       allocation failure). Failures are reported only through debug
 *       messages; there is no return code.
 */
static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
                                        unsigned char *buf,
                                        size_t *olen )
{
    int ret;
    unsigned char *len_field;   /* two-byte extension data length */
    unsigned char *payload;     /* extension data */
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    size_t kkpp_len;

    *olen = 0;

    /* Skip costly extension if we can't use EC J-PAKE anyway */
    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );

    /* Room for the 4-byte header; the payload is checked separately below */
    if( limit - buf < 4 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );

    len_field = buf + 2;
    payload   = buf + 4;

    /*
     * We may need to send ClientHello multiple times for Hello verification.
     * We don't want to compute fresh values every time (both for performance
     * and consistency reasons), so cache the extension content.
     */
    if( ssl->handshake->ecjpake_cache != NULL &&
        ssl->handshake->ecjpake_cache_len != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );

        kkpp_len = ssl->handshake->ecjpake_cache_len;

        if( (size_t)( limit - payload ) < kkpp_len )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
            return;
        }

        memcpy( payload, ssl->handshake->ecjpake_cache, kkpp_len );
    }
    else
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );

        /* The writer is handed the space left after the header as its
         * output size */
        ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
                                        payload, limit - payload, &kkpp_len,
                                        ssl->conf->f_rng, ssl->conf->p_rng );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
            return;
        }

        ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
        if( ssl->handshake->ecjpake_cache == NULL )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
            return;
        }

        memcpy( ssl->handshake->ecjpake_cache, payload, kkpp_len );
        ssl->handshake->ecjpake_cache_len = kkpp_len;
    }

    len_field[0] = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
    len_field[1] = (unsigned char)( ( kkpp_len      ) & 0xFF );

    *olen = kkpp_len + 4;
}
Christopher Haster 1:24750b9ad5ef 419 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster 1:24750b9ad5ef 420
Christopher Haster 1:24750b9ad5ef 421 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/*
 * Write the max_fragment_length extension of the ClientHello at buf.
 *
 * Nothing is written when ssl->conf->mfl_code is
 * MBEDTLS_SSL_MAX_FRAG_LEN_NONE. Otherwise the extension is a fixed 5 bytes
 * whose single data byte is mfl_code.
 *
 * olen: set to 5 on success, or left at 0 when nothing is written. A buffer
 *       that is too small is reported only through a level-1 debug message.
 */
static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                               unsigned char *buf,
                                               size_t *olen )
{
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;

    *olen = 0;

    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );

    if( limit < buf || (size_t)( limit - buf ) < 5 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    /* Extension type */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );

    /* Extension data length: 1 */
    buf[2] = 0x00;
    buf[3] = 1;

    buf[4] = ssl->conf->mfl_code;

    *olen = 5;
}
Christopher Haster 1:24750b9ad5ef 453 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Christopher Haster 1:24750b9ad5ef 454
Christopher Haster 1:24750b9ad5ef 455 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/*
 * Write the truncated_hmac extension of the ClientHello at buf.
 *
 * Nothing is written when ssl->conf->trunc_hmac is
 * MBEDTLS_SSL_TRUNC_HMAC_DISABLED. Otherwise the extension is the 2-byte type
 * followed by a zero length (4 bytes, no data).
 *
 * olen: set to 4 on success, or left at 0 when nothing is written. A buffer
 *       that is too small is reported only through a level-1 debug message.
 */
static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
                                          unsigned char *buf, size_t *olen )
{
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;

    *olen = 0;

    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );

    if( limit < buf || (size_t)( limit - buf ) < 4 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    /* Extension type */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );

    /* Extension data length: 0 */
    buf[2] = 0x00;
    buf[3] = 0x00;

    *olen = 4;
}
Christopher Haster 1:24750b9ad5ef 485 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Christopher Haster 1:24750b9ad5ef 486
Christopher Haster 1:24750b9ad5ef 487 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
/*
 * Write the encrypt_then_mac extension of the ClientHello at buf.
 *
 * Nothing is written when ssl->conf->encrypt_then_mac is
 * MBEDTLS_SSL_ETM_DISABLED or when ssl->conf->max_minor_ver is
 * MBEDTLS_SSL_MINOR_VERSION_0. Otherwise the extension is the 2-byte type
 * followed by a zero length (4 bytes, no data).
 *
 * olen: set to 4 on success, or left at 0 when nothing is written. A buffer
 *       that is too small is reported only through a level-1 debug message.
 */
static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                            unsigned char *buf, size_t *olen )
{
    const unsigned char *limit = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;

    *olen = 0;

    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
        return;

    if( ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
                        "extension" ) );

    if( limit < buf || (size_t)( limit - buf ) < 4 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    /* Extension type */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );

    /* Extension data length: 0 */
    buf[2] = 0x00;
    buf[3] = 0x00;

    *olen = 4;
}
Christopher Haster 1:24750b9ad5ef 519 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Christopher Haster 1:24750b9ad5ef 520
Christopher Haster 1:24750b9ad5ef 521 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
/*
 * Write the extended_master_secret extension of the ClientHello at buf.
 *
 * ssl   SSL context; reads ssl->conf and ssl->out_msg.
 * buf   position in the output message where the extension starts.
 * olen  set to 4 when the extension is written, 0 when it is skipped
 *       (disabled in the configuration, max_minor_ver equal to
 *       MBEDTLS_SSL_MINOR_VERSION_0, or not enough room left in out_msg).
 */
static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
                                       unsigned char *buf, size_t *olen )
{
    unsigned char *cursor = buf;
    const unsigned char *bound = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;

    /* Nothing written unless every check below passes. */
    *olen = 0;

    /* Offered only when enabled and the maximum version is above minor 0. */
    if( !( ssl->conf->extended_ms != MBEDTLS_SSL_EXTENDED_MS_DISABLED &&
           ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) )
    {
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
                        "extension" ) );

    /* The extension is exactly 4 bytes: type (2) + empty length (2). */
    if( bound < cursor || (size_t)( bound - cursor ) < 4 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    /* Extension type in network byte order. */
    *cursor++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
    *cursor++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );

    /* Zero-length extension body. */
    *cursor++ = 0x00;
    *cursor++ = 0x00;

    *olen = (size_t)( cursor - buf );
}
Christopher Haster 1:24750b9ad5ef 553 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Christopher Haster 1:24750b9ad5ef 554
Christopher Haster 1:24750b9ad5ef 555 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
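/*
 * Write the SessionTicket extension of the ClientHello at buf.
 *
 * ssl   SSL context; reads ssl->conf, ssl->out_msg and the ticket stored in
 *       ssl->session_negotiate.
 * buf   position in the output message where the extension starts.
 * olen  set to the number of bytes written: 0 when the extension is skipped,
 *       4 for an empty extension (no stored ticket), 4 + ticket length
 *       otherwise.
 *
 * The extension is skipped when session tickets are disabled, when the
 * ticket length does not fit the 16-bit extension length field, or when the
 * header plus ticket would run past out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN.
 */
static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
                                          unsigned char *buf, size_t *olen )
{
    unsigned char *p = buf;
    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    size_t tlen = ssl->session_negotiate->ticket_len;

    *olen = 0;

    if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
    {
        return;
    }

    /*
     * Without ticket data only the 4-byte header is sent, so the length
     * written into that header must be 0 as well; otherwise the extension
     * would announce bytes that are never emitted.
     */
    if( ssl->session_negotiate->ticket == NULL )
        tlen = 0;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );

    /*
     * The extension length field is 16 bits wide: a longer ticket would be
     * announced with a truncated length while being copied in full.
     */
    if( tlen > 0xFFFF )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "session ticket too long" ) );
        return;
    }

    /* Compare without computing 4 + tlen, which could wrap around. */
    if( end < p || (size_t)( end - p ) < 4 ||
        (size_t)( end - p ) - 4 < tlen )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );

    *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( tlen      ) & 0xFF );

    *olen = 4;

    if( tlen == 0 )
    {
        return;
    }

    /* tlen is a size_t; cast to match %d (it is at most 0xFFFF here). */
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", (int) tlen ) );

    memcpy( p, ssl->session_negotiate->ticket, tlen );

    *olen += tlen;
}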
Christopher Haster 1:24750b9ad5ef 597 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster 1:24750b9ad5ef 598
Christopher Haster 1:24750b9ad5ef 599 #if defined(MBEDTLS_SSL_ALPN)
/*
 * Write the ALPN extension of the ClientHello at buf.
 *
 * ssl   SSL context; reads ssl->conf->alpn_list (a NULL-terminated array of
 *       C strings) and ssl->out_msg.
 * buf   position in the output message where the extension starts.
 * olen  set to the number of bytes written, or 0 when no list is configured
 *       or the extension does not fit before
 *       out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN.
 *
 * NOTE(review): each name length is masked with 0xFF, so a name of 256 bytes
 * or more would be written with a truncated length; presumably the
 * configuration setter rejects such names -- confirm against the caller.
 */
static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
                                unsigned char *buf, size_t *olen )
{
    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    unsigned char *out;
    const char **entry;
    size_t names_len = 0;
    size_t name_len;
    size_t ext_len, list_len;

    *olen = 0;

    if( ssl->conf->alpn_list == NULL )
    {
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );

    /* First pass: size of all entries, each a 1-byte length plus the name. */
    entry = ssl->conf->alpn_list;
    while( *entry != NULL )
    {
        names_len += (unsigned char)( strlen( *entry ) & 0xFF ) + 1;
        entry++;
    }

    /* 6 = extension type (2) + extension length (2) + list length (2). */
    if( end < buf || (size_t)( end - buf ) < 6 + names_len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );

    /*
     * opaque ProtocolName<1..2^8-1>;
     *
     * struct {
     *     ProtocolName protocol_name_list<2..2^16-1>
     * } ProtocolNameList;
     */

    /* Both length fields (buf[2..5]) are filled in once the size is known. */
    out = buf + 6;

    /* Second pass: emit every entry with the same masked length as above. */
    for( entry = ssl->conf->alpn_list; *entry != NULL; entry++ )
    {
        name_len = strlen( *entry ) & 0xFF;
        *out++ = (unsigned char) name_len;
        memcpy( out, *entry, name_len );
        out += name_len;
    }

    *olen = out - buf;

    /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
    ext_len = *olen - 4;
    buf[2] = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
    buf[3] = (unsigned char)( ( ext_len      ) & 0xFF );

    /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
    list_len = *olen - 6;
    buf[4] = (unsigned char)( ( list_len >> 8 ) & 0xFF );
    buf[5] = (unsigned char)( ( list_len      ) & 0xFF );
}
Christopher Haster 1:24750b9ad5ef 657 #endif /* MBEDTLS_SSL_ALPN */
Christopher Haster 1:24750b9ad5ef 658
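/*
 * Generate random bytes for ClientHello
 *
 * Fills the first 32 bytes of ssl->handshake->randbytes: 4 bytes holding the
 * current time (big-endian, low 32 bits) when MBEDTLS_HAVE_TIME is defined,
 * or 4 bytes of RNG output otherwise, followed by 28 bytes of RNG output.
 *
 * For DTLS with a verify cookie pending, the existing bytes are left
 * untouched so that the same random is sent again.
 *
 * Returns 0 on success, or the non-zero value returned by ssl->conf->f_rng.
 * f_rng is called without a NULL check here; ssl_write_client_hello()
 * rejects a NULL f_rng before calling this function.
 */
static int ssl_generate_random( mbedtls_ssl_context *ssl )
{
    int ret;
    unsigned char *p = ssl->handshake->randbytes;
#if defined(MBEDTLS_HAVE_TIME)
    time_t t;
#endif

    /*
     * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
     */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
        ssl->handshake->verify_cookie != NULL )
    {
        return( 0 );
    }
#endif

#if defined(MBEDTLS_HAVE_TIME)
    t = time( NULL );
    *p++ = (unsigned char)( t >> 24 );
    *p++ = (unsigned char)( t >> 16 );
    *p++ = (unsigned char)( t >>  8 );
    *p++ = (unsigned char)( t       );

    /*
     * time_t is not guaranteed to be unsigned long; cast so the argument
     * matches the %lu conversion.
     */
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu",
                        (unsigned long) t ) );
#else
    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
        return( ret );

    p += 4;
#endif /* MBEDTLS_HAVE_TIME */

    /* Remaining 28 bytes always come from the configured RNG. */
    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
        return( ret );

    return( 0 );
}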
Christopher Haster 1:24750b9ad5ef 701
Christopher Haster 1:24750b9ad5ef 702 static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
Christopher Haster 1:24750b9ad5ef 703 {
Christopher Haster 1:24750b9ad5ef 704 int ret;
Christopher Haster 1:24750b9ad5ef 705 size_t i, n, olen, ext_len = 0;
Christopher Haster 1:24750b9ad5ef 706 unsigned char *buf;
Christopher Haster 1:24750b9ad5ef 707 unsigned char *p, *q;
Christopher Haster 1:24750b9ad5ef 708 unsigned char offer_compress;
Christopher Haster 1:24750b9ad5ef 709 const int *ciphersuites;
Christopher Haster 1:24750b9ad5ef 710 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
Christopher Haster 1:24750b9ad5ef 711
Christopher Haster 1:24750b9ad5ef 712 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
Christopher Haster 1:24750b9ad5ef 713
Christopher Haster 1:24750b9ad5ef 714 if( ssl->conf->f_rng == NULL )
Christopher Haster 1:24750b9ad5ef 715 {
Christopher Haster 1:24750b9ad5ef 716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
Christopher Haster 1:24750b9ad5ef 717 return( MBEDTLS_ERR_SSL_NO_RNG );
Christopher Haster 1:24750b9ad5ef 718 }
Christopher Haster 1:24750b9ad5ef 719
Christopher Haster 1:24750b9ad5ef 720 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 721 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Christopher Haster 1:24750b9ad5ef 722 #endif
Christopher Haster 1:24750b9ad5ef 723 {
Christopher Haster 1:24750b9ad5ef 724 ssl->major_ver = ssl->conf->min_major_ver;
Christopher Haster 1:24750b9ad5ef 725 ssl->minor_ver = ssl->conf->min_minor_ver;
Christopher Haster 1:24750b9ad5ef 726 }
Christopher Haster 1:24750b9ad5ef 727
Christopher Haster 1:24750b9ad5ef 728 if( ssl->conf->max_major_ver == 0 )
Christopher Haster 1:24750b9ad5ef 729 {
Christopher Haster 1:24750b9ad5ef 730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
Christopher Haster 1:24750b9ad5ef 731 "consider using mbedtls_ssl_config_defaults()" ) );
Christopher Haster 1:24750b9ad5ef 732 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Christopher Haster 1:24750b9ad5ef 733 }
Christopher Haster 1:24750b9ad5ef 734
Christopher Haster 1:24750b9ad5ef 735 /*
Christopher Haster 1:24750b9ad5ef 736 * 0 . 0 handshake type
Christopher Haster 1:24750b9ad5ef 737 * 1 . 3 handshake length
Christopher Haster 1:24750b9ad5ef 738 * 4 . 5 highest version supported
Christopher Haster 1:24750b9ad5ef 739 * 6 . 9 current UNIX time
Christopher Haster 1:24750b9ad5ef 740 * 10 . 37 random bytes
Christopher Haster 1:24750b9ad5ef 741 */
Christopher Haster 1:24750b9ad5ef 742 buf = ssl->out_msg;
Christopher Haster 1:24750b9ad5ef 743 p = buf + 4;
Christopher Haster 1:24750b9ad5ef 744
Christopher Haster 1:24750b9ad5ef 745 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
Christopher Haster 1:24750b9ad5ef 746 ssl->conf->transport, p );
Christopher Haster 1:24750b9ad5ef 747 p += 2;
Christopher Haster 1:24750b9ad5ef 748
Christopher Haster 1:24750b9ad5ef 749 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
Christopher Haster 1:24750b9ad5ef 750 buf[4], buf[5] ) );
Christopher Haster 1:24750b9ad5ef 751
Christopher Haster 1:24750b9ad5ef 752 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 753 {
Christopher Haster 1:24750b9ad5ef 754 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
Christopher Haster 1:24750b9ad5ef 755 return( ret );
Christopher Haster 1:24750b9ad5ef 756 }
Christopher Haster 1:24750b9ad5ef 757
Christopher Haster 1:24750b9ad5ef 758 memcpy( p, ssl->handshake->randbytes, 32 );
Christopher Haster 1:24750b9ad5ef 759 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
Christopher Haster 1:24750b9ad5ef 760 p += 32;
Christopher Haster 1:24750b9ad5ef 761
Christopher Haster 1:24750b9ad5ef 762 /*
Christopher Haster 1:24750b9ad5ef 763 * 38 . 38 session id length
Christopher Haster 1:24750b9ad5ef 764 * 39 . 39+n session id
Christopher Haster 1:24750b9ad5ef 765 * 39+n . 39+n DTLS only: cookie length (1 byte)
Christopher Haster 1:24750b9ad5ef 766 * 40+n . .. DTSL only: cookie
Christopher Haster 1:24750b9ad5ef 767 * .. . .. ciphersuitelist length (2 bytes)
Christopher Haster 1:24750b9ad5ef 768 * .. . .. ciphersuitelist
Christopher Haster 1:24750b9ad5ef 769 * .. . .. compression methods length (1 byte)
Christopher Haster 1:24750b9ad5ef 770 * .. . .. compression methods
Christopher Haster 1:24750b9ad5ef 771 * .. . .. extensions length (2 bytes)
Christopher Haster 1:24750b9ad5ef 772 * .. . .. extensions
Christopher Haster 1:24750b9ad5ef 773 */
Christopher Haster 1:24750b9ad5ef 774 n = ssl->session_negotiate->id_len;
Christopher Haster 1:24750b9ad5ef 775
Christopher Haster 1:24750b9ad5ef 776 if( n < 16 || n > 32 ||
Christopher Haster 1:24750b9ad5ef 777 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 778 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Christopher Haster 1:24750b9ad5ef 779 #endif
Christopher Haster 1:24750b9ad5ef 780 ssl->handshake->resume == 0 )
Christopher Haster 1:24750b9ad5ef 781 {
Christopher Haster 1:24750b9ad5ef 782 n = 0;
Christopher Haster 1:24750b9ad5ef 783 }
Christopher Haster 1:24750b9ad5ef 784
Christopher Haster 1:24750b9ad5ef 785 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster 1:24750b9ad5ef 786 /*
Christopher Haster 1:24750b9ad5ef 787 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
Christopher Haster 1:24750b9ad5ef 788 * generate and include a Session ID in the TLS ClientHello."
Christopher Haster 1:24750b9ad5ef 789 */
Christopher Haster 1:24750b9ad5ef 790 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 791 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Christopher Haster 1:24750b9ad5ef 792 #endif
Christopher Haster 1:24750b9ad5ef 793 {
Christopher Haster 1:24750b9ad5ef 794 if( ssl->session_negotiate->ticket != NULL &&
Christopher Haster 1:24750b9ad5ef 795 ssl->session_negotiate->ticket_len != 0 )
Christopher Haster 1:24750b9ad5ef 796 {
Christopher Haster 1:24750b9ad5ef 797 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
Christopher Haster 1:24750b9ad5ef 798
Christopher Haster 1:24750b9ad5ef 799 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 800 return( ret );
Christopher Haster 1:24750b9ad5ef 801
Christopher Haster 1:24750b9ad5ef 802 ssl->session_negotiate->id_len = n = 32;
Christopher Haster 1:24750b9ad5ef 803 }
Christopher Haster 1:24750b9ad5ef 804 }
Christopher Haster 1:24750b9ad5ef 805 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster 1:24750b9ad5ef 806
Christopher Haster 1:24750b9ad5ef 807 *p++ = (unsigned char) n;
Christopher Haster 1:24750b9ad5ef 808
Christopher Haster 1:24750b9ad5ef 809 for( i = 0; i < n; i++ )
Christopher Haster 1:24750b9ad5ef 810 *p++ = ssl->session_negotiate->id[i];
Christopher Haster 1:24750b9ad5ef 811
Christopher Haster 1:24750b9ad5ef 812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
Christopher Haster 1:24750b9ad5ef 813 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
Christopher Haster 1:24750b9ad5ef 814
Christopher Haster 1:24750b9ad5ef 815 /*
Christopher Haster 1:24750b9ad5ef 816 * DTLS cookie
Christopher Haster 1:24750b9ad5ef 817 */
Christopher Haster 1:24750b9ad5ef 818 #if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster 1:24750b9ad5ef 819 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster 1:24750b9ad5ef 820 {
Christopher Haster 1:24750b9ad5ef 821 if( ssl->handshake->verify_cookie == NULL )
Christopher Haster 1:24750b9ad5ef 822 {
Christopher Haster 1:24750b9ad5ef 823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
Christopher Haster 1:24750b9ad5ef 824 *p++ = 0;
Christopher Haster 1:24750b9ad5ef 825 }
Christopher Haster 1:24750b9ad5ef 826 else
Christopher Haster 1:24750b9ad5ef 827 {
Christopher Haster 1:24750b9ad5ef 828 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
Christopher Haster 1:24750b9ad5ef 829 ssl->handshake->verify_cookie,
Christopher Haster 1:24750b9ad5ef 830 ssl->handshake->verify_cookie_len );
Christopher Haster 1:24750b9ad5ef 831
Christopher Haster 1:24750b9ad5ef 832 *p++ = ssl->handshake->verify_cookie_len;
Christopher Haster 1:24750b9ad5ef 833 memcpy( p, ssl->handshake->verify_cookie,
Christopher Haster 1:24750b9ad5ef 834 ssl->handshake->verify_cookie_len );
Christopher Haster 1:24750b9ad5ef 835 p += ssl->handshake->verify_cookie_len;
Christopher Haster 1:24750b9ad5ef 836 }
Christopher Haster 1:24750b9ad5ef 837 }
Christopher Haster 1:24750b9ad5ef 838 #endif
Christopher Haster 1:24750b9ad5ef 839
Christopher Haster 1:24750b9ad5ef 840 /*
Christopher Haster 1:24750b9ad5ef 841 * Ciphersuite list
Christopher Haster 1:24750b9ad5ef 842 */
Christopher Haster 1:24750b9ad5ef 843 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
Christopher Haster 1:24750b9ad5ef 844
Christopher Haster 1:24750b9ad5ef 845 /* Skip writing ciphersuite length for now */
Christopher Haster 1:24750b9ad5ef 846 n = 0;
Christopher Haster 1:24750b9ad5ef 847 q = p;
Christopher Haster 1:24750b9ad5ef 848 p += 2;
Christopher Haster 1:24750b9ad5ef 849
Christopher Haster 1:24750b9ad5ef 850 for( i = 0; ciphersuites[i] != 0; i++ )
Christopher Haster 1:24750b9ad5ef 851 {
Christopher Haster 1:24750b9ad5ef 852 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
Christopher Haster 1:24750b9ad5ef 853
Christopher Haster 1:24750b9ad5ef 854 if( ciphersuite_info == NULL )
Christopher Haster 1:24750b9ad5ef 855 continue;
Christopher Haster 1:24750b9ad5ef 856
Christopher Haster 1:24750b9ad5ef 857 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver ||
Christopher Haster 1:24750b9ad5ef 858 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
Christopher Haster 1:24750b9ad5ef 859 continue;
Christopher Haster 1:24750b9ad5ef 860
Christopher Haster 1:24750b9ad5ef 861 #if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster 1:24750b9ad5ef 862 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
Christopher Haster 1:24750b9ad5ef 863 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
Christopher Haster 1:24750b9ad5ef 864 continue;
Christopher Haster 1:24750b9ad5ef 865 #endif
Christopher Haster 1:24750b9ad5ef 866
Christopher Haster 1:24750b9ad5ef 867 #if defined(MBEDTLS_ARC4_C)
Christopher Haster 1:24750b9ad5ef 868 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
Christopher Haster 1:24750b9ad5ef 869 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
Christopher Haster 1:24750b9ad5ef 870 continue;
Christopher Haster 1:24750b9ad5ef 871 #endif
Christopher Haster 1:24750b9ad5ef 872
Christopher Haster 1:24750b9ad5ef 873 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster 1:24750b9ad5ef 874 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
Christopher Haster 1:24750b9ad5ef 875 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
Christopher Haster 1:24750b9ad5ef 876 continue;
Christopher Haster 1:24750b9ad5ef 877 #endif
Christopher Haster 1:24750b9ad5ef 878
Christopher Haster 1:24750b9ad5ef 879 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
Christopher Haster 1:24750b9ad5ef 880 ciphersuites[i] ) );
Christopher Haster 1:24750b9ad5ef 881
Christopher Haster 1:24750b9ad5ef 882 n++;
Christopher Haster 1:24750b9ad5ef 883 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
Christopher Haster 1:24750b9ad5ef 884 *p++ = (unsigned char)( ciphersuites[i] );
Christopher Haster 1:24750b9ad5ef 885 }
Christopher Haster 1:24750b9ad5ef 886
Christopher Haster 1:24750b9ad5ef 887 /*
Christopher Haster 1:24750b9ad5ef 888 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Christopher Haster 1:24750b9ad5ef 889 */
Christopher Haster 1:24750b9ad5ef 890 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 891 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
Christopher Haster 1:24750b9ad5ef 892 #endif
Christopher Haster 1:24750b9ad5ef 893 {
Christopher Haster 1:24750b9ad5ef 894 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
Christopher Haster 1:24750b9ad5ef 895 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
Christopher Haster 1:24750b9ad5ef 896 n++;
Christopher Haster 1:24750b9ad5ef 897 }
Christopher Haster 1:24750b9ad5ef 898
Christopher Haster 1:24750b9ad5ef 899 /* Some versions of OpenSSL don't handle it correctly if not at end */
Christopher Haster 1:24750b9ad5ef 900 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
Christopher Haster 1:24750b9ad5ef 901 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
Christopher Haster 1:24750b9ad5ef 902 {
Christopher Haster 1:24750b9ad5ef 903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
Christopher Haster 1:24750b9ad5ef 904 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
Christopher Haster 1:24750b9ad5ef 905 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
Christopher Haster 1:24750b9ad5ef 906 n++;
Christopher Haster 1:24750b9ad5ef 907 }
Christopher Haster 1:24750b9ad5ef 908 #endif
Christopher Haster 1:24750b9ad5ef 909
Christopher Haster 1:24750b9ad5ef 910 *q++ = (unsigned char)( n >> 7 );
Christopher Haster 1:24750b9ad5ef 911 *q++ = (unsigned char)( n << 1 );
Christopher Haster 1:24750b9ad5ef 912
Christopher Haster 1:24750b9ad5ef 913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
Christopher Haster 1:24750b9ad5ef 914
Christopher Haster 1:24750b9ad5ef 915 #if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster 1:24750b9ad5ef 916 offer_compress = 1;
Christopher Haster 1:24750b9ad5ef 917 #else
Christopher Haster 1:24750b9ad5ef 918 offer_compress = 0;
Christopher Haster 1:24750b9ad5ef 919 #endif
Christopher Haster 1:24750b9ad5ef 920
Christopher Haster 1:24750b9ad5ef 921 /*
Christopher Haster 1:24750b9ad5ef 922 * We don't support compression with DTLS right now: is many records come
Christopher Haster 1:24750b9ad5ef 923 * in the same datagram, uncompressing one could overwrite the next one.
Christopher Haster 1:24750b9ad5ef 924 * We don't want to add complexity for handling that case unless there is
Christopher Haster 1:24750b9ad5ef 925 * an actual need for it.
Christopher Haster 1:24750b9ad5ef 926 */
Christopher Haster 1:24750b9ad5ef 927 #if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster 1:24750b9ad5ef 928 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster 1:24750b9ad5ef 929 offer_compress = 0;
Christopher Haster 1:24750b9ad5ef 930 #endif
Christopher Haster 1:24750b9ad5ef 931
Christopher Haster 1:24750b9ad5ef 932 if( offer_compress )
Christopher Haster 1:24750b9ad5ef 933 {
Christopher Haster 1:24750b9ad5ef 934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
Christopher Haster 1:24750b9ad5ef 935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
Christopher Haster 1:24750b9ad5ef 936 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
Christopher Haster 1:24750b9ad5ef 937
Christopher Haster 1:24750b9ad5ef 938 *p++ = 2;
Christopher Haster 1:24750b9ad5ef 939 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
Christopher Haster 1:24750b9ad5ef 940 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Christopher Haster 1:24750b9ad5ef 941 }
Christopher Haster 1:24750b9ad5ef 942 else
Christopher Haster 1:24750b9ad5ef 943 {
Christopher Haster 1:24750b9ad5ef 944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
Christopher Haster 1:24750b9ad5ef 945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
Christopher Haster 1:24750b9ad5ef 946 MBEDTLS_SSL_COMPRESS_NULL ) );
Christopher Haster 1:24750b9ad5ef 947
Christopher Haster 1:24750b9ad5ef 948 *p++ = 1;
Christopher Haster 1:24750b9ad5ef 949 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
Christopher Haster 1:24750b9ad5ef 950 }
Christopher Haster 1:24750b9ad5ef 951
Christopher Haster 1:24750b9ad5ef 952 // First write extensions, then the total length
Christopher Haster 1:24750b9ad5ef 953 //
Christopher Haster 1:24750b9ad5ef 954 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
Christopher Haster 1:24750b9ad5ef 955 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 956 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 957 #endif
Christopher Haster 1:24750b9ad5ef 958
Christopher Haster 1:24750b9ad5ef 959 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 960 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 961 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 962 #endif
Christopher Haster 1:24750b9ad5ef 963
Christopher Haster 1:24750b9ad5ef 964 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
Christopher Haster 1:24750b9ad5ef 965 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
Christopher Haster 1:24750b9ad5ef 966 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 967 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 968 #endif
Christopher Haster 1:24750b9ad5ef 969
Christopher Haster 1:24750b9ad5ef 970 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Christopher Haster 1:24750b9ad5ef 971 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster 1:24750b9ad5ef 972 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 973 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 974
Christopher Haster 1:24750b9ad5ef 975 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 976 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 977 #endif
Christopher Haster 1:24750b9ad5ef 978
Christopher Haster 1:24750b9ad5ef 979 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster 1:24750b9ad5ef 980 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 981 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 982 #endif
Christopher Haster 1:24750b9ad5ef 983
Christopher Haster 1:24750b9ad5ef 984 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Christopher Haster 1:24750b9ad5ef 985 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 986 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 987 #endif
Christopher Haster 1:24750b9ad5ef 988
Christopher Haster 1:24750b9ad5ef 989 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Christopher Haster 1:24750b9ad5ef 990 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 991 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 992 #endif
Christopher Haster 1:24750b9ad5ef 993
Christopher Haster 1:24750b9ad5ef 994 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Christopher Haster 1:24750b9ad5ef 995 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 996 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 997 #endif
Christopher Haster 1:24750b9ad5ef 998
Christopher Haster 1:24750b9ad5ef 999 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Christopher Haster 1:24750b9ad5ef 1000 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 1001 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 1002 #endif
Christopher Haster 1:24750b9ad5ef 1003
Christopher Haster 1:24750b9ad5ef 1004 #if defined(MBEDTLS_SSL_ALPN)
Christopher Haster 1:24750b9ad5ef 1005 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 1006 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 1007 #endif
Christopher Haster 1:24750b9ad5ef 1008
Christopher Haster 1:24750b9ad5ef 1009 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster 1:24750b9ad5ef 1010 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
Christopher Haster 1:24750b9ad5ef 1011 ext_len += olen;
Christopher Haster 1:24750b9ad5ef 1012 #endif
Christopher Haster 1:24750b9ad5ef 1013
Christopher Haster 1:24750b9ad5ef 1014 /* olen unused if all extensions are disabled */
Christopher Haster 1:24750b9ad5ef 1015 ((void) olen);
Christopher Haster 1:24750b9ad5ef 1016
Christopher Haster 1:24750b9ad5ef 1017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
Christopher Haster 1:24750b9ad5ef 1018 ext_len ) );
Christopher Haster 1:24750b9ad5ef 1019
Christopher Haster 1:24750b9ad5ef 1020 if( ext_len > 0 )
Christopher Haster 1:24750b9ad5ef 1021 {
Christopher Haster 1:24750b9ad5ef 1022 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
Christopher Haster 1:24750b9ad5ef 1023 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
Christopher Haster 1:24750b9ad5ef 1024 p += ext_len;
Christopher Haster 1:24750b9ad5ef 1025 }
Christopher Haster 1:24750b9ad5ef 1026
Christopher Haster 1:24750b9ad5ef 1027 ssl->out_msglen = p - buf;
Christopher Haster 1:24750b9ad5ef 1028 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
Christopher Haster 1:24750b9ad5ef 1029 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
Christopher Haster 1:24750b9ad5ef 1030
Christopher Haster 1:24750b9ad5ef 1031 ssl->state++;
Christopher Haster 1:24750b9ad5ef 1032
Christopher Haster 1:24750b9ad5ef 1033 #if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster 1:24750b9ad5ef 1034 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster 1:24750b9ad5ef 1035 mbedtls_ssl_send_flight_completed( ssl );
Christopher Haster 1:24750b9ad5ef 1036 #endif
Christopher Haster 1:24750b9ad5ef 1037
Christopher Haster 1:24750b9ad5ef 1038 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1039 {
Christopher Haster 1:24750b9ad5ef 1040 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
Christopher Haster 1:24750b9ad5ef 1041 return( ret );
Christopher Haster 1:24750b9ad5ef 1042 }
Christopher Haster 1:24750b9ad5ef 1043
Christopher Haster 1:24750b9ad5ef 1044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
Christopher Haster 1:24750b9ad5ef 1045
Christopher Haster 1:24750b9ad5ef 1046 return( 0 );
Christopher Haster 1:24750b9ad5ef 1047 }
Christopher Haster 1:24750b9ad5ef 1048
/*
 * Validate the renegotiation_info extension received in the ServerHello.
 *
 * During a renegotiation (only when MBEDTLS_SSL_RENEGOTIATION is built in)
 * the payload must be a one-byte length followed by our own verify data and
 * then the peer's verify data. On an initial handshake the payload must be
 * the single byte 0x00, in which case secure renegotiation is recorded on
 * the context.
 *
 * Returns 0 on success. On a mismatch
 * mbedtls_ssl_send_fatal_handshake_failure() is called and
 * MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO is returned, unless sending the alert
 * fails, in which case that error is returned instead.
 */
static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
{
    int ret;

#if defined(MBEDTLS_SSL_RENEGOTIATION)
    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
    {
        /*
         * The length fields are not secret and are tested first, so the
         * comparisons that follow stay inside the extension payload. The
         * verify data is compared through mbedtls_ssl_safer_memcmp() so that
         * the check is constant-time.
         */
        if( len    == 1 + ssl->verify_data_len * 2 &&
            buf[0] ==     ssl->verify_data_len * 2 &&
            mbedtls_ssl_safer_memcmp( buf + 1,
                          ssl->own_verify_data, ssl->verify_data_len ) == 0 &&
            mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
                          ssl->peer_verify_data, ssl->verify_data_len ) == 0 )
        {
            return( 0 );
        }

        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );

        ret = mbedtls_ssl_send_fatal_handshake_failure( ssl );
        if( ret != 0 )
            return( ret );

        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
    }
#endif /* MBEDTLS_SSL_RENEGOTIATION */

    /* Initial handshake: the only acceptable payload is an empty list. */
    if( len == 1 && buf[0] == 0x00 )
    {
        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
        return( 0 );
    }

    MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );

    ret = mbedtls_ssl_send_fatal_handshake_failure( ssl );
    if( ret != 0 )
        return( ret );

    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
Christopher Haster 1:24750b9ad5ef 1092
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/*
 * Validate the server's max_fragment_length extension.
 *
 * The server may only answer with this extension if the client offered it,
 * and its one-byte value must equal the code the client is configured with.
 *
 * Returns 0 when the reply is acceptable, otherwise
 * MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO.
 */
static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              size_t len )
{
    /* Not configured on our side, so the server's reply is unsolicited. */
    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );

    /* The payload is always exactly one byte; check before reading buf[0]. */
    if( len != 1 )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );

    /* The server must echo our value, not pick a different one. */
    if( buf[0] != ssl->conf->mfl_code )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );

    return( 0 );
}
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Christopher Haster 1:24750b9ad5ef 1112
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/*
 * Handle the server's truncated_hmac extension.
 *
 * Accepted only when truncated HMAC is not disabled in the client
 * configuration and the extension payload is empty; in that case the
 * session being negotiated is marked as using truncated HMAC.
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO otherwise.
 */
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
{
    /* The payload is never read: a valid extension carries no data. */
    ((void) buf);

    if( ssl->conf->trunc_hmac != MBEDTLS_SSL_TRUNC_HMAC_DISABLED &&
        len == 0 )
    {
        ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
        return( 0 );
    }

    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Christopher Haster 1:24750b9ad5ef 1131
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
/*
 * Handle the server's encrypt_then_mac extension.
 *
 * Rejected when Encrypt-then-MAC is disabled in the client configuration,
 * when the negotiated minor version is MBEDTLS_SSL_MINOR_VERSION_0, or when
 * the payload is not empty. Otherwise the session being negotiated is marked
 * as using Encrypt-then-MAC.
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO otherwise.
 */
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                           const unsigned char *buf,
                                           size_t len )
{
    /* The payload is never read: a valid extension carries no data. */
    ((void) buf);

    if( ssl->conf->encrypt_then_mac != MBEDTLS_SSL_ETM_DISABLED &&
        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 &&
        len == 0 )
    {
        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
        return( 0 );
    }

    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Christopher Haster 1:24750b9ad5ef 1151
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
/*
 * Handle the server's extended_master_secret extension.
 *
 * Rejected when the extension is disabled in the client configuration, when
 * the negotiated minor version is MBEDTLS_SSL_MINOR_VERSION_0, or when the
 * payload is not empty. Otherwise the handshake is marked as using the
 * extended master secret.
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO otherwise.
 */
static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
                                      const unsigned char *buf,
                                      size_t len )
{
    /* The payload is never read: a valid extension carries no data. */
    ((void) buf);

    if( ssl->conf->extended_ms != MBEDTLS_SSL_EXTENDED_MS_DISABLED &&
        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 &&
        len == 0 )
    {
        ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
        return( 0 );
    }

    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Christopher Haster 1:24750b9ad5ef 1171
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
 * Handle the server's session_ticket extension.
 *
 * Accepted only when session tickets are not disabled in the client
 * configuration and the payload is empty; the handshake then records that a
 * new session ticket is to be expected.
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO otherwise.
 */
static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
{
    /* The payload is never read: a valid extension carries no data. */
    ((void) buf);

    if( ssl->conf->session_tickets != MBEDTLS_SSL_SESSION_TICKETS_DISABLED &&
        len == 0 )
    {
        ssl->handshake->new_session_ticket = 1;
        return( 0 );
    }

    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster 1:24750b9ad5ef 1190
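#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
 * Parse the server's supported_point_formats extension.
 *
 * The payload is a one-byte list length followed by that many format codes.
 * The first entry equal to MBEDTLS_ECP_PF_UNCOMPRESSED or
 * MBEDTLS_ECP_PF_COMPRESSED is stored in the ECDH and/or EC J-PAKE context
 * (depending on the build) and parsing stops.
 *
 * buf/len describe the extension payload, which comes from the peer and is
 * untrusted.
 *
 * Returns 0 when a usable format was found,
 * MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO when the payload is empty, the list
 * length does not match len, or no listed format is recognised.
 */
static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
                                                  const unsigned char *buf,
                                                  size_t len )
{
    size_t list_size;
    const unsigned char *p;

    /*
     * Reject an empty payload before touching buf[0]: with len == 0 there is
     * no length byte to read, and reading it would look one byte past the
     * extension.
     */
    if( len == 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
    }

    /* The declared list length must account for the whole payload. */
    list_size = buf[0];
    if( list_size + 1 != len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
    }

    for( p = buf + 1; list_size > 0; list_size--, p++ )
    {
        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
        {
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
            ssl->handshake->ecdh_ctx.point_format = p[0];
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
            ssl->handshake->ecjpake_ctx.point_format = p[0];
#endif
            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
            return( 0 );
        }
    }

    MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */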
Christopher Haster 1:24750b9ad5ef 1232
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
 * Handle the server's EC J-PAKE key-kp-pair (kkpp) extension.
 *
 * When the ciphersuite under negotiation does not use the EC J-PAKE key
 * exchange the extension is skipped and 0 is returned. Otherwise the cached
 * client-side extension is released and the payload is passed to
 * mbedtls_ecjpake_read_round_one().
 *
 * Returns 0 on success or the error code from
 * mbedtls_ecjpake_read_round_one().
 */
static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
                                   const unsigned char *buf,
                                   size_t len )
{
    int ret;

    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
        return( 0 );
    }

    /*
     * Our cached extension is no longer needed at this point. Clear the
     * pointer and length after freeing so nothing refers to the released
     * buffer.
     */
    mbedtls_free( ssl->handshake->ecjpake_cache );
    ssl->handshake->ecjpake_cache = NULL;
    ssl->handshake->ecjpake_cache_len = 0;

    ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
                                          buf, len );
    if( ret == 0 )
        return( 0 );

    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
    return( ret );
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster 1:24750b9ad5ef 1262
#if defined(MBEDTLS_SSL_ALPN)
/*
 * Parse the server's ALPN extension and record the selected protocol.
 *
 * The reply must contain exactly one protocol name, and that name must be
 * one of the entries in the client's configured alpn_list. On success
 * ssl->alpn_chosen points at the matching entry of that list (not at the
 * received bytes).
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO when the client
 * did not offer ALPN, the encoding is malformed, or the name is not in the
 * client's list.
 */
static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
                               const unsigned char *buf, size_t len )
{
    size_t list_len, name_len;
    const char **candidate;

    /* If we didn't send it, the server shouldn't send it */
    if( ssl->conf->alpn_list == NULL )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );

    /*
     * opaque ProtocolName<1..2^8-1>;
     *
     * struct {
     *     ProtocolName protocol_name_list<2..2^16-1>
     * } ProtocolNameList;
     *
     * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
     */

    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
    if( len < 4 )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );

    /* The outer list length must cover everything after its own 2 bytes. */
    list_len = ( buf[0] << 8 ) | buf[1];
    if( list_len != len - 2 )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );

    /* Exactly one name: its length byte plus the name fill the list. */
    name_len = buf[2];
    if( name_len != list_len - 1 )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );

    /* Check that the server chosen protocol was in our list and save it */
    candidate = ssl->conf->alpn_list;
    while( *candidate != NULL )
    {
        /* Lengths are compared first so memcmp never reads past *candidate. */
        if( name_len == strlen( *candidate ) &&
            memcmp( buf + 3, *candidate, name_len ) == 0 )
        {
            ssl->alpn_chosen = *candidate;
            return( 0 );
        }

        candidate++;
    }

    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
#endif /* MBEDTLS_SSL_ALPN */
Christopher Haster 1:24750b9ad5ef 1310
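/*
 * Parse HelloVerifyRequest. Only called after verifying the HS type.
 *
 * Reads the server version and the cookie from the handshake message in
 * ssl->in_msg, stores a copy of the cookie in ssl->handshake->verify_cookie
 * and resets the state machine to MBEDTLS_SSL_CLIENT_HELLO.
 *
 * The message comes from the peer and is untrusted: both the fixed part
 * (2-byte version + 1-byte cookie length) and the cookie itself are checked
 * against ssl->in_hslen before being read. in_hslen is taken to be the
 * handshake message length including its header, as in the length check in
 * ssl_parse_server_hello().
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO on a truncated
 * message or a cookie length exceeding the message,
 * MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION on an unacceptable version, or
 * MBEDTLS_ERR_SSL_ALLOC_FAILED when the cookie buffer cannot be allocated.
 */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
{
    const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
    int major_ver, minor_ver;
    unsigned char cookie_len;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );

    /*
     * struct {
     *   ProtocolVersion server_version;
     *   opaque cookie<0..2^8-1>;
     * } HelloVerifyRequest;
     */

    /* The fixed part is 2 bytes of version plus 1 byte of cookie length. */
    if( ssl->in_hslen < 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad hello verify request message" ) );

        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );

        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
    }

    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
    mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
    p += 2;

    /*
     * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
     * even if lower than our min version.
     */
    if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
        minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
        major_ver > ssl->conf->max_major_ver  ||
        minor_ver > ssl->conf->max_minor_ver  )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );

        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );

        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
    }

    cookie_len = *p++;

    /*
     * The cookie length is chosen by the peer: make sure that many bytes are
     * really present in the message before logging or copying them. The
     * subtraction cannot wrap thanks to the fixed-part check above.
     */
    if( cookie_len > ssl->in_hslen - mbedtls_ssl_hs_hdr_len( ssl ) - 3 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1,
            ( "cookie length does not match incoming message size" ) );

        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );

        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
    }

    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );

    /*
     * Drop any cookie from a previous HelloVerifyRequest. The length is
     * cleared too, so a failed allocation below does not leave a stale
     * length next to a NULL pointer.
     */
    mbedtls_free( ssl->handshake->verify_cookie );
    ssl->handshake->verify_cookie_len = 0;

    /*
     * NOTE(review): for cookie_len == 0 the result of a zero-size calloc is
     * implementation-defined and may be NULL, which is reported as an
     * allocation failure here (unchanged from the original behaviour).
     */
    ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
    if( ssl->handshake->verify_cookie  == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
    }

    memcpy( ssl->handshake->verify_cookie, p, cookie_len );
    ssl->handshake->verify_cookie_len = cookie_len;

    /* Start over at ClientHello */
    ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
    mbedtls_ssl_reset_checksum( ssl );

    mbedtls_ssl_recv_flight_completed( ssl );

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );

    return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */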
Christopher Haster 1:24750b9ad5ef 1376
Christopher Haster 1:24750b9ad5ef 1377 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
Christopher Haster 1:24750b9ad5ef 1378 {
Christopher Haster 1:24750b9ad5ef 1379 int ret, i;
Christopher Haster 1:24750b9ad5ef 1380 size_t n;
Christopher Haster 1:24750b9ad5ef 1381 size_t ext_len;
Christopher Haster 1:24750b9ad5ef 1382 unsigned char *buf, *ext;
Christopher Haster 1:24750b9ad5ef 1383 unsigned char comp;
Christopher Haster 1:24750b9ad5ef 1384 #if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster 1:24750b9ad5ef 1385 int accept_comp;
Christopher Haster 1:24750b9ad5ef 1386 #endif
Christopher Haster 1:24750b9ad5ef 1387 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 1388 int renegotiation_info_seen = 0;
Christopher Haster 1:24750b9ad5ef 1389 #endif
Christopher Haster 1:24750b9ad5ef 1390 int handshake_failure = 0;
Christopher Haster 1:24750b9ad5ef 1391 const mbedtls_ssl_ciphersuite_t *suite_info;
Christopher Haster 1:24750b9ad5ef 1392 #if defined(MBEDTLS_DEBUG_C)
Christopher Haster 1:24750b9ad5ef 1393 uint32_t t;
Christopher Haster 1:24750b9ad5ef 1394 #endif
Christopher Haster 1:24750b9ad5ef 1395
Christopher Haster 1:24750b9ad5ef 1396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
Christopher Haster 1:24750b9ad5ef 1397
Christopher Haster 1:24750b9ad5ef 1398 buf = ssl->in_msg;
Christopher Haster 1:24750b9ad5ef 1399
Christopher Haster 1:24750b9ad5ef 1400 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1401 {
Christopher Haster 1:24750b9ad5ef 1402 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
Christopher Haster 1:24750b9ad5ef 1403 return( ret );
Christopher Haster 1:24750b9ad5ef 1404 }
Christopher Haster 1:24750b9ad5ef 1405
Christopher Haster 1:24750b9ad5ef 1406 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
Christopher Haster 1:24750b9ad5ef 1407 {
Christopher Haster 1:24750b9ad5ef 1408 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 1409 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
Christopher Haster 1:24750b9ad5ef 1410 {
Christopher Haster 1:24750b9ad5ef 1411 ssl->renego_records_seen++;
Christopher Haster 1:24750b9ad5ef 1412
Christopher Haster 1:24750b9ad5ef 1413 if( ssl->conf->renego_max_records >= 0 &&
Christopher Haster 1:24750b9ad5ef 1414 ssl->renego_records_seen > ssl->conf->renego_max_records )
Christopher Haster 1:24750b9ad5ef 1415 {
Christopher Haster 1:24750b9ad5ef 1416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
Christopher Haster 1:24750b9ad5ef 1417 "but not honored by server" ) );
Christopher Haster 1:24750b9ad5ef 1418 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster 1:24750b9ad5ef 1419 }
Christopher Haster 1:24750b9ad5ef 1420
Christopher Haster 1:24750b9ad5ef 1421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
Christopher Haster 1:24750b9ad5ef 1422 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
Christopher Haster 1:24750b9ad5ef 1423 }
Christopher Haster 1:24750b9ad5ef 1424 #endif /* MBEDTLS_SSL_RENEGOTIATION */
Christopher Haster 1:24750b9ad5ef 1425
Christopher Haster 1:24750b9ad5ef 1426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1427 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
Christopher Haster 1:24750b9ad5ef 1428 }
Christopher Haster 1:24750b9ad5ef 1429
Christopher Haster 1:24750b9ad5ef 1430 #if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster 1:24750b9ad5ef 1431 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster 1:24750b9ad5ef 1432 {
Christopher Haster 1:24750b9ad5ef 1433 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
Christopher Haster 1:24750b9ad5ef 1434 {
Christopher Haster 1:24750b9ad5ef 1435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
Christopher Haster 1:24750b9ad5ef 1436 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Christopher Haster 1:24750b9ad5ef 1437 return( ssl_parse_hello_verify_request( ssl ) );
Christopher Haster 1:24750b9ad5ef 1438 }
Christopher Haster 1:24750b9ad5ef 1439 else
Christopher Haster 1:24750b9ad5ef 1440 {
Christopher Haster 1:24750b9ad5ef 1441 /* We made it through the verification process */
Christopher Haster 1:24750b9ad5ef 1442 mbedtls_free( ssl->handshake->verify_cookie );
Christopher Haster 1:24750b9ad5ef 1443 ssl->handshake->verify_cookie = NULL;
Christopher Haster 1:24750b9ad5ef 1444 ssl->handshake->verify_cookie_len = 0;
Christopher Haster 1:24750b9ad5ef 1445 }
Christopher Haster 1:24750b9ad5ef 1446 }
Christopher Haster 1:24750b9ad5ef 1447 #endif /* MBEDTLS_SSL_PROTO_DTLS */
Christopher Haster 1:24750b9ad5ef 1448
Christopher Haster 1:24750b9ad5ef 1449 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
Christopher Haster 1:24750b9ad5ef 1450 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
Christopher Haster 1:24750b9ad5ef 1451 {
Christopher Haster 1:24750b9ad5ef 1452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1453 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1454 }
Christopher Haster 1:24750b9ad5ef 1455
Christopher Haster 1:24750b9ad5ef 1456 /*
Christopher Haster 1:24750b9ad5ef 1457 * 0 . 1 server_version
Christopher Haster 1:24750b9ad5ef 1458 * 2 . 33 random (maybe including 4 bytes of Unix time)
Christopher Haster 1:24750b9ad5ef 1459 * 34 . 34 session_id length = n
Christopher Haster 1:24750b9ad5ef 1460 * 35 . 34+n session_id
Christopher Haster 1:24750b9ad5ef 1461 * 35+n . 36+n cipher_suite
Christopher Haster 1:24750b9ad5ef 1462 * 37+n . 37+n compression_method
Christopher Haster 1:24750b9ad5ef 1463 *
Christopher Haster 1:24750b9ad5ef 1464 * 38+n . 39+n extensions length (optional)
Christopher Haster 1:24750b9ad5ef 1465 * 40+n . .. extensions
Christopher Haster 1:24750b9ad5ef 1466 */
Christopher Haster 1:24750b9ad5ef 1467 buf += mbedtls_ssl_hs_hdr_len( ssl );
Christopher Haster 1:24750b9ad5ef 1468
Christopher Haster 1:24750b9ad5ef 1469 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
Christopher Haster 1:24750b9ad5ef 1470 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
Christopher Haster 1:24750b9ad5ef 1471 ssl->conf->transport, buf + 0 );
Christopher Haster 1:24750b9ad5ef 1472
Christopher Haster 1:24750b9ad5ef 1473 if( ssl->major_ver < ssl->conf->min_major_ver ||
Christopher Haster 1:24750b9ad5ef 1474 ssl->minor_ver < ssl->conf->min_minor_ver ||
Christopher Haster 1:24750b9ad5ef 1475 ssl->major_ver > ssl->conf->max_major_ver ||
Christopher Haster 1:24750b9ad5ef 1476 ssl->minor_ver > ssl->conf->max_minor_ver )
Christopher Haster 1:24750b9ad5ef 1477 {
Christopher Haster 1:24750b9ad5ef 1478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
Christopher Haster 1:24750b9ad5ef 1479 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
Christopher Haster 1:24750b9ad5ef 1480 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
Christopher Haster 1:24750b9ad5ef 1481 ssl->major_ver, ssl->minor_ver,
Christopher Haster 1:24750b9ad5ef 1482 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
Christopher Haster 1:24750b9ad5ef 1483
Christopher Haster 1:24750b9ad5ef 1484 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
Christopher Haster 1:24750b9ad5ef 1485 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
Christopher Haster 1:24750b9ad5ef 1486
Christopher Haster 1:24750b9ad5ef 1487 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
Christopher Haster 1:24750b9ad5ef 1488 }
Christopher Haster 1:24750b9ad5ef 1489
Christopher Haster 1:24750b9ad5ef 1490 #if defined(MBEDTLS_DEBUG_C)
Christopher Haster 1:24750b9ad5ef 1491 t = ( (uint32_t) buf[2] << 24 )
Christopher Haster 1:24750b9ad5ef 1492 | ( (uint32_t) buf[3] << 16 )
Christopher Haster 1:24750b9ad5ef 1493 | ( (uint32_t) buf[4] << 8 )
Christopher Haster 1:24750b9ad5ef 1494 | ( (uint32_t) buf[5] );
Christopher Haster 1:24750b9ad5ef 1495 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
Christopher Haster 1:24750b9ad5ef 1496 #endif
Christopher Haster 1:24750b9ad5ef 1497
Christopher Haster 1:24750b9ad5ef 1498 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
Christopher Haster 1:24750b9ad5ef 1499
Christopher Haster 1:24750b9ad5ef 1500 n = buf[34];
Christopher Haster 1:24750b9ad5ef 1501
Christopher Haster 1:24750b9ad5ef 1502 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
Christopher Haster 1:24750b9ad5ef 1503
Christopher Haster 1:24750b9ad5ef 1504 if( n > 32 )
Christopher Haster 1:24750b9ad5ef 1505 {
Christopher Haster 1:24750b9ad5ef 1506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1507 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1508 }
Christopher Haster 1:24750b9ad5ef 1509
Christopher Haster 1:24750b9ad5ef 1510 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
Christopher Haster 1:24750b9ad5ef 1511 {
Christopher Haster 1:24750b9ad5ef 1512 ext_len = ( ( buf[38 + n] << 8 )
Christopher Haster 1:24750b9ad5ef 1513 | ( buf[39 + n] ) );
Christopher Haster 1:24750b9ad5ef 1514
Christopher Haster 1:24750b9ad5ef 1515 if( ( ext_len > 0 && ext_len < 4 ) ||
Christopher Haster 1:24750b9ad5ef 1516 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
Christopher Haster 1:24750b9ad5ef 1517 {
Christopher Haster 1:24750b9ad5ef 1518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1519 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1520 }
Christopher Haster 1:24750b9ad5ef 1521 }
Christopher Haster 1:24750b9ad5ef 1522 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
Christopher Haster 1:24750b9ad5ef 1523 {
Christopher Haster 1:24750b9ad5ef 1524 ext_len = 0;
Christopher Haster 1:24750b9ad5ef 1525 }
Christopher Haster 1:24750b9ad5ef 1526 else
Christopher Haster 1:24750b9ad5ef 1527 {
Christopher Haster 1:24750b9ad5ef 1528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1529 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1530 }
Christopher Haster 1:24750b9ad5ef 1531
Christopher Haster 1:24750b9ad5ef 1532 /* ciphersuite (used later) */
Christopher Haster 1:24750b9ad5ef 1533 i = ( buf[35 + n] << 8 ) | buf[36 + n];
Christopher Haster 1:24750b9ad5ef 1534
Christopher Haster 1:24750b9ad5ef 1535 /*
Christopher Haster 1:24750b9ad5ef 1536 * Read and check compression
Christopher Haster 1:24750b9ad5ef 1537 */
Christopher Haster 1:24750b9ad5ef 1538 comp = buf[37 + n];
Christopher Haster 1:24750b9ad5ef 1539
Christopher Haster 1:24750b9ad5ef 1540 #if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster 1:24750b9ad5ef 1541 /* See comments in ssl_write_client_hello() */
Christopher Haster 1:24750b9ad5ef 1542 #if defined(MBEDTLS_SSL_PROTO_DTLS)
Christopher Haster 1:24750b9ad5ef 1543 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
Christopher Haster 1:24750b9ad5ef 1544 accept_comp = 0;
Christopher Haster 1:24750b9ad5ef 1545 else
Christopher Haster 1:24750b9ad5ef 1546 #endif
Christopher Haster 1:24750b9ad5ef 1547 accept_comp = 1;
Christopher Haster 1:24750b9ad5ef 1548
Christopher Haster 1:24750b9ad5ef 1549 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
Christopher Haster 1:24750b9ad5ef 1550 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
Christopher Haster 1:24750b9ad5ef 1551 #else /* MBEDTLS_ZLIB_SUPPORT */
Christopher Haster 1:24750b9ad5ef 1552 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
Christopher Haster 1:24750b9ad5ef 1553 #endif/* MBEDTLS_ZLIB_SUPPORT */
Christopher Haster 1:24750b9ad5ef 1554 {
Christopher Haster 1:24750b9ad5ef 1555 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
Christopher Haster 1:24750b9ad5ef 1556 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
Christopher Haster 1:24750b9ad5ef 1557 }
Christopher Haster 1:24750b9ad5ef 1558
Christopher Haster 1:24750b9ad5ef 1559 /*
Christopher Haster 1:24750b9ad5ef 1560 * Initialize update checksum functions
Christopher Haster 1:24750b9ad5ef 1561 */
Christopher Haster 1:24750b9ad5ef 1562 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
Christopher Haster 1:24750b9ad5ef 1563
Christopher Haster 1:24750b9ad5ef 1564 if( ssl->transform_negotiate->ciphersuite_info == NULL )
Christopher Haster 1:24750b9ad5ef 1565 {
Christopher Haster 1:24750b9ad5ef 1566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
Christopher Haster 1:24750b9ad5ef 1567 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Christopher Haster 1:24750b9ad5ef 1568 }
Christopher Haster 1:24750b9ad5ef 1569
Christopher Haster 1:24750b9ad5ef 1570 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
Christopher Haster 1:24750b9ad5ef 1571
Christopher Haster 1:24750b9ad5ef 1572 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
Christopher Haster 1:24750b9ad5ef 1573 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
Christopher Haster 1:24750b9ad5ef 1574
Christopher Haster 1:24750b9ad5ef 1575 /*
Christopher Haster 1:24750b9ad5ef 1576 * Check if the session can be resumed
Christopher Haster 1:24750b9ad5ef 1577 */
Christopher Haster 1:24750b9ad5ef 1578 if( ssl->handshake->resume == 0 || n == 0 ||
Christopher Haster 1:24750b9ad5ef 1579 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 1580 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
Christopher Haster 1:24750b9ad5ef 1581 #endif
Christopher Haster 1:24750b9ad5ef 1582 ssl->session_negotiate->ciphersuite != i ||
Christopher Haster 1:24750b9ad5ef 1583 ssl->session_negotiate->compression != comp ||
Christopher Haster 1:24750b9ad5ef 1584 ssl->session_negotiate->id_len != n ||
Christopher Haster 1:24750b9ad5ef 1585 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
Christopher Haster 1:24750b9ad5ef 1586 {
Christopher Haster 1:24750b9ad5ef 1587 ssl->state++;
Christopher Haster 1:24750b9ad5ef 1588 ssl->handshake->resume = 0;
Christopher Haster 1:24750b9ad5ef 1589 #if defined(MBEDTLS_HAVE_TIME)
Christopher Haster 1:24750b9ad5ef 1590 ssl->session_negotiate->start = time( NULL );
Christopher Haster 1:24750b9ad5ef 1591 #endif
Christopher Haster 1:24750b9ad5ef 1592 ssl->session_negotiate->ciphersuite = i;
Christopher Haster 1:24750b9ad5ef 1593 ssl->session_negotiate->compression = comp;
Christopher Haster 1:24750b9ad5ef 1594 ssl->session_negotiate->id_len = n;
Christopher Haster 1:24750b9ad5ef 1595 memcpy( ssl->session_negotiate->id, buf + 35, n );
Christopher Haster 1:24750b9ad5ef 1596 }
Christopher Haster 1:24750b9ad5ef 1597 else
Christopher Haster 1:24750b9ad5ef 1598 {
Christopher Haster 1:24750b9ad5ef 1599 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
Christopher Haster 1:24750b9ad5ef 1600
Christopher Haster 1:24750b9ad5ef 1601 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1602 {
Christopher Haster 1:24750b9ad5ef 1603 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
Christopher Haster 1:24750b9ad5ef 1604 return( ret );
Christopher Haster 1:24750b9ad5ef 1605 }
Christopher Haster 1:24750b9ad5ef 1606 }
Christopher Haster 1:24750b9ad5ef 1607
Christopher Haster 1:24750b9ad5ef 1608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
Christopher Haster 1:24750b9ad5ef 1609 ssl->handshake->resume ? "a" : "no" ) );
Christopher Haster 1:24750b9ad5ef 1610
Christopher Haster 1:24750b9ad5ef 1611 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
Christopher Haster 1:24750b9ad5ef 1612 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
Christopher Haster 1:24750b9ad5ef 1613
Christopher Haster 1:24750b9ad5ef 1614 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
Christopher Haster 1:24750b9ad5ef 1615 if( suite_info == NULL
Christopher Haster 1:24750b9ad5ef 1616 #if defined(MBEDTLS_ARC4_C)
Christopher Haster 1:24750b9ad5ef 1617 || ( ssl->conf->arc4_disabled &&
Christopher Haster 1:24750b9ad5ef 1618 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
Christopher Haster 1:24750b9ad5ef 1619 #endif
Christopher Haster 1:24750b9ad5ef 1620 )
Christopher Haster 1:24750b9ad5ef 1621 {
Christopher Haster 1:24750b9ad5ef 1622 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1623 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1624 }
Christopher Haster 1:24750b9ad5ef 1625
Christopher Haster 1:24750b9ad5ef 1626 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
Christopher Haster 1:24750b9ad5ef 1627
Christopher Haster 1:24750b9ad5ef 1628 i = 0;
Christopher Haster 1:24750b9ad5ef 1629 while( 1 )
Christopher Haster 1:24750b9ad5ef 1630 {
Christopher Haster 1:24750b9ad5ef 1631 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
Christopher Haster 1:24750b9ad5ef 1632 {
Christopher Haster 1:24750b9ad5ef 1633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1634 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1635 }
Christopher Haster 1:24750b9ad5ef 1636
Christopher Haster 1:24750b9ad5ef 1637 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
Christopher Haster 1:24750b9ad5ef 1638 ssl->session_negotiate->ciphersuite )
Christopher Haster 1:24750b9ad5ef 1639 {
Christopher Haster 1:24750b9ad5ef 1640 break;
Christopher Haster 1:24750b9ad5ef 1641 }
Christopher Haster 1:24750b9ad5ef 1642 }
Christopher Haster 1:24750b9ad5ef 1643
Christopher Haster 1:24750b9ad5ef 1644 if( comp != MBEDTLS_SSL_COMPRESS_NULL
Christopher Haster 1:24750b9ad5ef 1645 #if defined(MBEDTLS_ZLIB_SUPPORT)
Christopher Haster 1:24750b9ad5ef 1646 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
Christopher Haster 1:24750b9ad5ef 1647 #endif
Christopher Haster 1:24750b9ad5ef 1648 )
Christopher Haster 1:24750b9ad5ef 1649 {
Christopher Haster 1:24750b9ad5ef 1650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1651 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1652 }
Christopher Haster 1:24750b9ad5ef 1653 ssl->session_negotiate->compression = comp;
Christopher Haster 1:24750b9ad5ef 1654
Christopher Haster 1:24750b9ad5ef 1655 ext = buf + 40 + n;
Christopher Haster 1:24750b9ad5ef 1656
Christopher Haster 1:24750b9ad5ef 1657 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
Christopher Haster 1:24750b9ad5ef 1658
Christopher Haster 1:24750b9ad5ef 1659 while( ext_len )
Christopher Haster 1:24750b9ad5ef 1660 {
Christopher Haster 1:24750b9ad5ef 1661 unsigned int ext_id = ( ( ext[0] << 8 )
Christopher Haster 1:24750b9ad5ef 1662 | ( ext[1] ) );
Christopher Haster 1:24750b9ad5ef 1663 unsigned int ext_size = ( ( ext[2] << 8 )
Christopher Haster 1:24750b9ad5ef 1664 | ( ext[3] ) );
Christopher Haster 1:24750b9ad5ef 1665
Christopher Haster 1:24750b9ad5ef 1666 if( ext_size + 4 > ext_len )
Christopher Haster 1:24750b9ad5ef 1667 {
Christopher Haster 1:24750b9ad5ef 1668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1669 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1670 }
Christopher Haster 1:24750b9ad5ef 1671
Christopher Haster 1:24750b9ad5ef 1672 switch( ext_id )
Christopher Haster 1:24750b9ad5ef 1673 {
Christopher Haster 1:24750b9ad5ef 1674 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
Christopher Haster 1:24750b9ad5ef 1675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
Christopher Haster 1:24750b9ad5ef 1676 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 1677 renegotiation_info_seen = 1;
Christopher Haster 1:24750b9ad5ef 1678 #endif
Christopher Haster 1:24750b9ad5ef 1679
Christopher Haster 1:24750b9ad5ef 1680 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
Christopher Haster 1:24750b9ad5ef 1681 ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1682 return( ret );
Christopher Haster 1:24750b9ad5ef 1683
Christopher Haster 1:24750b9ad5ef 1684 break;
Christopher Haster 1:24750b9ad5ef 1685
Christopher Haster 1:24750b9ad5ef 1686 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
Christopher Haster 1:24750b9ad5ef 1687 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
Christopher Haster 1:24750b9ad5ef 1688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
Christopher Haster 1:24750b9ad5ef 1689
Christopher Haster 1:24750b9ad5ef 1690 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
Christopher Haster 1:24750b9ad5ef 1691 ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1692 {
Christopher Haster 1:24750b9ad5ef 1693 return( ret );
Christopher Haster 1:24750b9ad5ef 1694 }
Christopher Haster 1:24750b9ad5ef 1695
Christopher Haster 1:24750b9ad5ef 1696 break;
Christopher Haster 1:24750b9ad5ef 1697 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
Christopher Haster 1:24750b9ad5ef 1698
Christopher Haster 1:24750b9ad5ef 1699 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
Christopher Haster 1:24750b9ad5ef 1700 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
Christopher Haster 1:24750b9ad5ef 1701 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
Christopher Haster 1:24750b9ad5ef 1702
Christopher Haster 1:24750b9ad5ef 1703 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
Christopher Haster 1:24750b9ad5ef 1704 ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1705 {
Christopher Haster 1:24750b9ad5ef 1706 return( ret );
Christopher Haster 1:24750b9ad5ef 1707 }
Christopher Haster 1:24750b9ad5ef 1708
Christopher Haster 1:24750b9ad5ef 1709 break;
Christopher Haster 1:24750b9ad5ef 1710 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
Christopher Haster 1:24750b9ad5ef 1711
Christopher Haster 1:24750b9ad5ef 1712 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
Christopher Haster 1:24750b9ad5ef 1713 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
Christopher Haster 1:24750b9ad5ef 1714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
Christopher Haster 1:24750b9ad5ef 1715
Christopher Haster 1:24750b9ad5ef 1716 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
Christopher Haster 1:24750b9ad5ef 1717 ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1718 {
Christopher Haster 1:24750b9ad5ef 1719 return( ret );
Christopher Haster 1:24750b9ad5ef 1720 }
Christopher Haster 1:24750b9ad5ef 1721
Christopher Haster 1:24750b9ad5ef 1722 break;
Christopher Haster 1:24750b9ad5ef 1723 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
Christopher Haster 1:24750b9ad5ef 1724
Christopher Haster 1:24750b9ad5ef 1725 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
Christopher Haster 1:24750b9ad5ef 1726 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
Christopher Haster 1:24750b9ad5ef 1727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
Christopher Haster 1:24750b9ad5ef 1728
Christopher Haster 1:24750b9ad5ef 1729 if( ( ret = ssl_parse_extended_ms_ext( ssl,
Christopher Haster 1:24750b9ad5ef 1730 ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1731 {
Christopher Haster 1:24750b9ad5ef 1732 return( ret );
Christopher Haster 1:24750b9ad5ef 1733 }
Christopher Haster 1:24750b9ad5ef 1734
Christopher Haster 1:24750b9ad5ef 1735 break;
Christopher Haster 1:24750b9ad5ef 1736 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
Christopher Haster 1:24750b9ad5ef 1737
Christopher Haster 1:24750b9ad5ef 1738 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
Christopher Haster 1:24750b9ad5ef 1739 case MBEDTLS_TLS_EXT_SESSION_TICKET:
Christopher Haster 1:24750b9ad5ef 1740 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
Christopher Haster 1:24750b9ad5ef 1741
Christopher Haster 1:24750b9ad5ef 1742 if( ( ret = ssl_parse_session_ticket_ext( ssl,
Christopher Haster 1:24750b9ad5ef 1743 ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1744 {
Christopher Haster 1:24750b9ad5ef 1745 return( ret );
Christopher Haster 1:24750b9ad5ef 1746 }
Christopher Haster 1:24750b9ad5ef 1747
Christopher Haster 1:24750b9ad5ef 1748 break;
Christopher Haster 1:24750b9ad5ef 1749 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster 1:24750b9ad5ef 1750
Christopher Haster 1:24750b9ad5ef 1751 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
Christopher Haster 1:24750b9ad5ef 1752 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster 1:24750b9ad5ef 1753 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
Christopher Haster 1:24750b9ad5ef 1754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
Christopher Haster 1:24750b9ad5ef 1755
Christopher Haster 1:24750b9ad5ef 1756 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
Christopher Haster 1:24750b9ad5ef 1757 ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1758 {
Christopher Haster 1:24750b9ad5ef 1759 return( ret );
Christopher Haster 1:24750b9ad5ef 1760 }
Christopher Haster 1:24750b9ad5ef 1761
Christopher Haster 1:24750b9ad5ef 1762 break;
Christopher Haster 1:24750b9ad5ef 1763 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
Christopher Haster 1:24750b9ad5ef 1764 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster 1:24750b9ad5ef 1765
Christopher Haster 1:24750b9ad5ef 1766 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
Christopher Haster 1:24750b9ad5ef 1767 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
Christopher Haster 1:24750b9ad5ef 1768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
Christopher Haster 1:24750b9ad5ef 1769
Christopher Haster 1:24750b9ad5ef 1770 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
Christopher Haster 1:24750b9ad5ef 1771 ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1772 {
Christopher Haster 1:24750b9ad5ef 1773 return( ret );
Christopher Haster 1:24750b9ad5ef 1774 }
Christopher Haster 1:24750b9ad5ef 1775
Christopher Haster 1:24750b9ad5ef 1776 break;
Christopher Haster 1:24750b9ad5ef 1777 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
Christopher Haster 1:24750b9ad5ef 1778
Christopher Haster 1:24750b9ad5ef 1779 #if defined(MBEDTLS_SSL_ALPN)
Christopher Haster 1:24750b9ad5ef 1780 case MBEDTLS_TLS_EXT_ALPN:
Christopher Haster 1:24750b9ad5ef 1781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
Christopher Haster 1:24750b9ad5ef 1782
Christopher Haster 1:24750b9ad5ef 1783 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1784 return( ret );
Christopher Haster 1:24750b9ad5ef 1785
Christopher Haster 1:24750b9ad5ef 1786 break;
Christopher Haster 1:24750b9ad5ef 1787 #endif /* MBEDTLS_SSL_ALPN */
Christopher Haster 1:24750b9ad5ef 1788
Christopher Haster 1:24750b9ad5ef 1789 default:
Christopher Haster 1:24750b9ad5ef 1790 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
Christopher Haster 1:24750b9ad5ef 1791 ext_id ) );
Christopher Haster 1:24750b9ad5ef 1792 }
Christopher Haster 1:24750b9ad5ef 1793
Christopher Haster 1:24750b9ad5ef 1794 ext_len -= 4 + ext_size;
Christopher Haster 1:24750b9ad5ef 1795 ext += 4 + ext_size;
Christopher Haster 1:24750b9ad5ef 1796
Christopher Haster 1:24750b9ad5ef 1797 if( ext_len > 0 && ext_len < 4 )
Christopher Haster 1:24750b9ad5ef 1798 {
Christopher Haster 1:24750b9ad5ef 1799 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
Christopher Haster 1:24750b9ad5ef 1800 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1801 }
Christopher Haster 1:24750b9ad5ef 1802 }
Christopher Haster 1:24750b9ad5ef 1803
Christopher Haster 1:24750b9ad5ef 1804 /*
Christopher Haster 1:24750b9ad5ef 1805 * Renegotiation security checks
Christopher Haster 1:24750b9ad5ef 1806 */
Christopher Haster 1:24750b9ad5ef 1807 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Christopher Haster 1:24750b9ad5ef 1808 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
Christopher Haster 1:24750b9ad5ef 1809 {
Christopher Haster 1:24750b9ad5ef 1810 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
Christopher Haster 1:24750b9ad5ef 1811 handshake_failure = 1;
Christopher Haster 1:24750b9ad5ef 1812 }
Christopher Haster 1:24750b9ad5ef 1813 #if defined(MBEDTLS_SSL_RENEGOTIATION)
Christopher Haster 1:24750b9ad5ef 1814 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Christopher Haster 1:24750b9ad5ef 1815 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
Christopher Haster 1:24750b9ad5ef 1816 renegotiation_info_seen == 0 )
Christopher Haster 1:24750b9ad5ef 1817 {
Christopher Haster 1:24750b9ad5ef 1818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
Christopher Haster 1:24750b9ad5ef 1819 handshake_failure = 1;
Christopher Haster 1:24750b9ad5ef 1820 }
Christopher Haster 1:24750b9ad5ef 1821 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Christopher Haster 1:24750b9ad5ef 1822 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Christopher Haster 1:24750b9ad5ef 1823 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
Christopher Haster 1:24750b9ad5ef 1824 {
Christopher Haster 1:24750b9ad5ef 1825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
Christopher Haster 1:24750b9ad5ef 1826 handshake_failure = 1;
Christopher Haster 1:24750b9ad5ef 1827 }
Christopher Haster 1:24750b9ad5ef 1828 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
Christopher Haster 1:24750b9ad5ef 1829 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
Christopher Haster 1:24750b9ad5ef 1830 renegotiation_info_seen == 1 )
Christopher Haster 1:24750b9ad5ef 1831 {
Christopher Haster 1:24750b9ad5ef 1832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
Christopher Haster 1:24750b9ad5ef 1833 handshake_failure = 1;
Christopher Haster 1:24750b9ad5ef 1834 }
Christopher Haster 1:24750b9ad5ef 1835 #endif /* MBEDTLS_SSL_RENEGOTIATION */
Christopher Haster 1:24750b9ad5ef 1836
Christopher Haster 1:24750b9ad5ef 1837 if( handshake_failure == 1 )
Christopher Haster 1:24750b9ad5ef 1838 {
Christopher Haster 1:24750b9ad5ef 1839 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 1840 return( ret );
Christopher Haster 1:24750b9ad5ef 1841
Christopher Haster 1:24750b9ad5ef 1842 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
Christopher Haster 1:24750b9ad5ef 1843 }
Christopher Haster 1:24750b9ad5ef 1844
Christopher Haster 1:24750b9ad5ef 1845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
Christopher Haster 1:24750b9ad5ef 1846
Christopher Haster 1:24750b9ad5ef 1847 return( 0 );
Christopher Haster 1:24750b9ad5ef 1848 }
Christopher Haster 1:24750b9ad5ef 1849
Christopher Haster 1:24750b9ad5ef 1850 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1851 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
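/*
 * Parse the ServerDHParams part of a ServerKeyExchange message.
 *
 * ssl  SSL context; the parameters are read into ssl->handshake->dhm_ctx
 * p    cursor into the message, passed through to mbedtls_dhm_read_params()
 *      (presumably advanced past the parameters by that call)
 * end  end of the readable data
 *
 * Returns 0 on success, the error code of mbedtls_dhm_read_params(), or
 * MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE when the group offered by the
 * server is smaller than ssl->conf->dhm_min_bitlen.
 */
static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
                                       unsigned char *end )
{
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

    /*
     * Ephemeral DH parameters:
     *
     * struct {
     *     opaque dh_p<1..2^16-1>;
     *     opaque dh_g<1..2^16-1>;
     *     opaque dh_Ys<1..2^16-1>;
     * } ServerDHParams;
     */
    if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
        return( ret );
    }

    /*
     * Enforce the configured minimum group size: the parameters come from
     * the peer, and this is the only size check in this function.
     *
     * NOTE(review): dhm_ctx.len looks like the size of P in bytes, so
     * len * 8 rounds the size up to a whole byte and a prime up to 7 bits
     * below dhm_min_bitlen would still pass. Consider comparing the exact
     * bit length of dhm_ctx.P instead - confirm against the DHM module.
     */
    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
    {
        /* The format uses %d, so pass ints whatever the operand types are. */
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
                                    (int) ( ssl->handshake->dhm_ctx.len * 8 ),
                                    (int) ssl->conf->dhm_min_bitlen ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );

    /* ret is 0 here: the read succeeded and the size check passed. */
    return( ret );
}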
Christopher Haster 1:24750b9ad5ef 1886 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 1887 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
Christopher Haster 1:24750b9ad5ef 1888
Christopher Haster 1:24750b9ad5ef 1889 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1890 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1891 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1892 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1893 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
/*
 * Check that the curve held in ssl->handshake->ecdh_ctx is one this client
 * accepts.
 *
 * Returns 0 when the curve is accepted, MBEDTLS_ERR_SSL_INTERNAL_ERROR when
 * no curve info exists for the group id, and -1 when the curve is rejected
 * (by mbedtls_ssl_check_curve() if MBEDTLS_ECP_C is defined, otherwise by
 * the 163..521 bit range check).
 */
static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
{
    const mbedtls_ecp_curve_info *info =
        mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );

    if( info == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", info->name ) );

    /* The curve was chosen by the peer: reject it unless it is acceptable. */
#if defined(MBEDTLS_ECP_C)
    if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
#else
    if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
        ssl->handshake->ecdh_ctx.grp.nbits > 521 )
#endif
    {
        return( -1 );
    }

    MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );

    return( 0 );
}
Christopher Haster 1:24750b9ad5ef 1919 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 1920 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 1921 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
Christopher Haster 1:24750b9ad5ef 1922 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 1923 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Christopher Haster 1:24750b9ad5ef 1924
Christopher Haster 1:24750b9ad5ef 1925 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1926 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1927 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
/*
 * Parse the ServerECDHParams part of a ServerKeyExchange message and check
 * the curve it selects.
 *
 * ssl  SSL context; the parameters are read into ssl->handshake->ecdh_ctx
 * p    cursor into the message, passed through to mbedtls_ecdh_read_params()
 * end  end of the readable data
 *
 * Returns 0 on success, the error code of mbedtls_ecdh_read_params(), or
 * MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE when
 * ssl_check_server_ecdh_params() rejects the curve.
 */
static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
                                         unsigned char **p,
                                         unsigned char *end )
{
    int rc;

    /*
     * Ephemeral ECDH parameters:
     *
     * struct {
     *     ECParameters curve_params;
     *     ECPoint      public;
     * } ServerECDHParams;
     */
    rc = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
                                   (const unsigned char **) p, end );
    if( rc != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), rc );
        return( rc );
    }

    /* Parsing succeeded; the curve must still pass the local check. */
    if( ssl_check_server_ecdh_params( ssl ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

    return( 0 );
}
Christopher Haster 1:24750b9ad5ef 1957 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 1958 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 1959 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
Christopher Haster 1:24750b9ad5ef 1960
Christopher Haster 1:24750b9ad5ef 1961 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
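/*
 * Skip over the psk_identity_hint field of a ServerKeyExchange message.
 *
 * ssl  SSL context (only referenced by the debug macro)
 * p    in/out cursor into the message; on success it is advanced past the
 *      two length bytes and the hint itself
 * end  end of the readable data
 *
 * Returns 0 on success, or MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE when
 * the length bytes or the hint they announce do not fit before end.
 *
 * The hint is not stored or passed to the application (see the TODO below).
 */
static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
                                      unsigned char **p,
                                      unsigned char *end )
{
    size_t len;
    ((void) ssl);

    /*
     * PSK parameters:
     *
     * opaque psk_identity_hint<0..2^16-1>;
     */

    /*
     * The two length bytes come from the peer and must lie inside the
     * message before they are read; the signed comparison also rejects a
     * cursor that is already past end.
     */
    if( end - (*p) < 2 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

    len = (size_t)( (*p)[0] << 8 | (*p)[1] );
    *p += 2;

    /*
     * Compare the announced length with the bytes that remain rather than
     * forming (*p) + len, which could point outside the buffer.
     */
    if( len > (size_t)( end - (*p) ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

    // TODO: Retrieve PSK identity hint and callback to app
    //
    *p += len;

    return( 0 );
}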
Christopher Haster 1:24750b9ad5ef 1991 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
Christopher Haster 1:24750b9ad5ef 1992
Christopher Haster 1:24750b9ad5ef 1993 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 1994 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
/*
 * Generate a pre-master secret and encrypt it with the server's RSA key.
 *
 * The 48-byte secret (2 bytes of client version followed by 46 random
 * bytes) is written into ssl->handshake->premaster at pms_offset, and its
 * encryption is written into ssl->out_msg at offset.
 *
 * ssl         SSL context; reads conf (RNG, max version, transport) and
 *             session_negotiate->peer_cert, writes handshake->premaster,
 *             handshake->pmslen and out_msg
 * offset      position in ssl->out_msg where the encrypted field starts
 * olen        receives the number of bytes written at offset, including
 *             the 2-byte length prefix when one is emitted
 * pms_offset  position in handshake->premaster where the secret is built
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL,
 * MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE (no peer certificate),
 * MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH (key cannot do RSA), or whatever the
 * RNG callback or mbedtls_pk_encrypt() returned.
 *
 * NOTE(review): pms_offset + 48 is not checked against the size of the
 * premaster buffer in this function; presumably every caller guarantees
 * it -- confirm.
 */
static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
                                    size_t offset, size_t *olen,
                                    size_t pms_offset )
{
    int rc;
    size_t len_bytes;
    unsigned char *pms;

    /* No length prefix is written for MBEDTLS_SSL_MINOR_VERSION_0 */
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
        len_bytes = 0;
    else
        len_bytes = 2;

    pms = ssl->handshake->premaster + pms_offset;

    if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
    }

    /*
     * Generate (part of) the pre-master as
     *  struct {
     *      ProtocolVersion client_version;
     *      opaque random[46];
     *  } PreMasterSecret;
     */
    mbedtls_ssl_write_version( ssl->conf->max_major_ver,
                               ssl->conf->max_minor_ver,
                               ssl->conf->transport, pms );

    rc = ssl->conf->f_rng( ssl->conf->p_rng, pms + 2, 46 );
    if( rc != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", rc );
        return( rc );
    }

    ssl->handshake->pmslen = 48;

    /* Encryption needs the server's public key from its certificate */
    if( ssl->session_negotiate->peer_cert == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
    }

    /*
     * Now write it out, encrypted
     */
    if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
                           MBEDTLS_PK_RSA ) == 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
    }

    /* Ciphertext goes after the (optional) length prefix; the output bound
     * is what remains of the content buffer from that position. */
    rc = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
                             pms, ssl->handshake->pmslen,
                             ssl->out_msg + offset + len_bytes, olen,
                             MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
                             ssl->conf->f_rng, ssl->conf->p_rng );
    if( rc != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", rc );
        return( rc );
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( len_bytes == 2 )
    {
        /* Big-endian ciphertext length, then account for it in *olen */
        ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
        ssl->out_msg[offset+1] = (unsigned char)( *olen      );
        *olen += 2;
    }
#endif

    return( 0 );
}
Christopher Haster 1:24750b9ad5ef 2068 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 2069 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
Christopher Haster 1:24750b9ad5ef 2070
Christopher Haster 1:24750b9ad5ef 2071 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
Christopher Haster 1:24750b9ad5ef 2072 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 2073 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 2074 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
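/*
 * Parse the hash and signature algorithm identifiers that precede the
 * signature in a TLS 1.2 ServerKeyExchange.
 *
 * ssl     SSL context; minor_ver selects whether anything is parsed
 * p       in/out cursor into the message; advanced by 2 on success
 * end     one past the last byte of the message
 * md_alg  receives the hash algorithm (MBEDTLS_MD_NONE if not TLS 1.2)
 * pk_alg  receives the signature algorithm (MBEDTLS_PK_NONE if not TLS 1.2)
 *
 * Returns 0 on success (including the non-TLS-1.2 case, where nothing is
 * consumed), or MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE when the two
 * bytes are missing, name an unsupported algorithm, or name a hash that
 * mbedtls_ssl_check_sig_hash() rejects.
 */
static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
                                          unsigned char **p,
                                          unsigned char *end,
                                          mbedtls_md_type_t *md_alg,
                                          mbedtls_pk_type_t *pk_alg )
{
    *md_alg = MBEDTLS_MD_NONE;
    *pk_alg = MBEDTLS_PK_NONE;

    /* Only in TLS 1.2 */
    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
    {
        return( 0 );
    }

    /*
     * Both identifier bytes must be present. Compare the remaining length
     * instead of forming *p + 2, which would itself be an out-of-bounds
     * pointer when fewer than two bytes are left.
     */
    if( end - (*p) < 2 )
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );

    /*
     * Get hash algorithm
     */
    if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported "
                            "HashAlgorithm %d", (*p)[0] ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

    /*
     * Get signature algorithm
     */
    if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported "
                            "SignatureAlgorithm %d", (*p)[1] ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

    /*
     * Check if the hash is acceptable: a hash the library supports is
     * still refused unless mbedtls_ssl_check_sig_hash() accepts it for
     * this connection.
     */
    if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm "
                                    "that was not offered" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
    *p += 2;

    return( 0 );
}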
Christopher Haster 1:24750b9ad5ef 2130 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 2131 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 2132 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Christopher Haster 1:24750b9ad5ef 2133 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
Christopher Haster 1:24750b9ad5ef 2134
Christopher Haster 1:24750b9ad5ef 2135 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
Christopher Haster 1:24750b9ad5ef 2136 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
/*
 * Load the server's ECDH public parameters from its certificate into the
 * handshake ECDH context (used for the static ECDH key exchanges, where
 * the key comes from the certificate rather than a ServerKeyExchange).
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE when no peer
 * certificate is available, MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH when the
 * certificate key is not an EC key, the error from
 * mbedtls_ecdh_get_params(), or MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE when
 * ssl_check_server_ecdh_params() rejects the parameters.
 */
static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
{
    int rc;
    const mbedtls_ecp_keypair *srv_key;

    if( ssl->session_negotiate->peer_cert == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
    }

    /* The key type is checked before the key is accessed as an EC key */
    if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
                           MBEDTLS_PK_ECKEY ) == 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
    }

    srv_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );

    rc = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, srv_key,
                                  MBEDTLS_ECDH_THEIRS );
    if( rc != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), rc );
        return( rc );
    }

    /* The parameters taken from the certificate still have to pass the
     * client's own check before they are used */
    if( ssl_check_server_ecdh_params( ssl ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
    }

    /* rc is 0 here: every non-zero value returned above */
    return( rc );
}
Christopher Haster 1:24750b9ad5ef 2172 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
Christopher Haster 1:24750b9ad5ef 2173 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
Christopher Haster 1:24750b9ad5ef 2174
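/*
 * Read and process the server's ServerKeyExchange handshake message.
 *
 * Depending on the negotiated key exchange this function:
 *  - RSA: expects no message and only advances the handshake state;
 *  - ECDH-RSA / ECDH-ECDSA: takes the ECDH parameters from the server
 *    certificate instead of reading a message;
 *  - PSK / RSA-PSK: accepts that the message is absent (the record that
 *    was read is then kept for the next state via ssl->record_read);
 *  - otherwise parses the PSK identity hint, DH, ECDH or EC J-PAKE
 *    parameters, and for DHE-RSA / ECDHE-RSA / ECDHE-ECDSA verifies the
 *    server's signature over client random, server random and the
 *    parameters using the key from the peer certificate.
 *
 * Everything between p and end comes from the peer and is untrusted; each
 * length field is checked against end before it is used.
 *
 * Returns 0 on success (ssl->state advanced by one), or
 * MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE, MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE,
 * MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH, MBEDTLS_ERR_SSL_INTERNAL_ERROR, or an
 * error passed up from mbedtls_ssl_read_record(),
 * ssl_get_ecdh_params_from_cert(), mbedtls_md_setup() or
 * mbedtls_pk_verify().
 */
static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
{
    int ret;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    unsigned char *p, *end;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );

#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
        ssl->state++;
        return( 0 );
    }
    ((void) p);
    ((void) end);
#endif

#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
    {
        if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
            return( ret );
        }

        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
        ssl->state++;
        return( 0 );
    }
    ((void) p);
    ((void) end);
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */

    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
        return( ret );
    }

    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
    }

    /*
     * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
     * doesn't use a psk_identity_hint
     */
    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
    {
        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
        {
            /* Keep the record that was just read for the next state */
            ssl->record_read = 1;
            goto exit;
        }

        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
    }

    /* p walks the message body; end is one past its last byte */
    p   = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
    end = ssl->in_msg + ssl->in_hslen;
    MBEDTLS_SSL_DEBUG_BUF( 3,   "server key exchange", p, end - p );

#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
    {
        /* NOTE(review): confirm that ssl_parse_server_psk_hint() verifies
         * at least two bytes remain before end before it reads the hint
         * length from *p. */
        if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
        }
    } /* FALLTHROUGH */
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */

#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                       \
    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
        ; /* nothing more to do */
    else
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
    {
        if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
    {
        if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
    {
        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
                                              p, end - p );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
    {
        size_t sig_len, hashlen;
        unsigned char hash[64];
        mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
        mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
        /* The signed data is the parameter block just parsed: from the
         * start of the message body up to the current cursor */
        unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
        size_t params_len = p - params;

        /*
         * Handle the digitally-signed structure
         */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
        {
            if( ssl_parse_signature_algorithm( ssl, &p, end,
                                               &md_alg, &pk_alg ) != 0 )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
            }

            /* The signature type the server announces must be the one the
             * negotiated ciphersuite calls for */
            if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
            }
        }
        else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_1)
        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
        {
            pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );

            /* Default hash for ECDSA is SHA-1 */
            if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
                md_alg = MBEDTLS_MD_SHA1;
        }
        else
#endif
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
        }

        /*
         * Read signature
         *
         * The two-byte length prefix must lie inside the message before it
         * is dereferenced; a message truncated right after the parameters
         * would otherwise cause a read past end.
         */
        if( end - p < 2 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
        }

        sig_len = ( p[0] << 8 ) | p[1];
        p += 2;

        /* The signature must fill the rest of the message exactly. Compare
         * lengths rather than forming p + sig_len, which could point far
         * beyond the buffer for an attacker-chosen sig_len. */
        if( (size_t)( end - p ) != sig_len )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
        }

        MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );

        /*
         * Compute the hash that has been signed
         */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_1)
        if( md_alg == MBEDTLS_MD_NONE )
        {
            mbedtls_md5_context mbedtls_md5;
            mbedtls_sha1_context mbedtls_sha1;

            mbedtls_md5_init(  &mbedtls_md5  );
            mbedtls_sha1_init( &mbedtls_sha1 );

            /* 16 bytes of MD5 followed by 20 bytes of SHA-1 */
            hashlen = 36;

            /*
             * digitally-signed struct {
             *     opaque md5_hash[16];
             *     opaque sha_hash[20];
             * };
             *
             * md5_hash
             *     MD5(ClientHello.random + ServerHello.random
             *                            + ServerParams);
             * sha_hash
             *     SHA(ClientHello.random + ServerHello.random
             *                            + ServerParams);
             */
            mbedtls_md5_starts( &mbedtls_md5 );
            mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
            mbedtls_md5_update( &mbedtls_md5, params, params_len );
            mbedtls_md5_finish( &mbedtls_md5, hash );

            mbedtls_sha1_starts( &mbedtls_sha1 );
            mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
            mbedtls_sha1_update( &mbedtls_sha1, params, params_len );
            mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );

            mbedtls_md5_free(  &mbedtls_md5  );
            mbedtls_sha1_free( &mbedtls_sha1 );
        }
        else
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
          MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_2)
        if( md_alg != MBEDTLS_MD_NONE )
        {
            mbedtls_md_context_t ctx;

            mbedtls_md_init( &ctx );

            /* Info from md_alg will be used instead */
            hashlen = 0;

            /*
             * digitally-signed struct {
             *     opaque client_random[32];
             *     opaque server_random[32];
             *     ServerDHParams params;
             * };
             */
            if( ( ret = mbedtls_md_setup( &ctx,
                                     mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 )
            {
                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
                return( ret );
            }

            mbedtls_md_starts( &ctx );
            mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
            mbedtls_md_update( &ctx, params, params_len );
            mbedtls_md_finish( &ctx, hash );
            mbedtls_md_free( &ctx );
        }
        else
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
          MBEDTLS_SSL_PROTO_TLS1_2 */
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
        }

        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
            (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );

        /* The signature can only be checked against a server certificate */
        if( ssl->session_negotiate->peer_cert == NULL )
        {
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
        }

        /*
         * Verify signature
         */
        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
            return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
        }

        if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
                               md_alg, hash, hashlen, p, sig_len ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
            return( ret );
        }
    }
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */

exit:
    ssl->state++;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );

    return( 0 );
}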
Christopher Haster 1:24750b9ad5ef 2503
Christopher Haster 1:24750b9ad5ef 2504 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
Christopher Haster 1:24750b9ad5ef 2505 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Christopher Haster 1:24750b9ad5ef 2506 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
Christopher Haster 1:24750b9ad5ef 2507 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
/*
 * CertificateRequest handler for builds in which none of the RSA, DHE-RSA,
 * ECDHE-RSA or ECDHE-ECDSA key exchanges is compiled in (see the enclosing
 * #if). No certificate request is parsed here: for the PSK-family and
 * EC J-PAKE key exchanges the state is simply advanced.
 *
 * Returns 0 after skipping, or MBEDTLS_ERR_SSL_INTERNAL_ERROR for any other
 * key exchange type.
 */
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
{
    const mbedtls_ssl_ciphersuite_t *suite = ssl->transform_negotiate->ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );

    switch( suite->key_exchange )
    {
        case MBEDTLS_KEY_EXCHANGE_PSK:
        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
            /* Nothing to parse for these key exchanges: move to next state. */
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
            ssl->state++;
            return( 0 );

        default:
            break;
    }

    /* Any other key exchange type is rejected as an internal error. */
    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
Christopher Haster 1:24750b9ad5ef 2528 #else
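/*
 * Parse an optional CertificateRequest handshake message from the server.
 *
 * For the PSK-family and EC J-PAKE key exchanges the message is skipped and
 * only the state is advanced. Otherwise the next record is read (unless
 * ssl->record_read says it is already available) and, if it is a
 * CertificateRequest, ssl->client_auth is set and the body is validated:
 *
 *   - certificate_types: the first type matching our own key is stored in
 *     ssl->handshake->cert_type;
 *   - supported_signature_algorithms (TLS 1.2 only): length-checked, ignored;
 *   - certificate_authorities: length-checked, ignored.
 *
 * Every length field comes from the peer, so each one is checked against
 * ssl->in_hslen BEFORE the bytes it governs (or the next length field) are
 * read. The final check requires the three fields to account for the whole
 * message exactly.
 *
 * Returns 0 on success (including "no certificate request"),
 * the error from mbedtls_ssl_read_record(), MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
 * for a non-handshake record, or MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
 * for a malformed message.
 */
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
{
    int ret;
    unsigned char *buf, *p;
    size_t n = 0, m = 0;
    size_t cert_type_len = 0, dn_len = 0;
    size_t hs_hdr_len;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );

    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
        ssl->state++;
        return( 0 );
    }

    if( ssl->record_read == 0 )
    {
        if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
            return( ret );
        }

        if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
        }

        /* Keep the record marked as read: if it is not a CertificateRequest
         * it is left for the next handler instead of being fetched again. */
        ssl->record_read = 1;
    }

    ssl->client_auth = 0;
    ssl->state++;

    if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST )
        ssl->client_auth++;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
                        ssl->client_auth ? "a" : "no" ) );

    if( ssl->client_auth == 0 )
        goto exit;

    /* The record is consumed here, so the next handler must read a new one. */
    ssl->record_read = 0;

    // TODO: handshake_failure alert for an anonymous server to request
    // client authentication

    /*
     *  struct {
     *      ClientCertificateType certificate_types<1..2^8-1>;
     *      SignatureAndHashAlgorithm
     *        supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
     *      DistinguishedName certificate_authorities<0..2^16-1>;
     *  } CertificateRequest;
     */
    buf = ssl->in_msg;
    hs_hdr_len = mbedtls_ssl_hs_hdr_len( ssl );

    /* The one-byte certificate_types length must lie inside the message
     * before it is read. */
    if( ssl->in_hslen <= hs_hdr_len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
    }

    // Retrieve cert types
    //
    cert_type_len = buf[hs_hdr_len];
    n = cert_type_len;

    if( ssl->in_hslen < hs_hdr_len + 2 + n )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
    }

    p = buf + hs_hdr_len + 1;
    while( cert_type_len > 0 )
    {
#if defined(MBEDTLS_RSA_C)
        if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN &&
            mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
        {
            ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
            break;
        }
        else
#endif
#if defined(MBEDTLS_ECDSA_C)
        if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN &&
            mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
        {
            ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
            break;
        }
        else
#endif
        {
            ; /* Unsupported cert type, ignore */
        }

        cert_type_len--;
        p++;
    }

#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
    {
        size_t sig_alg_len;

        /* The two-byte length at offsets +1+n and +2+n must be inside the
         * message; the check above only guarantees the first of them. */
        if( ssl->in_hslen < hs_hdr_len + 3 + n )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
        }

        /* Ignored, see comments about hash in write_certificate_verify */
        // TODO: should check the signature part against our pk_key though
        sig_alg_len = ( ( buf[hs_hdr_len + 1 + n] <<  8 )
                      | ( buf[hs_hdr_len + 2 + n]       ) );

        m += 2;
        n += sig_alg_len;

        if( ssl->in_hslen < hs_hdr_len + 2 + n )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
        }
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

    /* The two-byte certificate_authorities length sits at offsets +1+m+n and
     * +2+m+n; reject the message if it ends before them. */
    if( ssl->in_hslen < hs_hdr_len + 3 + m + n )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
    }

    /* Ignore certificate_authorities, we only have one cert anyway */
    // TODO: should not send cert if no CA matches
    dn_len = ( ( buf[hs_hdr_len + 1 + m + n] <<  8 )
             | ( buf[hs_hdr_len + 2 + m + n]       ) );

    n += dn_len;
    /* All fields together must account for the whole message, no more and
     * no less. */
    if( ssl->in_hslen != hs_hdr_len + 3 + m + n )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
    }

exit:
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );

    return( 0 );
}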
Christopher Haster 1:24750b9ad5ef 2670 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
Christopher Haster 1:24750b9ad5ef 2671 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Christopher Haster 1:24750b9ad5ef 2672 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
Christopher Haster 1:24750b9ad5ef 2673 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Christopher Haster 1:24750b9ad5ef 2674
/*
 * Consume the ServerHelloDone handshake message.
 *
 * Reads a record unless ssl->record_read is non-zero, clears that flag, and
 * accepts the message only if its handshake length equals the handshake
 * header length (i.e. the body is empty) and its type byte is
 * MBEDTLS_SSL_HS_SERVER_HELLO_DONE. On success the state is advanced and,
 * for datagram transport, the received flight is marked completed.
 *
 * Returns 0 on success, the error from mbedtls_ssl_read_record(),
 * MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE for a non-handshake record, or
 * MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE for a malformed message.
 */
static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
{
    int ret;
    int well_formed;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );

    /* Only fetch a record when none is pending from an earlier step. */
    if( ssl->record_read == 0 )
    {
        ret = mbedtls_ssl_read_record( ssl );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
            return( ret );
        }

        if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
        }
    }
    ssl->record_read = 0;

    /* Header only (no body) and the expected handshake type. */
    well_formed = ( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) &&
                    ssl->in_msg[0] == MBEDTLS_SSL_HS_SERVER_HELLO_DONE );
    if( ! well_formed )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
    }

    ssl->state++;

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
    {
        mbedtls_ssl_recv_flight_completed( ssl );
    }
#endif

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );

    return( 0 );
}
Christopher Haster 1:24750b9ad5ef 2715
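/*
 * Build and send the ClientKeyExchange handshake message and compute the
 * premaster secret for the negotiated key exchange.
 *
 * The message body is written into ssl->out_msg starting at offset 4; `i`
 * tracks the offset of the key-exchange payload and `n` its length, so the
 * final message length is i + n. Which branch runs depends on
 * ciphersuite_info->key_exchange and on the key exchanges compiled in:
 *
 *   - DHE-RSA:            2-byte length + DHM public value
 *   - ECDH(E)-RSA/ECDSA:  ECDH public value
 *   - *-PSK:              2-byte length + psk_identity, followed by nothing
 *                         (PSK), an encrypted premaster (RSA-PSK), a DHM
 *                         public value (DHE-PSK) or an ECDH public value
 *                         (ECDHE-PSK)
 *   - RSA:                encrypted premaster
 *   - EC J-PAKE:          round-two message
 *
 * Every write into ssl->out_msg is bounded by MBEDTLS_SSL_MAX_CONTENT_LEN,
 * either by an explicit check or by the capacity passed to the callee.
 *
 * NOTE(review): the level-3 MBEDTLS_SSL_DEBUG_MPI calls below are handed
 * dhm_ctx.X, dhm_ctx.K and ecdh_ctx.z, which look like the private exponent
 * and the shared secrets. If debug output is enabled, the debug sink has to
 * be treated as holding key material.
 *
 * Returns 0 on success, the error of the failing crypto/record call,
 * MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED when no PSK is configured,
 * MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL when the payload does not fit, or
 * MBEDTLS_ERR_SSL_INTERNAL_ERROR for an unsupported key exchange.
 */
static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
{
    int ret;
    size_t i, n;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );

#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
    {
        /*
         * DHM key exchange -- send G^X mod P
         */
        i = 4;
        n = ssl->handshake->dhm_ctx.len;

        /* Same bound as the DHE-PSK branch: n is presumably derived from the
         * peer's DH parameters, so check it before writing n bytes. */
        if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM size too long"
                                        " or SSL buffer too short" ) );
            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
        }

        ssl->out_msg[i++] = (unsigned char)( n >> 8 );
        ssl->out_msg[i++] = (unsigned char)( n      );

        ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
                                (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
                               &ssl->out_msg[i], n,
                                ssl->conf->f_rng, ssl->conf->p_rng );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
            return( ret );
        }

        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );

        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
                                      ssl->handshake->premaster,
                                      MBEDTLS_PREMASTER_SIZE,
                                     &ssl->handshake->pmslen,
                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
            return( ret );
        }

        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
    {
        /*
         * ECDH key exchange -- send client public value
         */
        i = 4;

        /* Pass the real remaining capacity rather than a fixed constant, as
         * the ECDHE-PSK branch does, so the bound follows the configured
         * MBEDTLS_SSL_MAX_CONTENT_LEN. */
        ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
                                &n,
                                &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
                                ssl->conf->f_rng, ssl->conf->p_rng );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
            return( ret );
        }

        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );

        /* NOTE(review): the capacity given for ssl->handshake->premaster is
         * MBEDTLS_MPI_MAX_SIZE here but MBEDTLS_PREMASTER_SIZE in the DHM
         * branch; confirm the buffer is at least MBEDTLS_MPI_MAX_SIZE. */
        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
                                      &ssl->handshake->pmslen,
                                       ssl->handshake->premaster,
                                       MBEDTLS_MPI_MAX_SIZE,
                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
            return( ret );
        }

        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
    {
        /*
         * opaque psk_identity<0..2^16-1>;
         */
        if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
        }

        i = 4;
        n = ssl->conf->psk_identity_len;

        /* Length prefix plus identity must fit in the output buffer. */
        if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
                                        "SSL buffer too short" ) );
            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
        }

        ssl->out_msg[i++] = (unsigned char)( n >> 8 );
        ssl->out_msg[i++] = (unsigned char)( n      );

        memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
        i += ssl->conf->psk_identity_len;

#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
        {
            /* Plain PSK: nothing follows the identity. */
            n = 0;
        }
        else
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
        {
            if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
                return( ret );
        }
        else
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
        {
            /*
             * ClientDiffieHellmanPublic public (DHM send G^X mod P)
             */
            n = ssl->handshake->dhm_ctx.len;

            if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
                                            " or SSL buffer too short" ) );
                return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
            }

            ssl->out_msg[i++] = (unsigned char)( n >> 8 );
            ssl->out_msg[i++] = (unsigned char)( n      );

            ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
                    (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
                    &ssl->out_msg[i], n,
                    ssl->conf->f_rng, ssl->conf->p_rng );
            if( ret != 0 )
            {
                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
                return( ret );
            }
        }
        else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
        {
            /*
             * ClientECDiffieHellmanPublic public;
             */
            ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
                    &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
                    ssl->conf->f_rng, ssl->conf->p_rng );
            if( ret != 0 )
            {
                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
                return( ret );
            }

            MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
        }
        else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
        }

        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
                        ciphersuite_info->key_exchange ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
    {
        i = 4;
        if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
            return( ret );
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
    {
        i = 4;

        ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
                ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
                ssl->conf->f_rng, ssl->conf->p_rng );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
            return( ret );
        }

        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
                ssl->conf->f_rng, ssl->conf->p_rng );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
    {
        /* Silences an unused-variable warning when no branch is compiled in. */
        ((void) ciphersuite_info);
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    ssl->out_msglen  = i + n;
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;

    ssl->state++;

    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
        return( ret );
    }

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );

    return( 0 );
}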
Christopher Haster 1:24750b9ad5ef 2971
Christopher Haster 1:24750b9ad5ef 2972 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
Christopher Haster 1:24750b9ad5ef 2973 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
Christopher Haster 1:24750b9ad5ef 2974 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
Christopher Haster 1:24750b9ad5ef 2975 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
/*
 * CertificateVerify step for builds in which none of the RSA, DHE-RSA,
 * ECDHE-RSA or ECDHE-ECDSA key exchanges is compiled in.
 *
 * The session keys are derived first. For the PSK-based and EC J-PAKE key
 * exchanges no CertificateVerify message is written: the handshake state
 * is simply advanced. Any other key exchange reaching this build variant
 * is reported as an internal error.
 *
 * Returns 0 when the step is skipped, the error code of
 * mbedtls_ssl_derive_keys() if key derivation fails, or
 * MBEDTLS_ERR_SSL_INTERNAL_ERROR otherwise.
 */
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
{
    const mbedtls_ssl_ciphersuite_t *suite =
        ssl->transform_negotiate->ciphersuite_info;
    int ret;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );

    ret = mbedtls_ssl_derive_keys( ssl );
    if( ret != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
        return( ret );
    }

    switch( suite->key_exchange )
    {
        case MBEDTLS_KEY_EXCHANGE_PSK:
        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
            /* Nothing to sign for these key exchanges: move on. */
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
            ssl->state++;
            return( 0 );

        default:
            break;
    }

    /* A certificate-based key exchange cannot be negotiated in this build. */
    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
Christopher Haster 1:24750b9ad5ef 3003 #else
/*
 * Write the client's CertificateVerify handshake message.
 *
 * This variant is compiled when at least one of the RSA, DHE-RSA, ECDHE-RSA
 * or ECDHE-ECDSA key exchanges is enabled.
 *
 * Steps:
 *   1. Derive the session keys.
 *   2. Skip the message (advance ssl->state, return 0) when the key
 *      exchange is PSK-based or EC J-PAKE, when no client authentication
 *      was requested, or when no own certificate is configured.
 *   3. Fail if a certificate is configured without a private key.
 *   4. Fetch the handshake digest, pick the digest slice / hash algorithm
 *      that matches the negotiated protocol version, and sign it with the
 *      client's private key directly into ssl->out_msg.
 *   5. Fill in the signature length, message length and type, then hand
 *      the record to mbedtls_ssl_write_record().
 *
 * Layout written into ssl->out_msg (offset is 2 for TLS 1.2, else 0):
 *   0                    handshake message type
 *   4 .. 5               hash / signature algorithm ids (TLS 1.2 only)
 *   4+offset .. 5+offset signature length, big-endian
 *   6+offset ..          signature
 *
 * Returns 0 on success or skip, MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED,
 * MBEDTLS_ERR_SSL_INTERNAL_ERROR, or the error code of
 * mbedtls_ssl_derive_keys(), mbedtls_pk_sign() or mbedtls_ssl_write_record().
 */
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
{
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    const mbedtls_ssl_ciphersuite_t *suite =
        ssl->transform_negotiate->ciphersuite_info;
    size_t sig_len = 0, alg_hdr_len = 0;
    /* 48 bytes is the size of a SHA-384 digest, the largest md_alg
     * selected below. */
    unsigned char digest[48];
    unsigned char *digest_start = digest;
    mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
    unsigned int digest_len;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );

    ret = mbedtls_ssl_derive_keys( ssl );
    if( ret != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
        return( ret );
    }

    /* Key exchanges for which no CertificateVerify is written. */
    switch( suite->key_exchange )
    {
        case MBEDTLS_KEY_EXCHANGE_PSK:
        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
            ssl->state++;
            return( 0 );

        default:
            break;
    }

    /* No client authentication requested, or no certificate to prove
     * possession of: nothing to sign either. */
    if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
        ssl->state++;
        return( 0 );
    }

    /* A certificate without its private key cannot be used to sign. */
    if( mbedtls_ssl_own_key( ssl ) == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
    }

    /*
     * Fetch the handshake digest(s) that the signature will cover.
     */
    ssl->handshake->calc_verify( ssl, digest );

#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_1)
    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
    {
        /*
         * digitally-signed struct {
         *     opaque md5_hash[16];
         *     opaque sha_hash[20];
         * };
         *
         * md5_hash
         *     MD5(handshake_messages);
         *
         * sha_hash
         *     SHA(handshake_messages);
         *
         * The digest algorithms are fixed by the protocol version here;
         * nothing is negotiated.
         */
        if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
        {
            /* For ECDSA only the SHA-1 part is signed: step over the
             * 16-byte MD5 part and sign the remaining 20 bytes. */
            digest_start = digest + 16;
            digest_len = 20;
            md_alg = MBEDTLS_MD_SHA1;
        }
        else
        {
            /* Whole 36-byte MD5 + SHA-1 concatenation, no single hash id. */
            digest_len = 36;
            md_alg = MBEDTLS_MD_NONE;
        }
    }
    else
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
          MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
    {
        /*
         * digitally-signed struct {
         *     opaque handshake_messages[handshake_messages_length];
         * };
         *
         * Shortcut: the hash is chosen from the ciphersuite (SHA-384 if
         * its MAC is SHA-384, SHA-256 otherwise) on the assumption that
         * the server listed that hash among the signature algorithms of
         * its CertificateRequest. This function does not check that list.
         *
         * Reason: otherwise running hashes for SHA-512 and SHA-224 would
         * have to be kept to satisfy unusual server-side requirements.
         */
        const int prf_is_sha384 =
            ( ssl->transform_negotiate->ciphersuite_info->mac ==
              MBEDTLS_MD_SHA384 );

        md_alg = prf_is_sha384 ? MBEDTLS_MD_SHA384 : MBEDTLS_MD_SHA256;
        ssl->out_msg[4] = prf_is_sha384 ? MBEDTLS_SSL_HASH_SHA384
                                        : MBEDTLS_SSL_HASH_SHA256;
        ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );

        /* Length 0: info from md_alg will be used instead */
        digest_len = 0;
        /* Two algorithm-id bytes precede the signature length field. */
        alg_hdr_len = 2;
    }
    else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    /*
     * NOTE(review): this call passes no capacity for the output region at
     * ssl->out_msg + 6 + alg_hdr_len; confirm that the largest signature
     * the configured key type can produce fits in the outgoing buffer.
     */
    ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg,
                           digest_start, digest_len,
                           ssl->out_msg + 6 + alg_hdr_len, &sig_len,
                           ssl->conf->f_rng, ssl->conf->p_rng );
    if( ret != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
        return( ret );
    }

    /* Signature length, big-endian, just before the signature itself. */
    ssl->out_msg[4 + alg_hdr_len] = (unsigned char)( sig_len >> 8 );
    ssl->out_msg[5 + alg_hdr_len] = (unsigned char)( sig_len );

    ssl->out_msglen  = 6 + sig_len + alg_hdr_len;
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;

    ssl->state++;

    ret = mbedtls_ssl_write_record( ssl );
    if( ret != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
        return( ret );
    }

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );

    return( ret );
}
Christopher Haster 1:24750b9ad5ef 3152 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
Christopher Haster 1:24750b9ad5ef 3153 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
Christopher Haster 1:24750b9ad5ef 3154 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
Christopher Haster 1:24750b9ad5ef 3155
Christopher Haster 1:24750b9ad5ef 3156 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
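/*
 * Parse the server's NewSessionTicket handshake message and store the
 * ticket in ssl->session_negotiate.
 *
 * The message is read with mbedtls_ssl_read_record(). Its type and length
 * are validated before any field is used: the handshake body must hold at
 * least the 6 fixed bytes, and the announced ticket length must account
 * for exactly the rest of the message, so the copy below never reads past
 * the received handshake message.
 *
 * A zero-length ticket leaves the stored session untouched. Otherwise any
 * previously stored ticket is wiped and freed, the new ticket is copied
 * into a fresh allocation, and the session id length is reset to 0 as
 * required by RFC 5077 section 3.4.
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE,
 * MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET, MBEDTLS_ERR_SSL_ALLOC_FAILED,
 * or the error code of mbedtls_ssl_read_record().
 */
static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
{
    int ret;
    uint32_t lifetime;
    size_t ticket_len;
    unsigned char *ticket;
    const unsigned char *msg;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );

    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
        return( ret );
    }

    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
    }

    /*
     * struct {
     *     uint32 ticket_lifetime_hint;
     *     opaque ticket<0..2^16-1>;
     * } NewSessionTicket;
     *
     * 0  .  3   ticket_lifetime_hint
     * 4  .  5   ticket_len (n)
     * 6  .  5+n ticket content
     */
    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
        ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
    }

    msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );

    /*
     * Widen each byte before shifting. An unsigned char promotes to int,
     * so shifting a server-supplied byte >= 0x80 left by 24 would overflow
     * a signed int, which is undefined behaviour.
     */
    lifetime = ( (uint32_t) msg[0] << 24 ) | ( (uint32_t) msg[1] << 16 ) |
               ( (uint32_t) msg[2] <<  8 ) | ( (uint32_t) msg[3]       );

    ticket_len = ( (size_t) msg[4] << 8 ) | ( (size_t) msg[5] );

    /* The ticket must fill the remainder of the message exactly. */
    if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
    }

    /* ticket_len is a size_t of at most 0xFFFF; cast it to match "%d". */
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", (int) ticket_len ) );

    /* We're not waiting for a NewSessionTicket message any more */
    ssl->handshake->new_session_ticket = 0;
    ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;

    /*
     * Zero-length ticket means the server changed its mind and doesn't want
     * to send a ticket after all, so just forget it
     */
    if( ticket_len == 0 )
        return( 0 );

    /* Wipe the previous ticket before releasing its memory. */
    mbedtls_zeroize( ssl->session_negotiate->ticket,
                     ssl->session_negotiate->ticket_len );
    mbedtls_free( ssl->session_negotiate->ticket );
    ssl->session_negotiate->ticket = NULL;
    ssl->session_negotiate->ticket_len = 0;

    if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
    }

    /* Bounded by the exact-length check above. */
    memcpy( ticket, msg + 6, ticket_len );

    ssl->session_negotiate->ticket = ticket;
    ssl->session_negotiate->ticket_len = ticket_len;
    ssl->session_negotiate->ticket_lifetime = lifetime;

    /*
     * RFC 5077 section 3.4:
     * "If the client receives a session ticket from the server, then it
     * discards any Session ID that was sent in the ServerHello."
     */
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
    ssl->session_negotiate->id_len = 0;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );

    return( 0 );
}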
Christopher Haster 1:24750b9ad5ef 3252 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
Christopher Haster 1:24750b9ad5ef 3253
/*
 * SSL handshake -- client side -- single step
 *
 * Performs exactly one transition of the client handshake state machine,
 * selected by ssl->state. Pending output is flushed first and, for DTLS,
 * a flight that is being retransmitted is resent before anything else.
 *
 * Returns MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is already over,
 * if no handshake context exists, or if ssl->state is not a state handled
 * here; otherwise the result of the flush/resend or of the handler that
 * was run (0 for the transitions that only change ssl->state).
 */
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
{
    int ret = 0;

    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );

    ret = mbedtls_ssl_flush_output( ssl );
    if( ret != 0 )
        return( ret );

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
    {
        ret = mbedtls_ssl_resend( ssl );
        if( ret != 0 )
            return( ret );
    }
#endif

    /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
     * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
    if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
        ssl->handshake->new_session_ticket != 0 )
    {
        /* A NewSessionTicket is still expected before ChangeCipherSpec. */
        ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
    }
#endif

    /* Handlers return their own status directly; only the transitions
     * that merely update ssl->state leave the switch through 'break'. */
    switch( ssl->state )
    {
        case MBEDTLS_SSL_HELLO_REQUEST:
            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
            break;

        /*
         *  ==>   ClientHello
         */
        case MBEDTLS_SSL_CLIENT_HELLO:
            return( ssl_write_client_hello( ssl ) );

        /*
         *  <==   ServerHello
         *        Certificate
         *      ( ServerKeyExchange  )
         *      ( CertificateRequest )
         *        ServerHelloDone
         */
        case MBEDTLS_SSL_SERVER_HELLO:
            return( ssl_parse_server_hello( ssl ) );

        case MBEDTLS_SSL_SERVER_CERTIFICATE:
            return( mbedtls_ssl_parse_certificate( ssl ) );

        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
            return( ssl_parse_server_key_exchange( ssl ) );

        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
            return( ssl_parse_certificate_request( ssl ) );

        case MBEDTLS_SSL_SERVER_HELLO_DONE:
            return( ssl_parse_server_hello_done( ssl ) );

        /*
         *  ==> ( Certificate/Alert  )
         *        ClientKeyExchange
         *      ( CertificateVerify  )
         *        ChangeCipherSpec
         *        Finished
         */
        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
            return( mbedtls_ssl_write_certificate( ssl ) );

        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
            return( ssl_write_client_key_exchange( ssl ) );

        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
            return( ssl_write_certificate_verify( ssl ) );

        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
            return( mbedtls_ssl_write_change_cipher_spec( ssl ) );

        case MBEDTLS_SSL_CLIENT_FINISHED:
            return( mbedtls_ssl_write_finished( ssl ) );

        /*
         *  <==   ( NewSessionTicket )
         *        ChangeCipherSpec
         *        Finished
         */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
        case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
            return( ssl_parse_new_session_ticket( ssl ) );
#endif

        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
            return( mbedtls_ssl_parse_change_cipher_spec( ssl ) );

        case MBEDTLS_SSL_SERVER_FINISHED:
            return( mbedtls_ssl_parse_finished( ssl ) );

        case MBEDTLS_SSL_FLUSH_BUFFERS:
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
            break;

        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
            mbedtls_ssl_handshake_wrapup( ssl );
            break;

        default:
            /* Unknown or out-of-range state: refuse to continue. */
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
    }

    /* ret is 0 here: both earlier calls returned early on failure. */
    return( ret );
}
Christopher Haster 1:24750b9ad5ef 3390 #endif /* MBEDTLS_SSL_CLI_C */