
Committer:
markrad
Date:
Thu Jan 05 00:18:44 2017 +0000
Revision:
0:cdf462088d13
Initial commit

markrad 0:cdf462088d13 1 /*
markrad 0:cdf462088d13 2 * SSLv3/TLSv1 server-side functions
markrad 0:cdf462088d13 3 *
markrad 0:cdf462088d13 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
markrad 0:cdf462088d13 5 * SPDX-License-Identifier: Apache-2.0
markrad 0:cdf462088d13 6 *
markrad 0:cdf462088d13 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
markrad 0:cdf462088d13 8 * not use this file except in compliance with the License.
markrad 0:cdf462088d13 9 * You may obtain a copy of the License at
markrad 0:cdf462088d13 10 *
markrad 0:cdf462088d13 11 * http://www.apache.org/licenses/LICENSE-2.0
markrad 0:cdf462088d13 12 *
markrad 0:cdf462088d13 13 * Unless required by applicable law or agreed to in writing, software
markrad 0:cdf462088d13 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
markrad 0:cdf462088d13 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
markrad 0:cdf462088d13 16 * See the License for the specific language governing permissions and
markrad 0:cdf462088d13 17 * limitations under the License.
markrad 0:cdf462088d13 18 *
markrad 0:cdf462088d13 19 * This file is part of mbed TLS (https://tls.mbed.org)
markrad 0:cdf462088d13 20 */
markrad 0:cdf462088d13 21
markrad 0:cdf462088d13 22 #if !defined(MBEDTLS_CONFIG_FILE)
markrad 0:cdf462088d13 23 #include "mbedtls/config.h"
markrad 0:cdf462088d13 24 #else
markrad 0:cdf462088d13 25 #include MBEDTLS_CONFIG_FILE
markrad 0:cdf462088d13 26 #endif
markrad 0:cdf462088d13 27
markrad 0:cdf462088d13 28 #if defined(MBEDTLS_SSL_SRV_C)
markrad 0:cdf462088d13 29
markrad 0:cdf462088d13 30 #if defined(MBEDTLS_PLATFORM_C)
markrad 0:cdf462088d13 31 #include "mbedtls/platform.h"
markrad 0:cdf462088d13 32 #else
markrad 0:cdf462088d13 33 #include <stdlib.h>
markrad 0:cdf462088d13 34 #define mbedtls_calloc calloc
markrad 0:cdf462088d13 35 #define mbedtls_free free
markrad 0:cdf462088d13 36 #endif
markrad 0:cdf462088d13 37
markrad 0:cdf462088d13 38 #include "mbedtls/debug.h"
markrad 0:cdf462088d13 39 #include "mbedtls/ssl.h"
markrad 0:cdf462088d13 40 #include "mbedtls/ssl_internal.h"
markrad 0:cdf462088d13 41
markrad 0:cdf462088d13 42 #include <string.h>
markrad 0:cdf462088d13 43
markrad 0:cdf462088d13 44 #if defined(MBEDTLS_ECP_C)
markrad 0:cdf462088d13 45 #include "mbedtls/ecp.h"
markrad 0:cdf462088d13 46 #endif
markrad 0:cdf462088d13 47
markrad 0:cdf462088d13 48 #if defined(MBEDTLS_HAVE_TIME)
markrad 0:cdf462088d13 49 #include "mbedtls/platform_time.h"
markrad 0:cdf462088d13 50 #endif
markrad 0:cdf462088d13 51
markrad 0:cdf462088d13 52 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad 0:cdf462088d13 53 /* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n )
{
    /* Store through a volatile pointer so the compiler cannot drop the
     * writes as dead stores once the buffer goes out of scope. */
    volatile unsigned char *p = v;
    size_t i;

    for( i = 0; i < n; i++ )
        p[i] = 0;
}
markrad 0:cdf462088d13 57 #endif
markrad 0:cdf462088d13 58
markrad 0:cdf462088d13 59 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
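/*
 * Store a copy of the client's transport-level identity in ssl->cli_id.
 * Compiled only with MBEDTLS_SSL_DTLS_HELLO_VERIFY; presumably consumed by
 * the DTLS cookie callbacks (not visible here - confirm against the caller).
 *
 * \param ssl   Server-side context; any previous cli_id is released.
 * \param info  Identity bytes to copy (ilen bytes are read).
 * \param ilen  Length of info. Note that calloc( 1, 0 ) may return NULL,
 *              so an empty identity can report an allocation failure.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the context is
 *         not a server, MBEDTLS_ERR_SSL_ALLOC_FAILED if the copy could not
 *         be allocated. On failure ssl->cli_id is NULL and ssl->cli_id_len
 *         is 0, so the pair never describes freed memory.
 */
int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
                                         const unsigned char *info,
                                         size_t ilen )
{
    if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

    /* Release the old identity and reset the length at the same time:
     * if the allocation below fails, the stale length must not survive
     * next to a NULL pointer. */
    mbedtls_free( ssl->cli_id );
    ssl->cli_id = NULL;
    ssl->cli_id_len = 0;

    if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );

    memcpy( ssl->cli_id, info, ilen );
    ssl->cli_id_len = ilen;

    return( 0 );
}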
markrad 0:cdf462088d13 77
/*
 * Install the DTLS cookie callbacks and their opaque context on a config.
 * Plain setters: nothing is validated and p_cookie is stored, not copied.
 */
void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
                                    mbedtls_ssl_cookie_write_t *f_cookie_write,
                                    mbedtls_ssl_cookie_check_t *f_cookie_check,
                                    void *p_cookie )
{
    conf->p_cookie       = p_cookie;
    conf->f_cookie_check = f_cookie_check;
    conf->f_cookie_write = f_cookie_write;
}
markrad 0:cdf462088d13 87 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
markrad 0:cdf462088d13 88
markrad 0:cdf462088d13 89 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
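/*
 * Parse the ServerName (SNI) extension of a ClientHello and pass the first
 * host_name entry to the configured SNI callback.
 *
 *   ServerName server_name_list<1..2^16-1>;   -- 2-byte list length
 *   struct {
 *       NameType name_type;                   -- 1 byte
 *       opaque   HostName<1..2^16-1>;         -- 2-byte length + bytes
 *   } ServerName;
 *
 * \param ssl   SSL context. ssl->conf->f_sni is called without a NULL
 *              check here, so the caller must only invoke this when it is set.
 * \param buf   Extension payload (after the extension type and length).
 * \param len   Length of buf in bytes.
 *
 * \return 0 on success or when no host_name entry is present;
 *         MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO if the extension is malformed
 *         or the SNI callback rejects the name (a fatal unrecognized_name
 *         alert is sent in the latter case).
 */
static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
                                     const unsigned char *buf,
                                     size_t len )
{
    int ret;
    size_t servername_list_size, hostname_len;
    const unsigned char *p;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );

    /* The two-byte list length must be present before it is read */
    if( len < 2 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
    if( servername_list_size + 2 != len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    p = buf + 2;
    /* Every entry starts with a 3-byte header (type + length). p[1] and
     * p[2] are only inside the list while more than two bytes remain;
     * a shorter tail is rejected after the loop. */
    while( servername_list_size > 2 )
    {
        hostname_len = ( ( p[1] << 8 ) | p[2] );
        if( hostname_len + 3 > servername_list_size )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
        }

        if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
        {
            ret = ssl->conf->f_sni( ssl->conf->p_sni,
                                    ssl, p + 3, hostname_len );
            if( ret != 0 )
            {
                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                        MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
            }
            /* Only the first host_name entry is consulted */
            return( 0 );
        }

        servername_list_size -= hostname_len + 3;
        p += hostname_len + 3;
    }

    /* A 1- or 2-byte remainder cannot hold a complete entry */
    if( servername_list_size != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    return( 0 );
}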
markrad 0:cdf462088d13 143 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
markrad 0:cdf462088d13 144
/*
 * Parse the renegotiation_info extension (RFC 5746) of a ClientHello.
 *
 * During a renegotiation (MBEDTLS_SSL_RENEGOTIATION only) the payload must
 * be one length byte followed by the client's previous verify_data; the
 * bytes are compared with mbedtls_ssl_safer_memcmp so the comparison time
 * does not depend on their values (the length itself is not secret). On an
 * initial handshake the payload must be a single zero byte, and accepting
 * it sets ssl->secure_renegotiation to MBEDTLS_SSL_SECURE_RENEGOTIATION.
 *
 * \param ssl   SSL context being negotiated.
 * \param buf   Extension payload.
 * \param len   Length of buf; it is checked before buf[0] is read.
 *
 * \return 0 on success. On mismatch a fatal handshake_failure alert is sent
 *         and MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO is returned, unless
 *         sending the alert fails, in which case that error is returned.
 */
static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
{
    int ret;

#if defined(MBEDTLS_SSL_RENEGOTIATION)
    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
    {
        /* Check verify-data in constant-time. The length OTOH is no secret */
        if( len != 1 + ssl->verify_data_len ||
            buf[0] != ssl->verify_data_len ||
            mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
                                      ssl->verify_data_len ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );

            if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
                return( ret );

            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
        }
    }
    else
#endif /* MBEDTLS_SSL_RENEGOTIATION */
    {
        /* Initial handshake: the only valid payload is an empty
         * renegotiated_connection, i.e. a single 0x00 length byte */
        if( len != 1 || buf[0] != 0x0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );

            if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
                return( ret );

            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
        }

        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
    }

    return( 0 );
}
markrad 0:cdf462088d13 186
markrad 0:cdf462088d13 187 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
markrad 0:cdf462088d13 188 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
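/*
 * Parse the signature_algorithms extension (RFC 5246 7.4.1.4.1) and record
 * in ssl->handshake->sig_alg the first hash that is both in our preference
 * list (ssl->conf->sig_hashes, terminated by MBEDTLS_MD_NONE) and offered
 * by the client.
 *
 * For now, ignore the SignatureAlgorithm part and rely on offered
 * ciphersuites only for that part. To be fixed later.
 * So, just look at the HashAlgorithm part (the first byte of each pair).
 *
 * \param ssl   SSL context; ssl->handshake->sig_alg may be updated.
 * \param buf   Extension payload: 2-byte list length, then 2-byte pairs.
 * \param len   Length of buf in bytes.
 *
 * \return 0 on success, including when nothing is in common (some key
 *         exchanges need no signature); MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
 *         if the extension is malformed.
 */
static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
                                               const unsigned char *buf,
                                               size_t len )
{
    size_t sig_alg_list_size;
    const unsigned char *p;
    const unsigned char *end = buf + len;
    const int *md_cur;

    /* The two-byte list length must be present before it is read */
    if( len < 2 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
    if( sig_alg_list_size + 2 != len ||
        sig_alg_list_size % 2 != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    /* Outer loop is our preference order, so the first hit wins */
    for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ )
    {
        for( p = buf + 2; p < end; p += 2 )
        {
            if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) )
            {
                ssl->handshake->sig_alg = p[0];
                MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
                                            ssl->handshake->sig_alg ) );
                return( 0 );
            }
        }
    }

    /* Some key exchanges do not need signatures at all */
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
    return( 0 );
}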
markrad 0:cdf462088d13 232 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
markrad 0:cdf462088d13 233 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
markrad 0:cdf462088d13 234
markrad 0:cdf462088d13 235 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
markrad 0:cdf462088d13 236 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
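/*
 * Parse the elliptic_curves extension and store the curves the client
 * offers that this build knows about, in the client's order, as a
 * NULL-terminated array in ssl->handshake->curves.
 *
 * \param ssl   SSL context; ssl->handshake->curves must still be NULL
 *              (a duplicate extension is rejected).
 * \param buf   Extension payload: 2-byte list length, then 2-byte curve IDs.
 * \param len   Length of buf in bytes.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO if the extension
 *         is malformed or duplicated, MBEDTLS_ERR_SSL_ALLOC_FAILED if the
 *         curve array could not be allocated.
 */
static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
                                                const unsigned char *buf,
                                                size_t len )
{
    size_t list_size, our_size;
    const unsigned char *p;
    const mbedtls_ecp_curve_info *curve_info, **curves;

    /* The two-byte list length must be present before it is read */
    if( len < 2 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
    if( list_size + 2 != len ||
        list_size % 2 != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    /* Should never happen unless client duplicates the extension */
    if( ssl->handshake->curves != NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    /* Don't allow our peer to make us allocate too much memory,
     * and leave room for a final 0 */
    our_size = list_size / 2 + 1;
    if( our_size > MBEDTLS_ECP_DP_MAX )
        our_size = MBEDTLS_ECP_DP_MAX;

    /* calloc zero-fills, which provides the terminating NULL entry */
    if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );

    ssl->handshake->curves = curves;

    p = buf + 2;
    /* our_size > 1 keeps the last slot free for the NULL terminator */
    while( list_size > 0 && our_size > 1 )
    {
        curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );

        /* Unknown curve IDs are skipped, not treated as errors */
        if( curve_info != NULL )
        {
            *curves++ = curve_info;
            our_size--;
        }

        list_size -= 2;
        p += 2;
    }

    return( 0 );
}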
markrad 0:cdf462088d13 288
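/*
 * Parse the ec_point_formats extension and select the first format in the
 * client's list that we support (uncompressed or compressed), storing it in
 * the ECDH and/or ECJPAKE contexts of the handshake.
 *
 * \param ssl   SSL context.
 * \param buf   Extension payload: 1-byte list length, then one byte per format.
 * \param len   Length of buf in bytes.
 *
 * \return 0 on success, also when no supported format is listed (the
 *         contexts are then left untouched); MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
 *         if the extension is malformed.
 */
static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              size_t len )
{
    size_t list_size;
    const unsigned char *p;

    /* The one-byte list length must be present before it is read */
    if( len == 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    list_size = buf[0];
    if( list_size + 1 != len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    p = buf + 1;
    while( list_size > 0 )
    {
        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
        {
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
            ssl->handshake->ecdh_ctx.point_format = p[0];
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
            ssl->handshake->ecjpake_ctx.point_format = p[0];
#endif
            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
            return( 0 );
        }

        list_size--;
        p++;
    }

    return( 0 );
}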
markrad 0:cdf462088d13 325 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
markrad 0:cdf462088d13 326 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad 0:cdf462088d13 327
markrad 0:cdf462088d13 328 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
 * Parse the ecjpake_key_kp_pair extension: feed the client's round-one
 * message into the handshake's EC-JPAKE context and flag the extension
 * as accepted in ssl->handshake->cli_exts.
 *
 * \return 0 if the extension was accepted or skipped (no EC-JPAKE password
 *         configured, per mbedtls_ecjpake_check), otherwise the error
 *         returned by mbedtls_ecjpake_read_round_one.
 */
static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
                                   const unsigned char *buf,
                                   size_t len )
{
    int ret;

    /* Nothing to do unless an EC-JPAKE context is actually set up */
    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
        return( 0 );
    }

    ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
                                          buf, len );
    if( ret != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
        return( ret );
    }

    /* Only mark the extension as OK when we're sure it is */
    ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;

    return( 0 );
}
markrad 0:cdf462088d13 353 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad 0:cdf462088d13 354
markrad 0:cdf462088d13 355 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/*
 * Parse the max_fragment_length extension: a single code byte below
 * MBEDTLS_SSL_MAX_FRAG_LEN_INVALID, copied into the negotiated session.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO if the length
 *         is not 1 or the code is out of range.
 */
static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
                                              size_t len )
{
    /* Length is checked first so buf[0] is never read on an empty payload */
    if( len != 1 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    if( buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    ssl->session_negotiate->mfl_code = buf[0];

    return( 0 );
}
markrad 0:cdf462088d13 370 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad 0:cdf462088d13 371
markrad 0:cdf462088d13 372 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/*
 * Parse the (empty) truncated_hmac extension. If truncated HMAC is enabled
 * in the configuration, enable it for the negotiated session as well.
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO if the payload
 *         is not empty.
 */
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
                                         const unsigned char *buf,
                                         size_t len )
{
    /* The payload carries no data; buf is intentionally unused */
    ((void) buf);

    if( len != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    if( ssl->conf->trunc_hmac != MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
        return( 0 );

    ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;

    return( 0 );
}
markrad 0:cdf462088d13 390 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad 0:cdf462088d13 391
markrad 0:cdf462088d13 392 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
/*
 * Parse the (empty) encrypt_then_mac extension (RFC 7366). EtM is enabled
 * for the negotiated session only if the configuration allows it and the
 * negotiated version is not SSL 3.0 (minor version 0).
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO if the payload
 *         is not empty.
 */
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                           const unsigned char *buf,
                                           size_t len )
{
    int etm_wanted;

    /* The payload carries no data; buf is intentionally unused */
    ((void) buf);

    if( len != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    etm_wanted = ( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED );

    if( etm_wanted && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;

    return( 0 );
}
markrad 0:cdf462088d13 413 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
markrad 0:cdf462088d13 414
markrad 0:cdf462088d13 415 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
/*
 * Parse the (empty) extended_master_secret extension (RFC 7627). The
 * extended master secret is enabled for this handshake only if the
 * configuration allows it and the negotiated version is not SSL 3.0
 * (minor version 0).
 *
 * \return 0 on success, MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO if the payload
 *         is not empty.
 */
static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
                                      const unsigned char *buf,
                                      size_t len )
{
    int ems_wanted;

    /* The payload carries no data; buf is intentionally unused */
    ((void) buf);

    if( len != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    ems_wanted = ( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED );

    if( ems_wanted && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
        ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;

    return( 0 );
}
markrad 0:cdf462088d13 436 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
markrad 0:cdf462088d13 437
markrad 0:cdf462088d13 438 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
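/*
 * Parse the SessionTicket extension (RFC 5077) of a ClientHello.
 *
 * Marks that the client wants a new ticket, then - on an initial handshake
 * with a non-empty ticket - asks the configured f_ticket_parse callback to
 * recover the session. On success the recovered session replaces
 * ssl->session_negotiate (keeping the client's session ID, which must be
 * echoed back per RFC 5077 section 3.4), ssl->handshake->resume is set and
 * the new-ticket request is cleared.
 *
 * \param ssl   SSL context; needs both f_ticket_parse and f_ticket_write
 *              configured, otherwise the extension is ignored.
 * \param buf   Ticket bytes; may be modified in place by the parse callback.
 * \param len   Length of buf in bytes.
 *
 * \return 0 in all cases handled here: a ticket that fails to parse
 *         (bad MAC, expired, other error) is logged and ignored, and the
 *         handshake continues with a full session.
 */
static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
                                         unsigned char *buf,
                                         size_t len )
{
    int ret;
    mbedtls_ssl_session session;

    mbedtls_ssl_session_init( &session );

    /* Without both callbacks we can neither read nor issue tickets */
    if( ssl->conf->f_ticket_parse == NULL ||
        ssl->conf->f_ticket_write == NULL )
    {
        return( 0 );
    }

    /* Remember the client asked us to send a new ticket */
    ssl->handshake->new_session_ticket = 1;

    /* len is a size_t; cast so the argument matches the %d specifier */
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", (int) len ) );

    /* An empty ticket is only a request for a new one */
    if( len == 0 )
        return( 0 );

#if defined(MBEDTLS_SSL_RENEGOTIATION)
    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
        return( 0 );
    }
#endif /* MBEDTLS_SSL_RENEGOTIATION */

    /*
     * Failures are ok: just ignore the ticket and proceed.
     */
    ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
                                     buf, len );
    if( ret != 0 )
    {
        mbedtls_ssl_session_free( &session );

        switch( ret )
        {
            case MBEDTLS_ERR_SSL_INVALID_MAC:
                MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
                break;
            case MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED:
                MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
                break;
            default:
                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
                break;
        }

        return( 0 );
    }

    /*
     * Keep the session ID sent by the client, since we MUST send it back to
     * inform them we're accepting the ticket (RFC 5077 section 3.4)
     */
    session.id_len = ssl->session_negotiate->id_len;
    memcpy( &session.id, ssl->session_negotiate->id, session.id_len );

    /* Shallow copy: any pointers owned by the recovered session now belong
     * to ssl->session_negotiate, so the local copy must not be freed. */
    mbedtls_ssl_session_free( ssl->session_negotiate );
    memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );

    /* Zeroize instead of free as we copied the content */
    mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );

    ssl->handshake->resume = 1;

    /* Don't send a new ticket after all, this one is OK */
    ssl->handshake->new_session_ticket = 0;

    return( 0 );
}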
markrad 0:cdf462088d13 510 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad 0:cdf462088d13 511
markrad 0:cdf462088d13 512 #if defined(MBEDTLS_SSL_ALPN)
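/*
 * Parse the ALPN extension (RFC 7301) and pick the first protocol from our
 * configured list (ssl->conf->alpn_list, in our order of preference) that
 * the client also offers.
 *
 * The client's list is validated in full before any comparison, so the
 * memcmp() below never reads beyond the extension: the original code only
 * caught an over-long name on the next loop iteration, after memcmp() had
 * already been called with its length.
 *
 * \param ssl   SSL context; ssl->alpn_chosen is set on success.
 * \param buf   Extension payload: 2-byte list length, then length-prefixed names.
 * \param len   Length of buf in bytes.
 *
 * \return 0 if a protocol was chosen or ALPN is not configured;
 *         MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO if the extension is malformed
 *         or no protocol is in common (a fatal no_application_protocol alert
 *         is sent in the latter case).
 */
static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
                               const unsigned char *buf, size_t len )
{
    size_t list_len, cur_len, ours_len;
    const unsigned char *theirs, *start, *end;
    const char **ours;

    /* If ALPN not configured, just ignore the extension */
    if( ssl->conf->alpn_list == NULL )
        return( 0 );

    /*
     * opaque ProtocolName<1..2^8-1>;
     *
     * struct {
     *     ProtocolName protocol_name_list<2..2^16-1>
     * } ProtocolNameList;
     */

    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
    if( len < 4 )
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );

    list_len = ( buf[0] << 8 ) | buf[1];
    if( list_len != len - 2 )
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );

    /*
     * Validate peer ("theirs") list: every name must fit inside the list
     * and be non-empty. After this pass, walking the list by name length
     * lands exactly on end.
     */
    start = buf + 2;
    end = buf + len;
    for( theirs = start; theirs != end; theirs += cur_len )
    {
        cur_len = *theirs++;

        /* Current identifier must fit in list */
        if( cur_len > (size_t)( end - theirs ) )
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );

        /* Empty strings MUST NOT be included */
        if( cur_len == 0 )
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    /*
     * Use our order of preference
     */
    for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
    {
        ours_len = strlen( *ours );
        for( theirs = start; theirs != end; theirs += cur_len )
        {
            cur_len = *theirs++;

            if( cur_len == ours_len &&
                memcmp( theirs, *ours, cur_len ) == 0 )
            {
                ssl->alpn_chosen = *ours;
                return( 0 );
            }
        }
    }

    /* If we get there, no match was found */
    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                    MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
    return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}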
markrad 0:cdf462088d13 574 #endif /* MBEDTLS_SSL_ALPN */
markrad 0:cdf462088d13 575
markrad 0:cdf462088d13 576 /*
markrad 0:cdf462088d13 577 * Auxiliary functions for ServerHello parsing and related actions
markrad 0:cdf462088d13 578 */
markrad 0:cdf462088d13 579
markrad 0:cdf462088d13 580 #if defined(MBEDTLS_X509_CRT_PARSE_C)
markrad 0:cdf462088d13 581 /*
markrad 0:cdf462088d13 582 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
markrad 0:cdf462088d13 583 */
markrad 0:cdf462088d13 584 #if defined(MBEDTLS_ECDSA_C)
/*
 * Return 0 if the EC key's group is one of the curves in the NULL-terminated
 * list, -1 otherwise. pk is assumed to be an EC key (mbedtls_pk_ec is
 * applied without a type check).
 */
static int ssl_check_key_curve( mbedtls_pk_context *pk,
                                const mbedtls_ecp_curve_info **curves )
{
    mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
    const mbedtls_ecp_curve_info **crv;

    for( crv = curves; *crv != NULL; crv++ )
    {
        if( (*crv)->grp_id == grp_id )
            return( 0 );
    }

    return( -1 );
}
markrad 0:cdf462088d13 600 #endif /* MBEDTLS_ECDSA_C */
markrad 0:cdf462088d13 601
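/*
 * Try picking a certificate for this ciphersuite,
 * return 0 on success and -1 on failure.
 *
 * Candidates come from the SNI-specific list when the ServerName callback
 * installed one, otherwise from the configured list. A candidate must
 * (1) have a key of the type the suite signs with, (2) pass the (extended)
 * key usage check for server use with this suite and, for ECDSA, (3) use a
 * curve in ssl->handshake->curves. Among those, a SHA-1-signed certificate
 * is preferred for pre-TLS 1.2 clients; if none exists the first other
 * candidate is used rather than failing the handshake.
 *
 * On success ssl->handshake->key_cert is updated; on failure it is left
 * untouched so the caller can go on to try the next ciphersuite.
 */
static int ssl_pick_cert( mbedtls_ssl_context *ssl,
                          const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
{
    mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
    mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
    uint32_t flags;

#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    if( ssl->handshake->sni_key_cert != NULL )
        list = ssl->handshake->sni_key_cert;
    else
#endif
        list = ssl->conf->key_cert;

    /* Suites with no signing key type need no certificate at all. */
    if( pk_alg == MBEDTLS_PK_NONE )
        return( 0 );

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );

    if( list == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
        return( -1 );
    }

    for( cur = list; cur != NULL; cur = cur->next )
    {
        MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
                          cur->cert );

        if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
            continue;
        }

        /*
         * This avoids sending the client a cert it'll reject based on
         * keyUsage or other extensions.
         *
         * It also allows the user to provision different certificates for
         * different uses based on keyUsage, eg if they want to avoid signing
         * and decrypting with the same RSA key.
         */
        if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
                                          MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
                                        "(extended) key usage extension" ) );
            continue;
        }

#if defined(MBEDTLS_ECDSA_C)
        /* Only reached for ECDSA keys, which ssl_check_key_curve requires. */
        if( pk_alg == MBEDTLS_PK_ECDSA &&
            ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
            continue;
        }
#endif

        /*
         * Try to select a SHA-1 certificate for pre-1.2 clients, but still
         * present them a SHA-higher cert rather than failing if it's the only
         * one we got that satisfies the other conditions.
         *
         * Only the first such candidate is remembered, so list order decides
         * which non-SHA-1 certificate an old client is shown. This is a
         * compatibility preference only: it never causes a SHA-1 certificate
         * to be chosen for a TLS 1.2 client.
         */
        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
            cur->cert->sig_md != MBEDTLS_MD_SHA1 )
        {
            if( fallback == NULL )
                fallback = cur;

            /* Unconditional: a bare block around these two statements in the
             * original made the continue look tied to the if above. */
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
                                        "sha-2 with pre-TLS 1.2 client" ) );
            continue;
        }

        /* If we get there, we got a winner */
        break;
    }

    if( cur == NULL )
        cur = fallback;

    /* Do not update ssl->handshake->key_cert unless there is a match */
    if( cur != NULL )
    {
        ssl->handshake->key_cert = cur;
        MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
                          ssl->handshake->key_cert->cert );
        return( 0 );
    }

    return( -1 );
}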
markrad 0:cdf462088d13 702 #endif /* MBEDTLS_X509_CRT_PARSE_C */
markrad 0:cdf462088d13 703
/*
 * Check if a given ciphersuite is suitable for use with our config/keys/etc
 * Sets ciphersuite_info only if the suite matches.
 *
 * A return value of 0 means "no error": the suite either matched (and
 * *ciphersuite_info was set) or was merely unsuitable (and *ciphersuite_info
 * was left alone). A non-zero return is a genuine error.
 */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
/*
 * Whether the configuration can provide a pre-shared key: either a PSK
 * callback is installed, or a complete static key/identity pair is set.
 */
static int ssl_conf_has_psk( const mbedtls_ssl_context *ssl )
{
    if( ssl->conf->f_psk != NULL )
        return( 1 );

    if( ssl->conf->psk == NULL || ssl->conf->psk_len == 0 )
        return( 0 );

    if( ssl->conf->psk_identity == NULL || ssl->conf->psk_identity_len == 0 )
        return( 0 );

    return( 1 );
}
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */

static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
                                  const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
{
    const mbedtls_ssl_ciphersuite_t *candidate;

    candidate = mbedtls_ssl_ciphersuite_from_id( suite_id );
    if( candidate == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", candidate->name ) );

    /* The negotiated minor version must fall within the suite's range. */
    if( ssl->minor_ver < candidate->min_minor_ver ||
        ssl->minor_ver > candidate->max_minor_ver )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
        return( 0 );
    }

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    /* Suites flagged NODTLS are silently skipped over datagram transport. */
    if( ( candidate->flags & MBEDTLS_CIPHERSUITE_NODTLS ) != 0 &&
        ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
    {
        return( 0 );
    }
#endif

#if defined(MBEDTLS_ARC4_C)
    /* Honour the run-time RC4 switch even when RC4 suites are compiled in. */
    if( candidate->cipher == MBEDTLS_CIPHER_ARC4_128 &&
        ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
        return( 0 );
    }
#endif

#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    /* EC-JPAKE is only usable if the client's KKPP extension was accepted. */
    if( candidate->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
        ! ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
                                    "not configured or ext missing" ) );
        return( 0 );
    }
#endif

#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
    /* EC-based suites need at least one curve in common with the client. */
    if( mbedtls_ssl_ciphersuite_uses_ec( candidate ) )
    {
        if( ssl->handshake->curves == NULL ||
            ssl->handshake->curves[0] == NULL )
        {
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
                                        "no common elliptic curve" ) );
            return( 0 );
        }
    }
#endif

#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
    /* If the ciphersuite requires a pre-shared key and we don't
     * have one, skip it now rather than failing later */
    if( mbedtls_ssl_ciphersuite_uses_psk( candidate ) &&
        ! ssl_conf_has_psk( ssl ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
        return( 0 );
    }
#endif

#if defined(MBEDTLS_X509_CRT_PARSE_C)
    /*
     * Final check: if ciphersuite requires us to have a
     * certificate/key of a particular type:
     * - select the appropriate certificate if we have one, or
     * - try the next ciphersuite if we don't
     * This must be done last since we modify the key_cert list.
     */
    if( ssl_pick_cert( ssl, candidate ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
                                    "no suitable certificate" ) );
        return( 0 );
    }
#endif

    *ciphersuite_info = candidate;
    return( 0 );
}
markrad 0:cdf462088d13 798
markrad 0:cdf462088d13 799 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
/*
 * Parse a ClientHello carried in SSLv2 record framing (RFC 5246 App. E.2).
 *
 * Only the framing is SSLv2: the client's advertised max version (buf[3..4])
 * must be major 3, and the protocol version is negotiated from it as usual.
 * The caller has already fetched the first 5 bytes into ssl->in_hdr; the
 * rest of the record is fetched here.
 *
 * Accepting this format at all is a legacy-client accommodation (gated on
 * MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO); it is refused during
 * renegotiation. Every length field is checked against the record size
 * before anything is copied out of it.
 *
 * Returns 0 on success and an MBEDTLS_ERR_SSL_* code otherwise.
 */
static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
{
    int ret, got_common_suite;
    unsigned int i, j;
    size_t n;
    unsigned int ciph_len, sess_len, chal_len;
    unsigned char *buf, *p;
    const int *ciphersuites;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );

#if defined(MBEDTLS_SSL_RENEGOTIATION)
    /* An SSLv2-framed hello is only acceptable as the very first message;
     * a renegotiating client has to use the SSLv3/TLS record layer. */
    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );

        if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
            return( ret );

        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }
#endif /* MBEDTLS_SSL_RENEGOTIATION */

    buf = ssl->in_hdr;

    MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
                   buf[2] ) );
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
                   ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
                   buf[3], buf[4] ) );

    /*
     * SSLv2 Client Hello
     *
     * Record layer:
     *     0  .   1   message length
     *
     * SSL layer:
     *     2  .   2   message type
     *     3  .   4   protocol version
     */
    if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
        buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    /* 15-bit record length; the top bit is the "v2 header" marker that
     * routed us here. Bound it before fetching so a hostile length can
     * neither undercut the 5 bytes already consumed nor request an
     * oversized read. The per-field checks further down do the real
     * validation of the body. */
    n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;

    if( n < 17 || n > 512 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    /* Version negotiation: min(client max, our max), then refuse anything
     * below our configured minimum with a protocol_version alert. */
    ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
    ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
                     ? buf[4]  : ssl->conf->max_minor_ver;

    if( ssl->minor_ver < ssl->conf->min_minor_ver )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
                            " [%d:%d] < [%d:%d]",
                            ssl->major_ver, ssl->minor_ver,
                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );

        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
    }

    /* Remember what the client offered (needed later, e.g. for the
     * FALLBACK_SCSV check below and by the rest of the handshake). */
    ssl->handshake->max_major_ver = buf[3];
    ssl->handshake->max_minor_ver = buf[4];

    /* Fetch the whole record: 2-byte length plus n bytes of message. */
    if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
        return( ret );
    }

    /* The handshake transcript covers the message after the 2-byte length */
    ssl->handshake->update_checksum( ssl, buf + 2, n );

    /* Skip the 5 bytes parsed above (length, type, version); n is now the
     * number of body bytes that follow them. With n >= 17 at least 14 body
     * bytes exist, so the six length bytes read below are always present. */
    buf = ssl->in_msg;
    n = ssl->in_left - 5;

    /*
     *    0  .   1   ciphersuitelist length
     *    2  .   3   session id length
     *    4  .   5   challenge length
     *    6  .  ..   ciphersuitelist
     *   ..  .  ..   session id
     *   ..  .  ..   challenge
     */
    MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );

    ciph_len = ( buf[0] << 8 ) | buf[1];
    sess_len = ( buf[2] << 8 ) | buf[3];
    chal_len = ( buf[4] << 8 ) | buf[5];

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
                   ciph_len, sess_len, chal_len ) );

    /*
     * Make sure each parameter length is valid
     *
     * Each length is capped individually (session id and challenge at 32
     * bytes) and their sum must account for the record exactly, so nothing
     * beyond the fetched data is ever read and the two memcpy()s below
     * cannot overrun their destinations.
     */
    if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    if( sess_len > 32 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    if( chal_len < 8 || chal_len > 32 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    if( n != 6 + ciph_len + sess_len + chal_len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
                   buf + 6, ciph_len );
    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
                   buf + 6 + ciph_len, sess_len );
    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
                   buf + 6 + ciph_len + sess_len, chal_len );

    /* Session id: clear the whole field first, then copy at most 32 bytes. */
    p = buf + 6 + ciph_len;
    ssl->session_negotiate->id_len = sess_len;
    memset( ssl->session_negotiate->id, 0,
            sizeof( ssl->session_negotiate->id ) );
    memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );

    /* The challenge becomes the client random: right-aligned in the first
     * 32 bytes, zero-padded on the left (chal_len is 8..32 here). */
    p += sess_len;
    memset( ssl->handshake->randbytes, 0, 64 );
    memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );

    /*
     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     *
     * The SCSV (RFC 5746) is the client's way of signalling secure
     * renegotiation support without an extension. Seeing it during a
     * renegotiation is a protocol violation and aborts the handshake.
     */
    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
    {
        if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
        {
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
            if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
                                    "during renegotiation" ) );

                if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
                    return( ret );

                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
            }
#endif /* MBEDTLS_SSL_RENEGOTIATION */
            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
            break;
        }
    }

#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
    /* TLS_FALLBACK_SCSV (RFC 7507): the client says this hello is a
     * downgrade retry. If we could have spoken a higher version than the
     * one just negotiated, someone in the middle forced the downgrade;
     * refuse with inappropriate_fallback. */
    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
    {
        if( p[0] == 0 &&
            p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
            p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );

            if( ssl->minor_ver < ssl->conf->max_minor_ver )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );

                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                        MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );

                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
            }

            break;
        }
    }
#endif /* MBEDTLS_SSL_FALLBACK_SCSV */

    /*
     * Ciphersuite selection. The build option only swaps which list is the
     * outer loop (client order vs. our order); in both arrangements i
     * indexes our list, so ciphersuites[i] is the chosen suite after the
     * goto. A suite present in both lists but rejected by
     * ssl_ciphersuite_match() (no cert, no PSK, ...) still sets
     * got_common_suite so the two failure cases are reported distinctly.
     */
    got_common_suite = 0;
    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
    ciphersuite_info = NULL;
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
    for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
    {
        for( i = 0; ciphersuites[i] != 0; i++ )
#else
    for( i = 0; ciphersuites[i] != 0; i++ )
    {
        for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
#endif
        {
            if( p[0] != 0 ||
                p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
                p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
                continue;

            got_common_suite = 1;

            if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
                                               &ciphersuite_info ) ) != 0 )
                return( ret );

            if( ciphersuite_info != NULL )
                goto have_ciphersuite_v2;
        }
    }

    if( got_common_suite )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
                            "but none of them usable" ) );
        return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
    }
    else
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
        return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
    }

have_ciphersuite_v2:
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );

    ssl->session_negotiate->ciphersuite = ciphersuites[i];
    ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;

    /*
     * SSLv2 Client Hello relevant renegotiation security checks
     *
     * If the client did not signal secure renegotiation support (no SCSV
     * above) and the configuration says to break rather than tolerate
     * legacy peers, abort now instead of starting a session we would later
     * have to refuse to renegotiate.
     */
    if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );

        if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
            return( ret );

        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

    /* The whole record has been consumed; advance to the next state. */
    ssl->in_left = 0;
    ssl->state++;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );

    return( 0 );
}
markrad 0:cdf462088d13 1068 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
markrad 0:cdf462088d13 1069
markrad 0:cdf462088d13 1070 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
markrad 0:cdf462088d13 1071 {
markrad 0:cdf462088d13 1072 int ret, got_common_suite;
markrad 0:cdf462088d13 1073 size_t i, j;
markrad 0:cdf462088d13 1074 size_t ciph_offset, comp_offset, ext_offset;
markrad 0:cdf462088d13 1075 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
markrad 0:cdf462088d13 1076 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1077 size_t cookie_offset, cookie_len;
markrad 0:cdf462088d13 1078 #endif
markrad 0:cdf462088d13 1079 unsigned char *buf, *p, *ext;
markrad 0:cdf462088d13 1080 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1081 int renegotiation_info_seen = 0;
markrad 0:cdf462088d13 1082 #endif
markrad 0:cdf462088d13 1083 int handshake_failure = 0;
markrad 0:cdf462088d13 1084 const int *ciphersuites;
markrad 0:cdf462088d13 1085 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
markrad 0:cdf462088d13 1086 int major, minor;
markrad 0:cdf462088d13 1087
markrad 0:cdf462088d13 1088 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
markrad 0:cdf462088d13 1089
markrad 0:cdf462088d13 1090 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad 0:cdf462088d13 1091 read_record_header:
markrad 0:cdf462088d13 1092 #endif
markrad 0:cdf462088d13 1093 /*
markrad 0:cdf462088d13 1094 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
markrad 0:cdf462088d13 1095 * otherwise read it ourselves manually in order to support SSLv2
markrad 0:cdf462088d13 1096 * ClientHello, which doesn't use the same record layer format.
markrad 0:cdf462088d13 1097 */
markrad 0:cdf462088d13 1098 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1099 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad 0:cdf462088d13 1100 #endif
markrad 0:cdf462088d13 1101 {
markrad 0:cdf462088d13 1102 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
markrad 0:cdf462088d13 1103 {
markrad 0:cdf462088d13 1104 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
markrad 0:cdf462088d13 1105 return( ret );
markrad 0:cdf462088d13 1106 }
markrad 0:cdf462088d13 1107 }
markrad 0:cdf462088d13 1108
markrad 0:cdf462088d13 1109 buf = ssl->in_hdr;
markrad 0:cdf462088d13 1110
markrad 0:cdf462088d13 1111 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
markrad 0:cdf462088d13 1112 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1113 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
markrad 0:cdf462088d13 1114 #endif
markrad 0:cdf462088d13 1115 if( ( buf[0] & 0x80 ) != 0 )
markrad 0:cdf462088d13 1116 return ssl_parse_client_hello_v2( ssl );
markrad 0:cdf462088d13 1117 #endif
markrad 0:cdf462088d13 1118
markrad 0:cdf462088d13 1119 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
markrad 0:cdf462088d13 1120
markrad 0:cdf462088d13 1121 /*
markrad 0:cdf462088d13 1122 * SSLv3/TLS Client Hello
markrad 0:cdf462088d13 1123 *
markrad 0:cdf462088d13 1124 * Record layer:
markrad 0:cdf462088d13 1125 * 0 . 0 message type
markrad 0:cdf462088d13 1126 * 1 . 2 protocol version
markrad 0:cdf462088d13 1127 * 3 . 11 DTLS: epoch + record sequence number
markrad 0:cdf462088d13 1128 * 3 . 4 message length
markrad 0:cdf462088d13 1129 */
markrad 0:cdf462088d13 1130 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
markrad 0:cdf462088d13 1131 buf[0] ) );
markrad 0:cdf462088d13 1132
markrad 0:cdf462088d13 1133 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
markrad 0:cdf462088d13 1134 {
markrad 0:cdf462088d13 1135 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1136 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1137 }
markrad 0:cdf462088d13 1138
markrad 0:cdf462088d13 1139 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
markrad 0:cdf462088d13 1140 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
markrad 0:cdf462088d13 1141
markrad 0:cdf462088d13 1142 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
markrad 0:cdf462088d13 1143 buf[1], buf[2] ) );
markrad 0:cdf462088d13 1144
markrad 0:cdf462088d13 1145 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
markrad 0:cdf462088d13 1146
markrad 0:cdf462088d13 1147 /* According to RFC 5246 Appendix E.1, the version here is typically
markrad 0:cdf462088d13 1148 * "{03,00}, the lowest version number supported by the client, [or] the
markrad 0:cdf462088d13 1149 * value of ClientHello.client_version", so the only meaningful check here
markrad 0:cdf462088d13 1150 * is the major version shouldn't be less than 3 */
markrad 0:cdf462088d13 1151 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
markrad 0:cdf462088d13 1152 {
markrad 0:cdf462088d13 1153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1154 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1155 }
markrad 0:cdf462088d13 1156
markrad 0:cdf462088d13 1157 /* For DTLS if this is the initial handshake, remember the client sequence
markrad 0:cdf462088d13 1158 * number to use it in our next message (RFC 6347 4.2.1) */
markrad 0:cdf462088d13 1159 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1160 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
markrad 0:cdf462088d13 1161 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1162 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
markrad 0:cdf462088d13 1163 #endif
markrad 0:cdf462088d13 1164 )
markrad 0:cdf462088d13 1165 {
markrad 0:cdf462088d13 1166 /* Epoch should be 0 for initial handshakes */
markrad 0:cdf462088d13 1167 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
markrad 0:cdf462088d13 1168 {
markrad 0:cdf462088d13 1169 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1170 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1171 }
markrad 0:cdf462088d13 1172
markrad 0:cdf462088d13 1173 memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
markrad 0:cdf462088d13 1174
markrad 0:cdf462088d13 1175 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
markrad 0:cdf462088d13 1176 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
markrad 0:cdf462088d13 1177 {
markrad 0:cdf462088d13 1178 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
markrad 0:cdf462088d13 1179 ssl->next_record_offset = 0;
markrad 0:cdf462088d13 1180 ssl->in_left = 0;
markrad 0:cdf462088d13 1181 goto read_record_header;
markrad 0:cdf462088d13 1182 }
markrad 0:cdf462088d13 1183
markrad 0:cdf462088d13 1184 /* No MAC to check yet, so we can update right now */
markrad 0:cdf462088d13 1185 mbedtls_ssl_dtls_replay_update( ssl );
markrad 0:cdf462088d13 1186 #endif
markrad 0:cdf462088d13 1187 }
markrad 0:cdf462088d13 1188 #endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad 0:cdf462088d13 1189
markrad 0:cdf462088d13 1190 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
markrad 0:cdf462088d13 1191
markrad 0:cdf462088d13 1192 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1193 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
markrad 0:cdf462088d13 1194 {
markrad 0:cdf462088d13 1195 /* Set by mbedtls_ssl_read_record() */
markrad 0:cdf462088d13 1196 msg_len = ssl->in_hslen;
markrad 0:cdf462088d13 1197 }
markrad 0:cdf462088d13 1198 else
markrad 0:cdf462088d13 1199 #endif
markrad 0:cdf462088d13 1200 {
markrad 0:cdf462088d13 1201 if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
markrad 0:cdf462088d13 1202 {
markrad 0:cdf462088d13 1203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1204 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1205 }
markrad 0:cdf462088d13 1206
markrad 0:cdf462088d13 1207 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
markrad 0:cdf462088d13 1208 {
markrad 0:cdf462088d13 1209 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
markrad 0:cdf462088d13 1210 return( ret );
markrad 0:cdf462088d13 1211 }
markrad 0:cdf462088d13 1212
markrad 0:cdf462088d13 1213 /* Done reading this record, get ready for the next one */
markrad 0:cdf462088d13 1214 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1215 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad 0:cdf462088d13 1216 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
markrad 0:cdf462088d13 1217 else
markrad 0:cdf462088d13 1218 #endif
markrad 0:cdf462088d13 1219 ssl->in_left = 0;
markrad 0:cdf462088d13 1220 }
markrad 0:cdf462088d13 1221
markrad 0:cdf462088d13 1222 buf = ssl->in_msg;
markrad 0:cdf462088d13 1223
markrad 0:cdf462088d13 1224 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
markrad 0:cdf462088d13 1225
markrad 0:cdf462088d13 1226 ssl->handshake->update_checksum( ssl, buf, msg_len );
markrad 0:cdf462088d13 1227
markrad 0:cdf462088d13 1228 /*
markrad 0:cdf462088d13 1229 * Handshake layer:
markrad 0:cdf462088d13 1230 * 0 . 0 handshake type
markrad 0:cdf462088d13 1231 * 1 . 3 handshake length
markrad 0:cdf462088d13 1232 * 4 . 5 DTLS only: message seqence number
markrad 0:cdf462088d13 1233 * 6 . 8 DTLS only: fragment offset
markrad 0:cdf462088d13 1234 * 9 . 11 DTLS only: fragment length
markrad 0:cdf462088d13 1235 */
markrad 0:cdf462088d13 1236 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
markrad 0:cdf462088d13 1237 {
markrad 0:cdf462088d13 1238 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1239 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1240 }
markrad 0:cdf462088d13 1241
markrad 0:cdf462088d13 1242 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
markrad 0:cdf462088d13 1243
markrad 0:cdf462088d13 1244 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
markrad 0:cdf462088d13 1245 {
markrad 0:cdf462088d13 1246 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1247 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1248 }
markrad 0:cdf462088d13 1249
markrad 0:cdf462088d13 1250 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
markrad 0:cdf462088d13 1251 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
markrad 0:cdf462088d13 1252
markrad 0:cdf462088d13 1253 /* We don't support fragmentation of ClientHello (yet?) */
markrad 0:cdf462088d13 1254 if( buf[1] != 0 ||
markrad 0:cdf462088d13 1255 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
markrad 0:cdf462088d13 1256 {
markrad 0:cdf462088d13 1257 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1258 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1259 }
markrad 0:cdf462088d13 1260
markrad 0:cdf462088d13 1261 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1262 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad 0:cdf462088d13 1263 {
markrad 0:cdf462088d13 1264 /*
markrad 0:cdf462088d13 1265 * Copy the client's handshake message_seq on initial handshakes,
markrad 0:cdf462088d13 1266 * check sequence number on renego.
markrad 0:cdf462088d13 1267 */
markrad 0:cdf462088d13 1268 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1269 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad 0:cdf462088d13 1270 {
markrad 0:cdf462088d13 1271 /* This couldn't be done in ssl_prepare_handshake_record() */
markrad 0:cdf462088d13 1272 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
markrad 0:cdf462088d13 1273 ssl->in_msg[5];
markrad 0:cdf462088d13 1274
markrad 0:cdf462088d13 1275 if( cli_msg_seq != ssl->handshake->in_msg_seq )
markrad 0:cdf462088d13 1276 {
markrad 0:cdf462088d13 1277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
markrad 0:cdf462088d13 1278 "%d (expected %d)", cli_msg_seq,
markrad 0:cdf462088d13 1279 ssl->handshake->in_msg_seq ) );
markrad 0:cdf462088d13 1280 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1281 }
markrad 0:cdf462088d13 1282
markrad 0:cdf462088d13 1283 ssl->handshake->in_msg_seq++;
markrad 0:cdf462088d13 1284 }
markrad 0:cdf462088d13 1285 else
markrad 0:cdf462088d13 1286 #endif
markrad 0:cdf462088d13 1287 {
markrad 0:cdf462088d13 1288 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
markrad 0:cdf462088d13 1289 ssl->in_msg[5];
markrad 0:cdf462088d13 1290 ssl->handshake->out_msg_seq = cli_msg_seq;
markrad 0:cdf462088d13 1291 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
markrad 0:cdf462088d13 1292 }
markrad 0:cdf462088d13 1293
markrad 0:cdf462088d13 1294 /*
markrad 0:cdf462088d13 1295 * For now we don't support fragmentation, so make sure
markrad 0:cdf462088d13 1296 * fragment_offset == 0 and fragment_length == length
markrad 0:cdf462088d13 1297 */
markrad 0:cdf462088d13 1298 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
markrad 0:cdf462088d13 1299 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
markrad 0:cdf462088d13 1300 {
markrad 0:cdf462088d13 1301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
markrad 0:cdf462088d13 1302 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
markrad 0:cdf462088d13 1303 }
markrad 0:cdf462088d13 1304 }
markrad 0:cdf462088d13 1305 #endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad 0:cdf462088d13 1306
markrad 0:cdf462088d13 1307 buf += mbedtls_ssl_hs_hdr_len( ssl );
markrad 0:cdf462088d13 1308 msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
markrad 0:cdf462088d13 1309
markrad 0:cdf462088d13 1310 /*
markrad 0:cdf462088d13 1311 * ClientHello layer:
markrad 0:cdf462088d13 1312 * 0 . 1 protocol version
markrad 0:cdf462088d13 1313 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
markrad 0:cdf462088d13 1314 * 34 . 35 session id length (1 byte)
markrad 0:cdf462088d13 1315 * 35 . 34+x session id
markrad 0:cdf462088d13 1316 * 35+x . 35+x DTLS only: cookie length (1 byte)
markrad 0:cdf462088d13 1317 * 36+x . .. DTLS only: cookie
markrad 0:cdf462088d13 1318 * .. . .. ciphersuite list length (2 bytes)
markrad 0:cdf462088d13 1319 * .. . .. ciphersuite list
markrad 0:cdf462088d13 1320 * .. . .. compression alg. list length (1 byte)
markrad 0:cdf462088d13 1321 * .. . .. compression alg. list
markrad 0:cdf462088d13 1322 * .. . .. extensions length (2 bytes, optional)
markrad 0:cdf462088d13 1323 * .. . .. extensions (optional)
markrad 0:cdf462088d13 1324 */
markrad 0:cdf462088d13 1325
markrad 0:cdf462088d13 1326 /*
markrad 0:cdf462088d13 1327 * Minimal length (with everything empty and extensions ommitted) is
markrad 0:cdf462088d13 1328 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
markrad 0:cdf462088d13 1329 * read at least up to session id length without worrying.
markrad 0:cdf462088d13 1330 */
markrad 0:cdf462088d13 1331 if( msg_len < 38 )
markrad 0:cdf462088d13 1332 {
markrad 0:cdf462088d13 1333 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1334 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1335 }
markrad 0:cdf462088d13 1336
markrad 0:cdf462088d13 1337 /*
markrad 0:cdf462088d13 1338 * Check and save the protocol version
markrad 0:cdf462088d13 1339 */
markrad 0:cdf462088d13 1340 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
markrad 0:cdf462088d13 1341
markrad 0:cdf462088d13 1342 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
markrad 0:cdf462088d13 1343 ssl->conf->transport, buf );
markrad 0:cdf462088d13 1344
markrad 0:cdf462088d13 1345 ssl->handshake->max_major_ver = ssl->major_ver;
markrad 0:cdf462088d13 1346 ssl->handshake->max_minor_ver = ssl->minor_ver;
markrad 0:cdf462088d13 1347
markrad 0:cdf462088d13 1348 if( ssl->major_ver < ssl->conf->min_major_ver ||
markrad 0:cdf462088d13 1349 ssl->minor_ver < ssl->conf->min_minor_ver )
markrad 0:cdf462088d13 1350 {
markrad 0:cdf462088d13 1351 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
markrad 0:cdf462088d13 1352 " [%d:%d] < [%d:%d]",
markrad 0:cdf462088d13 1353 ssl->major_ver, ssl->minor_ver,
markrad 0:cdf462088d13 1354 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
markrad 0:cdf462088d13 1355
markrad 0:cdf462088d13 1356 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad 0:cdf462088d13 1357 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
markrad 0:cdf462088d13 1358
markrad 0:cdf462088d13 1359 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
markrad 0:cdf462088d13 1360 }
markrad 0:cdf462088d13 1361
markrad 0:cdf462088d13 1362 if( ssl->major_ver > ssl->conf->max_major_ver )
markrad 0:cdf462088d13 1363 {
markrad 0:cdf462088d13 1364 ssl->major_ver = ssl->conf->max_major_ver;
markrad 0:cdf462088d13 1365 ssl->minor_ver = ssl->conf->max_minor_ver;
markrad 0:cdf462088d13 1366 }
markrad 0:cdf462088d13 1367 else if( ssl->minor_ver > ssl->conf->max_minor_ver )
markrad 0:cdf462088d13 1368 ssl->minor_ver = ssl->conf->max_minor_ver;
markrad 0:cdf462088d13 1369
markrad 0:cdf462088d13 1370 /*
markrad 0:cdf462088d13 1371 * Save client random (inc. Unix time)
markrad 0:cdf462088d13 1372 */
markrad 0:cdf462088d13 1373 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
markrad 0:cdf462088d13 1374
markrad 0:cdf462088d13 1375 memcpy( ssl->handshake->randbytes, buf + 2, 32 );
markrad 0:cdf462088d13 1376
markrad 0:cdf462088d13 1377 /*
markrad 0:cdf462088d13 1378 * Check the session ID length and save session ID
markrad 0:cdf462088d13 1379 */
markrad 0:cdf462088d13 1380 sess_len = buf[34];
markrad 0:cdf462088d13 1381
markrad 0:cdf462088d13 1382 if( sess_len > sizeof( ssl->session_negotiate->id ) ||
markrad 0:cdf462088d13 1383 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
markrad 0:cdf462088d13 1384 {
markrad 0:cdf462088d13 1385 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1386 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1387 }
markrad 0:cdf462088d13 1388
markrad 0:cdf462088d13 1389 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
markrad 0:cdf462088d13 1390
markrad 0:cdf462088d13 1391 ssl->session_negotiate->id_len = sess_len;
markrad 0:cdf462088d13 1392 memset( ssl->session_negotiate->id, 0,
markrad 0:cdf462088d13 1393 sizeof( ssl->session_negotiate->id ) );
markrad 0:cdf462088d13 1394 memcpy( ssl->session_negotiate->id, buf + 35,
markrad 0:cdf462088d13 1395 ssl->session_negotiate->id_len );
markrad 0:cdf462088d13 1396
markrad 0:cdf462088d13 1397 /*
markrad 0:cdf462088d13 1398 * Check the cookie length and content
markrad 0:cdf462088d13 1399 */
markrad 0:cdf462088d13 1400 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1401 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad 0:cdf462088d13 1402 {
markrad 0:cdf462088d13 1403 cookie_offset = 35 + sess_len;
markrad 0:cdf462088d13 1404 cookie_len = buf[cookie_offset];
markrad 0:cdf462088d13 1405
markrad 0:cdf462088d13 1406 if( cookie_offset + 1 + cookie_len + 2 > msg_len )
markrad 0:cdf462088d13 1407 {
markrad 0:cdf462088d13 1408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1409 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1410 }
markrad 0:cdf462088d13 1411
markrad 0:cdf462088d13 1412 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
markrad 0:cdf462088d13 1413 buf + cookie_offset + 1, cookie_len );
markrad 0:cdf462088d13 1414
markrad 0:cdf462088d13 1415 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
markrad 0:cdf462088d13 1416 if( ssl->conf->f_cookie_check != NULL
markrad 0:cdf462088d13 1417 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1418 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
markrad 0:cdf462088d13 1419 #endif
markrad 0:cdf462088d13 1420 )
markrad 0:cdf462088d13 1421 {
markrad 0:cdf462088d13 1422 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
markrad 0:cdf462088d13 1423 buf + cookie_offset + 1, cookie_len,
markrad 0:cdf462088d13 1424 ssl->cli_id, ssl->cli_id_len ) != 0 )
markrad 0:cdf462088d13 1425 {
markrad 0:cdf462088d13 1426 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
markrad 0:cdf462088d13 1427 ssl->handshake->verify_cookie_len = 1;
markrad 0:cdf462088d13 1428 }
markrad 0:cdf462088d13 1429 else
markrad 0:cdf462088d13 1430 {
markrad 0:cdf462088d13 1431 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
markrad 0:cdf462088d13 1432 ssl->handshake->verify_cookie_len = 0;
markrad 0:cdf462088d13 1433 }
markrad 0:cdf462088d13 1434 }
markrad 0:cdf462088d13 1435 else
markrad 0:cdf462088d13 1436 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
markrad 0:cdf462088d13 1437 {
markrad 0:cdf462088d13 1438 /* We know we didn't send a cookie, so it should be empty */
markrad 0:cdf462088d13 1439 if( cookie_len != 0 )
markrad 0:cdf462088d13 1440 {
markrad 0:cdf462088d13 1441 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1442 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1443 }
markrad 0:cdf462088d13 1444
markrad 0:cdf462088d13 1445 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
markrad 0:cdf462088d13 1446 }
markrad 0:cdf462088d13 1447
markrad 0:cdf462088d13 1448 /*
markrad 0:cdf462088d13 1449 * Check the ciphersuitelist length (will be parsed later)
markrad 0:cdf462088d13 1450 */
markrad 0:cdf462088d13 1451 ciph_offset = cookie_offset + 1 + cookie_len;
markrad 0:cdf462088d13 1452 }
markrad 0:cdf462088d13 1453 else
markrad 0:cdf462088d13 1454 #endif /* MBEDTLS_SSL_PROTO_DTLS */
markrad 0:cdf462088d13 1455 ciph_offset = 35 + sess_len;
markrad 0:cdf462088d13 1456
markrad 0:cdf462088d13 1457 ciph_len = ( buf[ciph_offset + 0] << 8 )
markrad 0:cdf462088d13 1458 | ( buf[ciph_offset + 1] );
markrad 0:cdf462088d13 1459
markrad 0:cdf462088d13 1460 if( ciph_len < 2 ||
markrad 0:cdf462088d13 1461 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
markrad 0:cdf462088d13 1462 ( ciph_len % 2 ) != 0 )
markrad 0:cdf462088d13 1463 {
markrad 0:cdf462088d13 1464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1465 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1466 }
markrad 0:cdf462088d13 1467
markrad 0:cdf462088d13 1468 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
markrad 0:cdf462088d13 1469 buf + ciph_offset + 2, ciph_len );
markrad 0:cdf462088d13 1470
markrad 0:cdf462088d13 1471 /*
markrad 0:cdf462088d13 1472 * Check the compression algorithms length and pick one
markrad 0:cdf462088d13 1473 */
markrad 0:cdf462088d13 1474 comp_offset = ciph_offset + 2 + ciph_len;
markrad 0:cdf462088d13 1475
markrad 0:cdf462088d13 1476 comp_len = buf[comp_offset];
markrad 0:cdf462088d13 1477
markrad 0:cdf462088d13 1478 if( comp_len < 1 ||
markrad 0:cdf462088d13 1479 comp_len > 16 ||
markrad 0:cdf462088d13 1480 comp_len + comp_offset + 1 > msg_len )
markrad 0:cdf462088d13 1481 {
markrad 0:cdf462088d13 1482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1483 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1484 }
markrad 0:cdf462088d13 1485
markrad 0:cdf462088d13 1486 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
markrad 0:cdf462088d13 1487 buf + comp_offset + 1, comp_len );
markrad 0:cdf462088d13 1488
markrad 0:cdf462088d13 1489 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
markrad 0:cdf462088d13 1490 #if defined(MBEDTLS_ZLIB_SUPPORT)
markrad 0:cdf462088d13 1491 for( i = 0; i < comp_len; ++i )
markrad 0:cdf462088d13 1492 {
markrad 0:cdf462088d13 1493 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
markrad 0:cdf462088d13 1494 {
markrad 0:cdf462088d13 1495 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
markrad 0:cdf462088d13 1496 break;
markrad 0:cdf462088d13 1497 }
markrad 0:cdf462088d13 1498 }
markrad 0:cdf462088d13 1499 #endif
markrad 0:cdf462088d13 1500
markrad 0:cdf462088d13 1501 /* See comments in ssl_write_client_hello() */
markrad 0:cdf462088d13 1502 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1503 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad 0:cdf462088d13 1504 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
markrad 0:cdf462088d13 1505 #endif
markrad 0:cdf462088d13 1506
markrad 0:cdf462088d13 1507 /* Do not parse the extensions if the protocol is SSLv3 */
markrad 0:cdf462088d13 1508 #if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad 0:cdf462088d13 1509 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
markrad 0:cdf462088d13 1510 {
markrad 0:cdf462088d13 1511 #endif
markrad 0:cdf462088d13 1512 /*
markrad 0:cdf462088d13 1513 * Check the extension length
markrad 0:cdf462088d13 1514 */
markrad 0:cdf462088d13 1515 ext_offset = comp_offset + 1 + comp_len;
markrad 0:cdf462088d13 1516 if( msg_len > ext_offset )
markrad 0:cdf462088d13 1517 {
markrad 0:cdf462088d13 1518 if( msg_len < ext_offset + 2 )
markrad 0:cdf462088d13 1519 {
markrad 0:cdf462088d13 1520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1521 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1522 }
markrad 0:cdf462088d13 1523
markrad 0:cdf462088d13 1524 ext_len = ( buf[ext_offset + 0] << 8 )
markrad 0:cdf462088d13 1525 | ( buf[ext_offset + 1] );
markrad 0:cdf462088d13 1526
markrad 0:cdf462088d13 1527 if( ( ext_len > 0 && ext_len < 4 ) ||
markrad 0:cdf462088d13 1528 msg_len != ext_offset + 2 + ext_len )
markrad 0:cdf462088d13 1529 {
markrad 0:cdf462088d13 1530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1531 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1532 }
markrad 0:cdf462088d13 1533 }
markrad 0:cdf462088d13 1534 else
markrad 0:cdf462088d13 1535 ext_len = 0;
markrad 0:cdf462088d13 1536
markrad 0:cdf462088d13 1537 ext = buf + ext_offset + 2;
markrad 0:cdf462088d13 1538 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
markrad 0:cdf462088d13 1539
markrad 0:cdf462088d13 1540 while( ext_len != 0 )
markrad 0:cdf462088d13 1541 {
markrad 0:cdf462088d13 1542 unsigned int ext_id = ( ( ext[0] << 8 )
markrad 0:cdf462088d13 1543 | ( ext[1] ) );
markrad 0:cdf462088d13 1544 unsigned int ext_size = ( ( ext[2] << 8 )
markrad 0:cdf462088d13 1545 | ( ext[3] ) );
markrad 0:cdf462088d13 1546
markrad 0:cdf462088d13 1547 if( ext_size + 4 > ext_len )
markrad 0:cdf462088d13 1548 {
markrad 0:cdf462088d13 1549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1550 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1551 }
markrad 0:cdf462088d13 1552 switch( ext_id )
markrad 0:cdf462088d13 1553 {
markrad 0:cdf462088d13 1554 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
markrad 0:cdf462088d13 1555 case MBEDTLS_TLS_EXT_SERVERNAME:
markrad 0:cdf462088d13 1556 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
markrad 0:cdf462088d13 1557 if( ssl->conf->f_sni == NULL )
markrad 0:cdf462088d13 1558 break;
markrad 0:cdf462088d13 1559
markrad 0:cdf462088d13 1560 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1561 if( ret != 0 )
markrad 0:cdf462088d13 1562 return( ret );
markrad 0:cdf462088d13 1563 break;
markrad 0:cdf462088d13 1564 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
markrad 0:cdf462088d13 1565
markrad 0:cdf462088d13 1566 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
markrad 0:cdf462088d13 1567 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
markrad 0:cdf462088d13 1568 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1569 renegotiation_info_seen = 1;
markrad 0:cdf462088d13 1570 #endif
markrad 0:cdf462088d13 1571
markrad 0:cdf462088d13 1572 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1573 if( ret != 0 )
markrad 0:cdf462088d13 1574 return( ret );
markrad 0:cdf462088d13 1575 break;
markrad 0:cdf462088d13 1576
markrad 0:cdf462088d13 1577 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
markrad 0:cdf462088d13 1578 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
markrad 0:cdf462088d13 1579 case MBEDTLS_TLS_EXT_SIG_ALG:
markrad 0:cdf462088d13 1580 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
markrad 0:cdf462088d13 1581 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1582 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad 0:cdf462088d13 1583 break;
markrad 0:cdf462088d13 1584 #endif
markrad 0:cdf462088d13 1585
markrad 0:cdf462088d13 1586 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1587 if( ret != 0 )
markrad 0:cdf462088d13 1588 return( ret );
markrad 0:cdf462088d13 1589 break;
markrad 0:cdf462088d13 1590 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
markrad 0:cdf462088d13 1591 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
markrad 0:cdf462088d13 1592
markrad 0:cdf462088d13 1593 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
markrad 0:cdf462088d13 1594 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad 0:cdf462088d13 1595 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
markrad 0:cdf462088d13 1596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
markrad 0:cdf462088d13 1597
markrad 0:cdf462088d13 1598 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1599 if( ret != 0 )
markrad 0:cdf462088d13 1600 return( ret );
markrad 0:cdf462088d13 1601 break;
markrad 0:cdf462088d13 1602
markrad 0:cdf462088d13 1603 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
markrad 0:cdf462088d13 1604 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
markrad 0:cdf462088d13 1605 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
markrad 0:cdf462088d13 1606
markrad 0:cdf462088d13 1607 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1608 if( ret != 0 )
markrad 0:cdf462088d13 1609 return( ret );
markrad 0:cdf462088d13 1610 break;
markrad 0:cdf462088d13 1611 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
markrad 0:cdf462088d13 1612 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad 0:cdf462088d13 1613
markrad 0:cdf462088d13 1614 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad 0:cdf462088d13 1615 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
markrad 0:cdf462088d13 1616 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
markrad 0:cdf462088d13 1617
markrad 0:cdf462088d13 1618 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1619 if( ret != 0 )
markrad 0:cdf462088d13 1620 return( ret );
markrad 0:cdf462088d13 1621 break;
markrad 0:cdf462088d13 1622 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad 0:cdf462088d13 1623
markrad 0:cdf462088d13 1624 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad 0:cdf462088d13 1625 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
markrad 0:cdf462088d13 1626 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
markrad 0:cdf462088d13 1627
markrad 0:cdf462088d13 1628 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1629 if( ret != 0 )
markrad 0:cdf462088d13 1630 return( ret );
markrad 0:cdf462088d13 1631 break;
markrad 0:cdf462088d13 1632 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad 0:cdf462088d13 1633
markrad 0:cdf462088d13 1634 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad 0:cdf462088d13 1635 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
markrad 0:cdf462088d13 1636 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
markrad 0:cdf462088d13 1637
markrad 0:cdf462088d13 1638 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1639 if( ret != 0 )
markrad 0:cdf462088d13 1640 return( ret );
markrad 0:cdf462088d13 1641 break;
markrad 0:cdf462088d13 1642 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad 0:cdf462088d13 1643
markrad 0:cdf462088d13 1644 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad 0:cdf462088d13 1645 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
markrad 0:cdf462088d13 1646 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
markrad 0:cdf462088d13 1647
markrad 0:cdf462088d13 1648 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1649 if( ret != 0 )
markrad 0:cdf462088d13 1650 return( ret );
markrad 0:cdf462088d13 1651 break;
markrad 0:cdf462088d13 1652 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
markrad 0:cdf462088d13 1653
markrad 0:cdf462088d13 1654 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad 0:cdf462088d13 1655 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
markrad 0:cdf462088d13 1656 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
markrad 0:cdf462088d13 1657
markrad 0:cdf462088d13 1658 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1659 if( ret != 0 )
markrad 0:cdf462088d13 1660 return( ret );
markrad 0:cdf462088d13 1661 break;
markrad 0:cdf462088d13 1662 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
markrad 0:cdf462088d13 1663
markrad 0:cdf462088d13 1664 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad 0:cdf462088d13 1665 case MBEDTLS_TLS_EXT_SESSION_TICKET:
markrad 0:cdf462088d13 1666 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
markrad 0:cdf462088d13 1667
markrad 0:cdf462088d13 1668 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1669 if( ret != 0 )
markrad 0:cdf462088d13 1670 return( ret );
markrad 0:cdf462088d13 1671 break;
markrad 0:cdf462088d13 1672 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad 0:cdf462088d13 1673
markrad 0:cdf462088d13 1674 #if defined(MBEDTLS_SSL_ALPN)
markrad 0:cdf462088d13 1675 case MBEDTLS_TLS_EXT_ALPN:
markrad 0:cdf462088d13 1676 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
markrad 0:cdf462088d13 1677
markrad 0:cdf462088d13 1678 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
markrad 0:cdf462088d13 1679 if( ret != 0 )
markrad 0:cdf462088d13 1680 return( ret );
markrad 0:cdf462088d13 1681 break;
markrad 0:cdf462088d13 1682 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad 0:cdf462088d13 1683
markrad 0:cdf462088d13 1684 default:
markrad 0:cdf462088d13 1685 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
markrad 0:cdf462088d13 1686 ext_id ) );
markrad 0:cdf462088d13 1687 }
markrad 0:cdf462088d13 1688
markrad 0:cdf462088d13 1689 ext_len -= 4 + ext_size;
markrad 0:cdf462088d13 1690 ext += 4 + ext_size;
markrad 0:cdf462088d13 1691
markrad 0:cdf462088d13 1692 if( ext_len > 0 && ext_len < 4 )
markrad 0:cdf462088d13 1693 {
markrad 0:cdf462088d13 1694 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
markrad 0:cdf462088d13 1695 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1696 }
markrad 0:cdf462088d13 1697 }
markrad 0:cdf462088d13 1698 #if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad 0:cdf462088d13 1699 }
markrad 0:cdf462088d13 1700 #endif
markrad 0:cdf462088d13 1701
markrad 0:cdf462088d13 1702 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
markrad 0:cdf462088d13 1703 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
markrad 0:cdf462088d13 1704 {
markrad 0:cdf462088d13 1705 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
markrad 0:cdf462088d13 1706 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
markrad 0:cdf462088d13 1707 {
markrad 0:cdf462088d13 1708 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
markrad 0:cdf462088d13 1709
markrad 0:cdf462088d13 1710 if( ssl->minor_ver < ssl->conf->max_minor_ver )
markrad 0:cdf462088d13 1711 {
markrad 0:cdf462088d13 1712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
markrad 0:cdf462088d13 1713
markrad 0:cdf462088d13 1714 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
markrad 0:cdf462088d13 1715 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
markrad 0:cdf462088d13 1716
markrad 0:cdf462088d13 1717 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1718 }
markrad 0:cdf462088d13 1719
markrad 0:cdf462088d13 1720 break;
markrad 0:cdf462088d13 1721 }
markrad 0:cdf462088d13 1722 }
markrad 0:cdf462088d13 1723 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
markrad 0:cdf462088d13 1724
markrad 0:cdf462088d13 1725 /*
markrad 0:cdf462088d13 1726 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
markrad 0:cdf462088d13 1727 */
markrad 0:cdf462088d13 1728 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
markrad 0:cdf462088d13 1729 {
markrad 0:cdf462088d13 1730 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
markrad 0:cdf462088d13 1731 {
markrad 0:cdf462088d13 1732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
markrad 0:cdf462088d13 1733 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1734 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
markrad 0:cdf462088d13 1735 {
markrad 0:cdf462088d13 1736 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
markrad 0:cdf462088d13 1737
markrad 0:cdf462088d13 1738 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad 0:cdf462088d13 1739 return( ret );
markrad 0:cdf462088d13 1740
markrad 0:cdf462088d13 1741 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1742 }
markrad 0:cdf462088d13 1743 #endif
markrad 0:cdf462088d13 1744 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
markrad 0:cdf462088d13 1745 break;
markrad 0:cdf462088d13 1746 }
markrad 0:cdf462088d13 1747 }
markrad 0:cdf462088d13 1748
markrad 0:cdf462088d13 1749 /*
markrad 0:cdf462088d13 1750 * Renegotiation security checks
markrad 0:cdf462088d13 1751 */
markrad 0:cdf462088d13 1752 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
markrad 0:cdf462088d13 1753 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
markrad 0:cdf462088d13 1754 {
markrad 0:cdf462088d13 1755 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
markrad 0:cdf462088d13 1756 handshake_failure = 1;
markrad 0:cdf462088d13 1757 }
markrad 0:cdf462088d13 1758 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 1759 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
markrad 0:cdf462088d13 1760 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
markrad 0:cdf462088d13 1761 renegotiation_info_seen == 0 )
markrad 0:cdf462088d13 1762 {
markrad 0:cdf462088d13 1763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
markrad 0:cdf462088d13 1764 handshake_failure = 1;
markrad 0:cdf462088d13 1765 }
markrad 0:cdf462088d13 1766 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
markrad 0:cdf462088d13 1767 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
markrad 0:cdf462088d13 1768 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
markrad 0:cdf462088d13 1769 {
markrad 0:cdf462088d13 1770 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
markrad 0:cdf462088d13 1771 handshake_failure = 1;
markrad 0:cdf462088d13 1772 }
markrad 0:cdf462088d13 1773 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
markrad 0:cdf462088d13 1774 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
markrad 0:cdf462088d13 1775 renegotiation_info_seen == 1 )
markrad 0:cdf462088d13 1776 {
markrad 0:cdf462088d13 1777 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
markrad 0:cdf462088d13 1778 handshake_failure = 1;
markrad 0:cdf462088d13 1779 }
markrad 0:cdf462088d13 1780 #endif /* MBEDTLS_SSL_RENEGOTIATION */
markrad 0:cdf462088d13 1781
markrad 0:cdf462088d13 1782 if( handshake_failure == 1 )
markrad 0:cdf462088d13 1783 {
markrad 0:cdf462088d13 1784 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
markrad 0:cdf462088d13 1785 return( ret );
markrad 0:cdf462088d13 1786
markrad 0:cdf462088d13 1787 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
markrad 0:cdf462088d13 1788 }
markrad 0:cdf462088d13 1789
markrad 0:cdf462088d13 1790 /*
markrad 0:cdf462088d13 1791 * Search for a matching ciphersuite
markrad 0:cdf462088d13 1792 * (At the end because we need information from the EC-based extensions
markrad 0:cdf462088d13 1793 * and certificate from the SNI callback triggered by the SNI extension.)
markrad 0:cdf462088d13 1794 */
markrad 0:cdf462088d13 1795 got_common_suite = 0;
markrad 0:cdf462088d13 1796 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
markrad 0:cdf462088d13 1797 ciphersuite_info = NULL;
markrad 0:cdf462088d13 1798 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
markrad 0:cdf462088d13 1799 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
markrad 0:cdf462088d13 1800 {
markrad 0:cdf462088d13 1801 for( i = 0; ciphersuites[i] != 0; i++ )
markrad 0:cdf462088d13 1802 #else
markrad 0:cdf462088d13 1803 for( i = 0; ciphersuites[i] != 0; i++ )
markrad 0:cdf462088d13 1804 {
markrad 0:cdf462088d13 1805 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
markrad 0:cdf462088d13 1806 #endif
markrad 0:cdf462088d13 1807 {
markrad 0:cdf462088d13 1808 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
markrad 0:cdf462088d13 1809 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
markrad 0:cdf462088d13 1810 continue;
markrad 0:cdf462088d13 1811
markrad 0:cdf462088d13 1812 got_common_suite = 1;
markrad 0:cdf462088d13 1813
markrad 0:cdf462088d13 1814 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
markrad 0:cdf462088d13 1815 &ciphersuite_info ) ) != 0 )
markrad 0:cdf462088d13 1816 return( ret );
markrad 0:cdf462088d13 1817
markrad 0:cdf462088d13 1818 if( ciphersuite_info != NULL )
markrad 0:cdf462088d13 1819 goto have_ciphersuite;
markrad 0:cdf462088d13 1820 }
markrad 0:cdf462088d13 1821 }
markrad 0:cdf462088d13 1822
markrad 0:cdf462088d13 1823 if( got_common_suite )
markrad 0:cdf462088d13 1824 {
markrad 0:cdf462088d13 1825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
markrad 0:cdf462088d13 1826 "but none of them usable" ) );
markrad 0:cdf462088d13 1827 mbedtls_ssl_send_fatal_handshake_failure( ssl );
markrad 0:cdf462088d13 1828 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
markrad 0:cdf462088d13 1829 }
markrad 0:cdf462088d13 1830 else
markrad 0:cdf462088d13 1831 {
markrad 0:cdf462088d13 1832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
markrad 0:cdf462088d13 1833 mbedtls_ssl_send_fatal_handshake_failure( ssl );
markrad 0:cdf462088d13 1834 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
markrad 0:cdf462088d13 1835 }
markrad 0:cdf462088d13 1836
markrad 0:cdf462088d13 1837 have_ciphersuite:
markrad 0:cdf462088d13 1838 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
markrad 0:cdf462088d13 1839
markrad 0:cdf462088d13 1840 ssl->session_negotiate->ciphersuite = ciphersuites[i];
markrad 0:cdf462088d13 1841 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
markrad 0:cdf462088d13 1842
markrad 0:cdf462088d13 1843 ssl->state++;
markrad 0:cdf462088d13 1844
markrad 0:cdf462088d13 1845 #if defined(MBEDTLS_SSL_PROTO_DTLS)
markrad 0:cdf462088d13 1846 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
markrad 0:cdf462088d13 1847 mbedtls_ssl_recv_flight_completed( ssl );
markrad 0:cdf462088d13 1848 #endif
markrad 0:cdf462088d13 1849
markrad 0:cdf462088d13 1850 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
markrad 0:cdf462088d13 1851
markrad 0:cdf462088d13 1852 return( 0 );
markrad 0:cdf462088d13 1853 }
markrad 0:cdf462088d13 1854
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/*
 * Write the truncated_hmac ServerHello extension (empty extension body).
 *
 * Writes 4 bytes into buf (extension type followed by a zero extension
 * length) and sets *olen = 4, or writes nothing and sets *olen = 0 when the
 * negotiated session has truncated HMAC disabled. No bounds check is made
 * on buf; the caller must leave at least 4 bytes of room.
 */
static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
                                          unsigned char *buf,
                                          size_t *olen )
{
    if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );

    /* extension_type (2 bytes), then extension_data length = 0 (2 bytes) */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
    buf[2] = 0x00;
    buf[3] = 0x00;

    *olen = 4;
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
markrad 0:cdf462088d13 1879
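#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
/*
 * Write the encrypt_then_mac ServerHello extension (RFC 7366, empty body).
 *
 * Writes nothing and sets *olen = 0 when:
 *  - encrypt-then-MAC was not negotiated for this session, or
 *  - the protocol is SSLv3 (minor version 0), which has no extensions, or
 *  - the chosen ciphersuite cannot be resolved or is not a CBC suite
 *    (RFC 7366 forbids answering the extension for stream/AEAD suites).
 * Otherwise writes 4 bytes (type + zero length) into buf and sets *olen = 4.
 * No bounds check is made on buf; the caller must leave at least 4 bytes.
 */
static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                                            unsigned char *buf,
                                            size_t *olen )
{
    unsigned char *p = buf;
    const mbedtls_ssl_ciphersuite_t *suite = NULL;
    const mbedtls_cipher_info_t *cipher = NULL;

    /* Compare the ETM flag against the ETM constant (the original compared
     * it against the numerically equal extended-master-secret constant,
     * which only worked by coincidence). */
    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
    {
        *olen = 0;
        return;
    }

    /*
     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
     * from a client and then selects a stream or Authenticated Encryption
     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
     * encrypt-then-MAC response extension back to the client."
     */
    if( ( suite = mbedtls_ssl_ciphersuite_from_id(
                    ssl->session_negotiate->ciphersuite ) ) == NULL ||
        ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
        cipher->mode != MBEDTLS_MODE_CBC )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );

    /* extension_type (2 bytes), then extension_data length = 0 (2 bytes) */
    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );

    *p++ = 0x00;
    *p++ = 0x00;

    *olen = 4;
}
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */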
markrad 0:cdf462088d13 1922
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
/*
 * Write the extended_master_secret ServerHello extension (empty body).
 *
 * Writes nothing and sets *olen = 0 when the extension was not negotiated
 * for this handshake or the protocol is SSLv3 (minor version 0), which has
 * no extensions. Otherwise writes 4 bytes (type + zero length) into buf and
 * sets *olen = 4. No bounds check is made on buf.
 */
static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
                                       unsigned char *buf,
                                       size_t *olen )
{
    const int wanted =
        ssl->handshake->extended_ms != MBEDTLS_SSL_EXTENDED_MS_DISABLED &&
        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0;

    if( !wanted )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
                                "extension" ) );

    /* extension_type (2 bytes), then extension_data length = 0 (2 bytes) */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
    buf[2] = 0x00;
    buf[3] = 0x00;

    *olen = 4;
}
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
markrad 0:cdf462088d13 1949
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
 * Write the SessionTicket ServerHello extension (empty body), which tells the
 * client that a NewSessionTicket message will follow.
 *
 * Writes nothing and sets *olen = 0 unless a new ticket is going to be
 * issued for this handshake; otherwise writes 4 bytes (type + zero length)
 * into buf and sets *olen = 4. No bounds check is made on buf.
 */
static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
                                          unsigned char *buf,
                                          size_t *olen )
{
    if( ssl->handshake->new_session_ticket == 0 )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );

    /* extension_type (2 bytes), then extension_data length = 0 (2 bytes) */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
    buf[2] = buf[3] = 0x00;

    *olen = 4;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad 0:cdf462088d13 1974
/*
 * Write the renegotiation_info ServerHello extension (RFC 5746).
 *
 * Writes nothing and sets *olen = 0 unless secure renegotiation was
 * negotiated with this peer. On the initial handshake the extension body
 * is an empty renegotiated_connection (a single zero length byte). During
 * a renegotiation (MBEDTLS_SSL_RENEGOTIATION builds only) the body carries
 * the peer's verify_data followed by our own, verify_data_len bytes each.
 * *olen receives the total number of bytes written. No bounds check is
 * made on buf.
 */
static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
                                         unsigned char *buf,
                                         size_t *olen )
{
    unsigned char *p = buf;

    if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );

    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );

#if defined(MBEDTLS_SSL_RENEGOTIATION)
    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
    {
        size_t vlen = ssl->verify_data_len;

        /* extension_data length (high byte hard-coded to 0, so this relies
         * on 2 * vlen + 1 fitting in one byte), then the
         * renegotiated_connection length = 2 * vlen */
        *p++ = 0x00;
        *p++ = ( vlen * 2 + 1 ) & 0xFF;
        *p++ = vlen * 2 & 0xFF;

        memcpy( p, ssl->peer_verify_data, vlen );
        p += vlen;
        memcpy( p, ssl->own_verify_data, vlen );
        p += vlen;

        *olen = p - buf;
        return;
    }
#endif /* MBEDTLS_SSL_RENEGOTIATION */

    /* Initial handshake: extension_data length 1, holding an empty
     * renegotiated_connection */
    *p++ = 0x00;
    *p++ = 0x01;
    *p++ = 0x00;

    *olen = p - buf;
}
markrad 0:cdf462088d13 2014
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/*
 * Write the max_fragment_length ServerHello extension echoing the MFL code
 * negotiated for this session.
 *
 * Writes nothing and sets *olen = 0 when no maximum fragment length was
 * negotiated; otherwise writes 5 bytes (type, length = 1, code) into buf
 * and sets *olen = 5. No bounds check is made on buf.
 */
static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
                                               unsigned char *buf,
                                               size_t *olen )
{
    const unsigned char code = ssl->session_negotiate->mfl_code;

    if( code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );

    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );

    /* extension_data length = 1, then the MaxFragmentLength code */
    buf[2] = 0x00;
    buf[3] = 1;
    buf[4] = code;

    *olen = 5;
}
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
markrad 0:cdf462088d13 2041
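#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
 * Write the ec_point_formats ServerHello extension, advertising the single
 * uncompressed point format.
 *
 * Writes nothing and sets *olen = 0 unless the client sent the extension
 * itself (recorded in ssl->handshake->cli_exts); otherwise writes 6 bytes
 * (type, length = 2, list length = 1, MBEDTLS_ECP_PF_UNCOMPRESSED) into buf
 * and sets *olen = 6. No bounds check is made on buf.
 *
 * The stale "((void) ssl);" unused-parameter suppression was dropped: ssl
 * is read on the very next line.
 */
static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
                                                   unsigned char *buf,
                                                   size_t *olen )
{
    unsigned char *p = buf;

    if( ( ssl->handshake->cli_exts &
          MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );

    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );

    /* extension_data length = 2 */
    *p++ = 0x00;
    *p++ = 2;

    /* ec_point_format_list: one entry, uncompressed */
    *p++ = 1;
    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;

    *olen = 6;
}
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */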
markrad 0:cdf462088d13 2072
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
 * Write the ecjpake_kkpp ServerHello extension carrying our EC-JPAKE
 * round-one message.
 *
 * *olen is left at 0 (nothing written) unless the negotiated ciphersuite
 * uses the EC-JPAKE key exchange. Available space is bounded by
 * ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; the round-one writer is given
 * what remains after the 4-byte extension header. Note that a too-small
 * buffer and a failure of mbedtls_ecjpake_write_round_one() are only
 * logged: this function cannot report errors, so the caller sees
 * *olen == 0 as if the extension were simply not applicable.
 */
static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
                                        unsigned char *buf,
                                        size_t *olen )
{
    int ret;
    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    size_t kkpp_len;

    *olen = 0;

    /* Skip costly computation if not needed */
    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
        return;

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );

    /* Room for the extension type and length fields */
    if( end - buf < 4 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
        return;
    }

    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );

    /* Round-one data goes after the 4-byte header; the callee is told how
     * much space is left so it can refuse rather than overrun */
    ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
                                           buf + 4, end - buf - 4, &kkpp_len,
                                           ssl->conf->f_rng, ssl->conf->p_rng );
    if( ret != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
        return;
    }

    /* extension_data length, now that it is known */
    buf[2] = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
    buf[3] = (unsigned char)( ( kkpp_len      ) & 0xFF );

    *olen = kkpp_len + 4;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad 0:cdf462088d13 2116
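#if defined(MBEDTLS_SSL_ALPN)
/*
 * Write the application_layer_protocol_negotiation ServerHello extension
 * (RFC 7301) announcing the single protocol selected in ssl->alpn_chosen.
 *
 * Writes nothing and sets *olen = 0 if no protocol was chosen. Otherwise the
 * extension occupies 7 + strlen( ssl->alpn_chosen ) bytes of buf and *olen
 * is set to that size. The protocol name length is stored in a single byte,
 * so this relies on the configured ALPN names having been bounded to 255
 * bytes when they were set (presumably by mbedtls_ssl_conf_alpn_protocols()
 * — confirm). No bounds check is made on buf.
 *
 * The closing #endif comment previously named the wrong guard
 * (MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C) and the #if had a stray space.
 */
static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
                                unsigned char *buf, size_t *olen )
{
    if( ssl->alpn_chosen == NULL )
    {
        *olen = 0;
        return;
    }

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );

    /*
     * 0 . 1    ext identifier
     * 2 . 3    ext length
     * 4 . 5    protocol list length
     * 6 . 6    protocol name length
     * 7 . 7+n  protocol name
     */
    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );

    *olen = 7 + strlen( ssl->alpn_chosen );

    /* ext length excludes the 4-byte extension header */
    buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
    buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );

    /* protocol list length excludes the header and the list length itself */
    buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
    buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );

    /* single-byte protocol name length */
    buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );

    memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
}
#endif /* MBEDTLS_SSL_ALPN */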
markrad 0:cdf462088d13 2152
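#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
/*
 * Build and send a DTLS HelloVerifyRequest carrying a cookie produced by the
 * configured f_cookie_write callback, so that the client has to echo it
 * (proving it can receive at its claimed address) before the server commits
 * further handshake state.
 *
 * Returns 0 on success; MBEDTLS_ERR_SSL_INTERNAL_ERROR if f_cookie_write is
 * not configured (f_cookie_check was, see the caller) or if the callback
 * produced a cookie longer than the one-byte length field can describe; or
 * the error returned by f_cookie_write / mbedtls_ssl_write_record.
 * On success ssl->state is advanced to
 * MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT.
 */
static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
{
    int ret;
    unsigned char *p = ssl->out_msg + 4;
    unsigned char *cookie_len_byte;
    size_t cookie_len;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );

    /*
     * struct {
     *   ProtocolVersion server_version;
     *   opaque cookie<0..2^8-1>;
     * } HelloVerifyRequest;
     */

    /* The RFC is not clear on this point, but sending the actual negotiated
     * version looks like the most interoperable thing to do. */
    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
                               ssl->conf->transport, p );
    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
    p += 2;

    /* If we get here, f_cookie_check is not null */
    if( ssl->conf->f_cookie_write == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    /* Skip length byte until we know the length */
    cookie_len_byte = p++;

    if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
                                           &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
                                           ssl->cli_id, ssl->cli_id_len ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
        return( ret );
    }

    /* The cookie length travels in a single byte (opaque cookie<0..2^8-1>).
     * Without this check a callback producing more than 255 bytes would be
     * silently truncated by the cast below, yielding a malformed message. */
    cookie_len = p - ( cookie_len_byte + 1 );
    if( cookie_len > 255 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie too long" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    *cookie_len_byte = (unsigned char) cookie_len;

    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );

    ssl->out_msglen  = p - ssl->out_msg;
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;

    ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;

    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
        return( ret );
    }

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );

    return( 0 );
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */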
markrad 0:cdf462088d13 2215
markrad 0:cdf462088d13 2216 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
markrad 0:cdf462088d13 2217 {
markrad 0:cdf462088d13 2218 #if defined(MBEDTLS_HAVE_TIME)
markrad 0:cdf462088d13 2219 mbedtls_time_t t;
markrad 0:cdf462088d13 2220 #endif
markrad 0:cdf462088d13 2221 int ret;
markrad 0:cdf462088d13 2222 size_t olen, ext_len = 0, n;
markrad 0:cdf462088d13 2223 unsigned char *buf, *p;
markrad 0:cdf462088d13 2224
markrad 0:cdf462088d13 2225 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
markrad 0:cdf462088d13 2226
markrad 0:cdf462088d13 2227 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
markrad 0:cdf462088d13 2228 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
markrad 0:cdf462088d13 2229 ssl->handshake->verify_cookie_len != 0 )
markrad 0:cdf462088d13 2230 {
markrad 0:cdf462088d13 2231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
markrad 0:cdf462088d13 2232 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
markrad 0:cdf462088d13 2233
markrad 0:cdf462088d13 2234 return( ssl_write_hello_verify_request( ssl ) );
markrad 0:cdf462088d13 2235 }
markrad 0:cdf462088d13 2236 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
markrad 0:cdf462088d13 2237
markrad 0:cdf462088d13 2238 if( ssl->conf->f_rng == NULL )
markrad 0:cdf462088d13 2239 {
markrad 0:cdf462088d13 2240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
markrad 0:cdf462088d13 2241 return( MBEDTLS_ERR_SSL_NO_RNG );
markrad 0:cdf462088d13 2242 }
markrad 0:cdf462088d13 2243
markrad 0:cdf462088d13 2244 /*
markrad 0:cdf462088d13 2245 * 0 . 0 handshake type
markrad 0:cdf462088d13 2246 * 1 . 3 handshake length
markrad 0:cdf462088d13 2247 * 4 . 5 protocol version
markrad 0:cdf462088d13 2248 * 6 . 9 UNIX time()
markrad 0:cdf462088d13 2249 * 10 . 37 random bytes
markrad 0:cdf462088d13 2250 */
markrad 0:cdf462088d13 2251 buf = ssl->out_msg;
markrad 0:cdf462088d13 2252 p = buf + 4;
markrad 0:cdf462088d13 2253
markrad 0:cdf462088d13 2254 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
markrad 0:cdf462088d13 2255 ssl->conf->transport, p );
markrad 0:cdf462088d13 2256 p += 2;
markrad 0:cdf462088d13 2257
markrad 0:cdf462088d13 2258 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
markrad 0:cdf462088d13 2259 buf[4], buf[5] ) );
markrad 0:cdf462088d13 2260
markrad 0:cdf462088d13 2261 #if defined(MBEDTLS_HAVE_TIME)
markrad 0:cdf462088d13 2262 t = mbedtls_time( NULL );
markrad 0:cdf462088d13 2263 *p++ = (unsigned char)( t >> 24 );
markrad 0:cdf462088d13 2264 *p++ = (unsigned char)( t >> 16 );
markrad 0:cdf462088d13 2265 *p++ = (unsigned char)( t >> 8 );
markrad 0:cdf462088d13 2266 *p++ = (unsigned char)( t );
markrad 0:cdf462088d13 2267
markrad 0:cdf462088d13 2268 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
markrad 0:cdf462088d13 2269 #else
markrad 0:cdf462088d13 2270 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
markrad 0:cdf462088d13 2271 return( ret );
markrad 0:cdf462088d13 2272
markrad 0:cdf462088d13 2273 p += 4;
markrad 0:cdf462088d13 2274 #endif /* MBEDTLS_HAVE_TIME */
markrad 0:cdf462088d13 2275
markrad 0:cdf462088d13 2276 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
markrad 0:cdf462088d13 2277 return( ret );
markrad 0:cdf462088d13 2278
markrad 0:cdf462088d13 2279 p += 28;
markrad 0:cdf462088d13 2280
markrad 0:cdf462088d13 2281 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
markrad 0:cdf462088d13 2282
markrad 0:cdf462088d13 2283 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
markrad 0:cdf462088d13 2284
markrad 0:cdf462088d13 2285 /*
markrad 0:cdf462088d13 2286 * Resume is 0 by default, see ssl_handshake_init().
markrad 0:cdf462088d13 2287 * It may be already set to 1 by ssl_parse_session_ticket_ext().
markrad 0:cdf462088d13 2288 * If not, try looking up session ID in our cache.
markrad 0:cdf462088d13 2289 */
markrad 0:cdf462088d13 2290 if( ssl->handshake->resume == 0 &&
markrad 0:cdf462088d13 2291 #if defined(MBEDTLS_SSL_RENEGOTIATION)
markrad 0:cdf462088d13 2292 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
markrad 0:cdf462088d13 2293 #endif
markrad 0:cdf462088d13 2294 ssl->session_negotiate->id_len != 0 &&
markrad 0:cdf462088d13 2295 ssl->conf->f_get_cache != NULL &&
markrad 0:cdf462088d13 2296 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
markrad 0:cdf462088d13 2297 {
markrad 0:cdf462088d13 2298 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
markrad 0:cdf462088d13 2299 ssl->handshake->resume = 1;
markrad 0:cdf462088d13 2300 }
markrad 0:cdf462088d13 2301
markrad 0:cdf462088d13 2302 if( ssl->handshake->resume == 0 )
markrad 0:cdf462088d13 2303 {
markrad 0:cdf462088d13 2304 /*
markrad 0:cdf462088d13 2305 * New session, create a new session id,
markrad 0:cdf462088d13 2306 * unless we're about to issue a session ticket
markrad 0:cdf462088d13 2307 */
markrad 0:cdf462088d13 2308 ssl->state++;
markrad 0:cdf462088d13 2309
markrad 0:cdf462088d13 2310 #if defined(MBEDTLS_HAVE_TIME)
markrad 0:cdf462088d13 2311 ssl->session_negotiate->start = mbedtls_time( NULL );
markrad 0:cdf462088d13 2312 #endif
markrad 0:cdf462088d13 2313
markrad 0:cdf462088d13 2314 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad 0:cdf462088d13 2315 if( ssl->handshake->new_session_ticket != 0 )
markrad 0:cdf462088d13 2316 {
markrad 0:cdf462088d13 2317 ssl->session_negotiate->id_len = n = 0;
markrad 0:cdf462088d13 2318 memset( ssl->session_negotiate->id, 0, 32 );
markrad 0:cdf462088d13 2319 }
markrad 0:cdf462088d13 2320 else
markrad 0:cdf462088d13 2321 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad 0:cdf462088d13 2322 {
markrad 0:cdf462088d13 2323 ssl->session_negotiate->id_len = n = 32;
markrad 0:cdf462088d13 2324 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
markrad 0:cdf462088d13 2325 n ) ) != 0 )
markrad 0:cdf462088d13 2326 return( ret );
markrad 0:cdf462088d13 2327 }
markrad 0:cdf462088d13 2328 }
markrad 0:cdf462088d13 2329 else
markrad 0:cdf462088d13 2330 {
markrad 0:cdf462088d13 2331 /*
markrad 0:cdf462088d13 2332 * Resuming a session
markrad 0:cdf462088d13 2333 */
markrad 0:cdf462088d13 2334 n = ssl->session_negotiate->id_len;
markrad 0:cdf462088d13 2335 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
markrad 0:cdf462088d13 2336
markrad 0:cdf462088d13 2337 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
markrad 0:cdf462088d13 2338 {
markrad 0:cdf462088d13 2339 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
markrad 0:cdf462088d13 2340 return( ret );
markrad 0:cdf462088d13 2341 }
markrad 0:cdf462088d13 2342 }
markrad 0:cdf462088d13 2343
markrad 0:cdf462088d13 2344 /*
markrad 0:cdf462088d13 2345 * 38 . 38 session id length
markrad 0:cdf462088d13 2346 * 39 . 38+n session id
markrad 0:cdf462088d13 2347 * 39+n . 40+n chosen ciphersuite
markrad 0:cdf462088d13 2348 * 41+n . 41+n chosen compression alg.
markrad 0:cdf462088d13 2349 * 42+n . 43+n extensions length
markrad 0:cdf462088d13 2350 * 44+n . 43+n+m extensions
markrad 0:cdf462088d13 2351 */
markrad 0:cdf462088d13 2352 *p++ = (unsigned char) ssl->session_negotiate->id_len;
markrad 0:cdf462088d13 2353 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
markrad 0:cdf462088d13 2354 p += ssl->session_negotiate->id_len;
markrad 0:cdf462088d13 2355
markrad 0:cdf462088d13 2356 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
markrad 0:cdf462088d13 2357 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
markrad 0:cdf462088d13 2358 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
markrad 0:cdf462088d13 2359 ssl->handshake->resume ? "a" : "no" ) );
markrad 0:cdf462088d13 2360
markrad 0:cdf462088d13 2361 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
markrad 0:cdf462088d13 2362 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
markrad 0:cdf462088d13 2363 *p++ = (unsigned char)( ssl->session_negotiate->compression );
markrad 0:cdf462088d13 2364
markrad 0:cdf462088d13 2365 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
markrad 0:cdf462088d13 2366 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
markrad 0:cdf462088d13 2367 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
markrad 0:cdf462088d13 2368 ssl->session_negotiate->compression ) );
markrad 0:cdf462088d13 2369
markrad 0:cdf462088d13 2370 /* Do not write the extensions if the protocol is SSLv3 */
markrad 0:cdf462088d13 2371 #if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad 0:cdf462088d13 2372 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
markrad 0:cdf462088d13 2373 {
markrad 0:cdf462088d13 2374 #endif
markrad 0:cdf462088d13 2375
markrad 0:cdf462088d13 2376 /*
markrad 0:cdf462088d13 2377 * First write extensions, then the total length
markrad 0:cdf462088d13 2378 */
markrad 0:cdf462088d13 2379 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2380 ext_len += olen;
markrad 0:cdf462088d13 2381
markrad 0:cdf462088d13 2382 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
markrad 0:cdf462088d13 2383 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2384 ext_len += olen;
markrad 0:cdf462088d13 2385 #endif
markrad 0:cdf462088d13 2386
markrad 0:cdf462088d13 2387 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
markrad 0:cdf462088d13 2388 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2389 ext_len += olen;
markrad 0:cdf462088d13 2390 #endif
markrad 0:cdf462088d13 2391
markrad 0:cdf462088d13 2392 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
markrad 0:cdf462088d13 2393 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2394 ext_len += olen;
markrad 0:cdf462088d13 2395 #endif
markrad 0:cdf462088d13 2396
markrad 0:cdf462088d13 2397 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
markrad 0:cdf462088d13 2398 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2399 ext_len += olen;
markrad 0:cdf462088d13 2400 #endif
markrad 0:cdf462088d13 2401
markrad 0:cdf462088d13 2402 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
markrad 0:cdf462088d13 2403 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2404 ext_len += olen;
markrad 0:cdf462088d13 2405 #endif
markrad 0:cdf462088d13 2406
markrad 0:cdf462088d13 2407 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
markrad 0:cdf462088d13 2408 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad 0:cdf462088d13 2409 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2410 ext_len += olen;
markrad 0:cdf462088d13 2411 #endif
markrad 0:cdf462088d13 2412
markrad 0:cdf462088d13 2413 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad 0:cdf462088d13 2414 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2415 ext_len += olen;
markrad 0:cdf462088d13 2416 #endif
markrad 0:cdf462088d13 2417
markrad 0:cdf462088d13 2418 #if defined(MBEDTLS_SSL_ALPN)
markrad 0:cdf462088d13 2419 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
markrad 0:cdf462088d13 2420 ext_len += olen;
markrad 0:cdf462088d13 2421 #endif
markrad 0:cdf462088d13 2422
markrad 0:cdf462088d13 2423 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
markrad 0:cdf462088d13 2424
markrad 0:cdf462088d13 2425 if( ext_len > 0 )
markrad 0:cdf462088d13 2426 {
markrad 0:cdf462088d13 2427 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
markrad 0:cdf462088d13 2428 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
markrad 0:cdf462088d13 2429 p += ext_len;
markrad 0:cdf462088d13 2430 }
markrad 0:cdf462088d13 2431
markrad 0:cdf462088d13 2432 #if defined(MBEDTLS_SSL_PROTO_SSL3)
markrad 0:cdf462088d13 2433 }
markrad 0:cdf462088d13 2434 #endif
markrad 0:cdf462088d13 2435
markrad 0:cdf462088d13 2436 ssl->out_msglen = p - buf;
markrad 0:cdf462088d13 2437 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad 0:cdf462088d13 2438 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
markrad 0:cdf462088d13 2439
markrad 0:cdf462088d13 2440 ret = mbedtls_ssl_write_record( ssl );
markrad 0:cdf462088d13 2441
markrad 0:cdf462088d13 2442 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
markrad 0:cdf462088d13 2443
markrad 0:cdf462088d13 2444 return( ret );
markrad 0:cdf462088d13 2445 }
markrad 0:cdf462088d13 2446
markrad 0:cdf462088d13 2447 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
markrad 0:cdf462088d13 2448 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
markrad 0:cdf462088d13 2449 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
markrad 0:cdf462088d13 2450 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
markrad 0:cdf462088d13 2451 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
markrad 0:cdf462088d13 2452 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
/*
 * Write the CertificateRequest handshake message.
 *
 * Variant compiled when no certificate-based key exchange is enabled: with
 * only PSK / ECJPAKE ciphersuites available the server never asks the client
 * for a certificate, so the message is always skipped and only the handshake
 * state is advanced.
 *
 * Returns 0 after skipping the message, or MBEDTLS_ERR_SSL_INTERNAL_ERROR if
 * the negotiated ciphersuite is not one of the PSK / ECJPAKE key exchanges
 * (which cannot happen in this build configuration).
 */
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
{
    const mbedtls_ssl_ciphersuite_t *suite =
        ssl->transform_negotiate->ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );

    switch( suite->key_exchange )
    {
        case MBEDTLS_KEY_EXCHANGE_PSK:
        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
            /* These suites never authenticate the client with a certificate */
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
            ssl->state++;
            return( 0 );

        default:
            break;
    }

    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
markrad 0:cdf462088d13 2473 #else
/*
 * Write the CertificateRequest handshake message.
 *
 * Builds, in ssl->out_msg, the list of accepted client certificate types, the
 * accepted signature/hash pairs (TLS 1.2 only) and the DER-encoded subject
 * names of the configured CA chain (see the offset table below), then hands
 * the message to mbedtls_ssl_write_record().
 *
 * The handshake state is advanced unconditionally, so the message is simply
 * omitted when the negotiated key exchange cannot authenticate the client
 * (PSK / ECJPAKE variants) or when the effective authmode is
 * MBEDTLS_SSL_VERIFY_NONE.
 *
 * Returns 0 when the message was skipped or written, otherwise the error
 * code returned by mbedtls_ssl_write_record().
 */
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
{
    /* Initial value is never read: ret is overwritten by the record write
     * below before it is returned. */
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
    size_t dn_size, total_dn_size; /* excluding length bytes */
    size_t ct_len, sa_len; /* including length bytes */
    unsigned char *buf, *p;
    /* One past the last byte that may be written into the outgoing message */
    const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
    const mbedtls_x509_crt *crt;
    int authmode;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );

    /* Advance the state first: both return paths below (skip and write)
     * leave the handshake at the next step. */
    ssl->state++;

    /* A handshake-level sni_authmode, when set, overrides the configured
     * authmode. */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
        authmode = ssl->handshake->sni_authmode;
    else
#endif
    authmode = ssl->conf->authmode;

    /* No client certificate can be used with the PSK / ECJPAKE key
     * exchanges, and none is wanted when verification is disabled. */
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
        authmode == MBEDTLS_SSL_VERIFY_NONE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
        return( 0 );
    }

    /*
     *     0  .  0   handshake type
     *     1  .  3   handshake length
     *     4  .  4   cert type count
     *     5  .. m-1 cert types
     *     m  .. m+1 sig alg length (TLS 1.2 only)
     *    m+2 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
     *     n  .. n+1 length of all DNs
     *    n+2 .. n+3 length of DN 1
     *    n+4 .. ... Distinguished Name #1
     *    ... .. ... length of DN 2, etc.
     */
    buf = ssl->out_msg;
    /* Skip the 4-byte handshake header: byte 0 (type) is set at the end of
     * this function; bytes 1..3 (length) are presumably filled in by
     * mbedtls_ssl_write_record() — confirm. */
    p = buf + 4;

    /*
     * Supported certificate types
     *
     *     ClientCertificateType certificate_types<1..2^8-1>;
     *     enum { (255) } ClientCertificateType;
     */
    ct_len = 0;

    /* Types go to p[1..]; p[0] receives the count once it is known */
#if defined(MBEDTLS_RSA_C)
    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
#endif
#if defined(MBEDTLS_ECDSA_C)
    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
#endif

    /* Write the count byte, then make ct_len include it (see declaration) */
    p[0] = (unsigned char) ct_len++;
    p += ct_len;

    sa_len = 0;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    /*
     * Add signature_algorithms for verify (TLS 1.2)
     *
     *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
     *
     *     struct {
     *           HashAlgorithm hash;
     *           SignatureAlgorithm signature;
     *     } SignatureAndHashAlgorithm;
     *
     *     enum { (255) } HashAlgorithm;
     *     enum { (255) } SignatureAlgorithm;
     */
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
    {
        const int *cur;

        /*
         * Supported signature algorithms
         */
        /* Walk the configured hash list (terminated by MBEDTLS_MD_NONE),
         * writing each pair at p[2..]; p[0..1] receive the length afterwards */
        for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
        {
            unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );

            /* Leave out hashes without a TLS code point, and those for which
             * mbedtls_ssl_set_calc_verify_md() reports non-zero.
             * NOTE(review): that call looks like it also records the verify
             * hash as a side effect — confirm in ssl_tls.c. */
            if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
                continue;

            /* Each usable hash is offered with every enabled signature alg */
#if defined(MBEDTLS_RSA_C)
            p[2 + sa_len++] = hash;
            p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
#endif
#if defined(MBEDTLS_ECDSA_C)
            p[2 + sa_len++] = hash;
            p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
#endif
        }

        /* 2-byte length of the pairs, then make sa_len include those bytes */
        p[0] = (unsigned char)( sa_len >> 8 );
        p[1] = (unsigned char)( sa_len );
        sa_len += 2;
        p += sa_len;
    }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

    /*
     * DistinguishedName certificate_authorities<0..2^16-1>;
     * opaque DistinguishedName<1..2^16-1>;
     */
    /* Reserve the 2-byte total length; it is patched in after the loop once
     * total_dn_size is known. */
    p += 2;
    /* A per-SNI CA chain, when present, takes precedence over the global one */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    if( ssl->handshake->sni_ca_chain != NULL )
        crt = ssl->handshake->sni_ca_chain;
    else
#endif
    crt = ssl->conf->ca_chain;

    total_dn_size = 0;
    /* version == 0 presumably marks an unpopulated trailing chain entry */
    while( crt != NULL && crt->version != 0 )
    {
        dn_size = crt->subject_raw.len;

        /* Bound the 2-byte length prefix plus the DN against the end of the
         * output buffer. Thanks to short-circuit evaluation the "2 + dn_size"
         * test only runs once dn_size is known to fit the remaining space,
         * so that sum cannot wrap. */
        if( end < p ||
            (size_t)( end - p ) < dn_size ||
            (size_t)( end - p ) < 2 + dn_size )
        {
            /* The remaining CAs are dropped with only a debug message: the
             * client sees a shorter CA list and no error reaches the caller. */
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
            break;
        }

        *p++ = (unsigned char)( dn_size >> 8 );
        *p++ = (unsigned char)( dn_size );
        memcpy( p, crt->subject_raw.p, dn_size );
        p += dn_size;

        MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );

        total_dn_size += 2 + dn_size;
        crt = crt->next;
    }

    ssl->out_msglen = p - buf;
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
    ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
    /* Patch the total DN length into the slot reserved above: offset n in
     * the layout table, i.e. right after the header, cert types and sig algs */
    ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
    ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );

    ret = mbedtls_ssl_write_record( ssl );

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );

    return( ret );
}
markrad 0:cdf462088d13 2634 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
markrad 0:cdf462088d13 2635 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
markrad 0:cdf462088d13 2636 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
markrad 0:cdf462088d13 2637 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
markrad 0:cdf462088d13 2638 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
markrad 0:cdf462088d13 2639 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
markrad 0:cdf462088d13 2640
markrad 0:cdf462088d13 2641 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
markrad 0:cdf462088d13 2642 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
/*
 * Load the server's static ECDH parameters from its own certificate key.
 *
 * Used by the ECDH_RSA / ECDH_ECDSA key exchanges, where the server's
 * long-term EC key doubles as its ECDH key pair. The key returned by
 * mbedtls_ssl_own_key() must be EC-capable; it is imported into
 * ssl->handshake->ecdh_ctx as our side (MBEDTLS_ECDH_OURS).
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH if the key cannot
 * do EC operations (a NULL key presumably ends up here too — confirm in
 * mbedtls_pk_can_do()), or the error from mbedtls_ecdh_get_params().
 * Callers must check this value. NOTE(review): the call site in
 * ssl_write_server_key_exchange() discards it.
 */
static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
{
    mbedtls_pk_context *own_key = mbedtls_ssl_own_key( ssl );
    int ret;

    if( mbedtls_pk_can_do( own_key, MBEDTLS_PK_ECKEY ) == 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
    }

    ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
                                   mbedtls_pk_ec( *own_key ),
                                   MBEDTLS_ECDH_OURS );
    if( ret != 0 )
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_get_params", ret );

    return( ret );
}
markrad 0:cdf462088d13 2663 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
markrad 0:cdf462088d13 2664 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
markrad 0:cdf462088d13 2665
markrad 0:cdf462088d13 2666 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
markrad 0:cdf462088d13 2667 {
markrad 0:cdf462088d13 2668 int ret;
markrad 0:cdf462088d13 2669 size_t n = 0;
markrad 0:cdf462088d13 2670 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
markrad 0:cdf462088d13 2671 ssl->transform_negotiate->ciphersuite_info;
markrad 0:cdf462088d13 2672
markrad 0:cdf462088d13 2673 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
markrad 0:cdf462088d13 2674 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
markrad 0:cdf462088d13 2675 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
markrad 0:cdf462088d13 2676 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
markrad 0:cdf462088d13 2677 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
markrad 0:cdf462088d13 2678 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad 0:cdf462088d13 2679 unsigned char *p = ssl->out_msg + 4;
markrad 0:cdf462088d13 2680 unsigned char *dig_signed = p;
markrad 0:cdf462088d13 2681 size_t dig_signed_len = 0, len;
markrad 0:cdf462088d13 2682 ((void) dig_signed);
markrad 0:cdf462088d13 2683 ((void) dig_signed_len);
markrad 0:cdf462088d13 2684 ((void) len);
markrad 0:cdf462088d13 2685 #endif
markrad 0:cdf462088d13 2686
markrad 0:cdf462088d13 2687 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
markrad 0:cdf462088d13 2688
markrad 0:cdf462088d13 2689 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
markrad 0:cdf462088d13 2690 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
markrad 0:cdf462088d13 2691 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
markrad 0:cdf462088d13 2692 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ||
markrad 0:cdf462088d13 2693 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
markrad 0:cdf462088d13 2694 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
markrad 0:cdf462088d13 2695 {
markrad 0:cdf462088d13 2696 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
markrad 0:cdf462088d13 2697 ssl->state++;
markrad 0:cdf462088d13 2698 return( 0 );
markrad 0:cdf462088d13 2699 }
markrad 0:cdf462088d13 2700 #endif
markrad 0:cdf462088d13 2701
markrad 0:cdf462088d13 2702 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
markrad 0:cdf462088d13 2703 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
markrad 0:cdf462088d13 2704 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
markrad 0:cdf462088d13 2705 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
markrad 0:cdf462088d13 2706 {
markrad 0:cdf462088d13 2707 ssl_get_ecdh_params_from_cert( ssl );
markrad 0:cdf462088d13 2708
markrad 0:cdf462088d13 2709 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
markrad 0:cdf462088d13 2710 ssl->state++;
markrad 0:cdf462088d13 2711 return( 0 );
markrad 0:cdf462088d13 2712 }
markrad 0:cdf462088d13 2713 #endif
markrad 0:cdf462088d13 2714
markrad 0:cdf462088d13 2715 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
markrad 0:cdf462088d13 2716 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
markrad 0:cdf462088d13 2717 {
markrad 0:cdf462088d13 2718 size_t jlen;
markrad 0:cdf462088d13 2719 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
markrad 0:cdf462088d13 2720
markrad 0:cdf462088d13 2721 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
markrad 0:cdf462088d13 2722 p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng );
markrad 0:cdf462088d13 2723 if( ret != 0 )
markrad 0:cdf462088d13 2724 {
markrad 0:cdf462088d13 2725 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
markrad 0:cdf462088d13 2726 return( ret );
markrad 0:cdf462088d13 2727 }
markrad 0:cdf462088d13 2728
markrad 0:cdf462088d13 2729 p += jlen;
markrad 0:cdf462088d13 2730 n += jlen;
markrad 0:cdf462088d13 2731 }
markrad 0:cdf462088d13 2732 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
markrad 0:cdf462088d13 2733
markrad 0:cdf462088d13 2734 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
markrad 0:cdf462088d13 2735 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
markrad 0:cdf462088d13 2736 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
markrad 0:cdf462088d13 2737 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
markrad 0:cdf462088d13 2738 {
markrad 0:cdf462088d13 2739 /* Note: we don't support identity hints, until someone asks
markrad 0:cdf462088d13 2740 * for them. */
markrad 0:cdf462088d13 2741 *(p++) = 0x00;
markrad 0:cdf462088d13 2742 *(p++) = 0x00;
markrad 0:cdf462088d13 2743
markrad 0:cdf462088d13 2744 n += 2;
markrad 0:cdf462088d13 2745 }
markrad 0:cdf462088d13 2746 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
markrad 0:cdf462088d13 2747 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
markrad 0:cdf462088d13 2748
markrad 0:cdf462088d13 2749 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
markrad 0:cdf462088d13 2750 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
markrad 0:cdf462088d13 2751 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
markrad 0:cdf462088d13 2752 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
markrad 0:cdf462088d13 2753 {
markrad 0:cdf462088d13 2754 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
markrad 0:cdf462088d13 2755 {
markrad 0:cdf462088d13 2756 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
markrad 0:cdf462088d13 2757 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
markrad 0:cdf462088d13 2758 }
markrad 0:cdf462088d13 2759
markrad 0:cdf462088d13 2760 /*
markrad 0:cdf462088d13 2761 * Ephemeral DH parameters:
markrad 0:cdf462088d13 2762 *
markrad 0:cdf462088d13 2763 * struct {
markrad 0:cdf462088d13 2764 * opaque dh_p<1..2^16-1>;
markrad 0:cdf462088d13 2765 * opaque dh_g<1..2^16-1>;
markrad 0:cdf462088d13 2766 * opaque dh_Ys<1..2^16-1>;
markrad 0:cdf462088d13 2767 * } ServerDHParams;
markrad 0:cdf462088d13 2768 */
markrad 0:cdf462088d13 2769 if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 ||
markrad 0:cdf462088d13 2770 ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
markrad 0:cdf462088d13 2771 {
markrad 0:cdf462088d13 2772 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
markrad 0:cdf462088d13 2773 return( ret );
markrad 0:cdf462088d13 2774 }
markrad 0:cdf462088d13 2775
markrad 0:cdf462088d13 2776 if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
markrad 0:cdf462088d13 2777 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
markrad 0:cdf462088d13 2778 p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad 0:cdf462088d13 2779 {
markrad 0:cdf462088d13 2780 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
markrad 0:cdf462088d13 2781 return( ret );
markrad 0:cdf462088d13 2782 }
markrad 0:cdf462088d13 2783
markrad 0:cdf462088d13 2784 dig_signed = p;
markrad 0:cdf462088d13 2785 dig_signed_len = len;
markrad 0:cdf462088d13 2786
markrad 0:cdf462088d13 2787 p += len;
markrad 0:cdf462088d13 2788 n += len;
markrad 0:cdf462088d13 2789
markrad 0:cdf462088d13 2790 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
markrad 0:cdf462088d13 2791 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
markrad 0:cdf462088d13 2792 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
markrad 0:cdf462088d13 2793 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
markrad 0:cdf462088d13 2794 }
markrad 0:cdf462088d13 2795 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
markrad 0:cdf462088d13 2796 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
markrad 0:cdf462088d13 2797
markrad 0:cdf462088d13 2798 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
markrad 0:cdf462088d13 2799 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
markrad 0:cdf462088d13 2800 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
markrad 0:cdf462088d13 2801 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
markrad 0:cdf462088d13 2802 {
markrad 0:cdf462088d13 2803 /*
markrad 0:cdf462088d13 2804 * Ephemeral ECDH parameters:
markrad 0:cdf462088d13 2805 *
markrad 0:cdf462088d13 2806 * struct {
markrad 0:cdf462088d13 2807 * ECParameters curve_params;
markrad 0:cdf462088d13 2808 * ECPoint public;
markrad 0:cdf462088d13 2809 * } ServerECDHParams;
markrad 0:cdf462088d13 2810 */
markrad 0:cdf462088d13 2811 const mbedtls_ecp_curve_info **curve = NULL;
markrad 0:cdf462088d13 2812 const mbedtls_ecp_group_id *gid;
markrad 0:cdf462088d13 2813
markrad 0:cdf462088d13 2814 /* Match our preference list against the offered curves */
markrad 0:cdf462088d13 2815 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
markrad 0:cdf462088d13 2816 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
markrad 0:cdf462088d13 2817 if( (*curve)->grp_id == *gid )
markrad 0:cdf462088d13 2818 goto curve_matching_done;
markrad 0:cdf462088d13 2819
markrad 0:cdf462088d13 2820 curve_matching_done:
markrad 0:cdf462088d13 2821 if( curve == NULL || *curve == NULL )
markrad 0:cdf462088d13 2822 {
markrad 0:cdf462088d13 2823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
markrad 0:cdf462088d13 2824 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
markrad 0:cdf462088d13 2825 }
markrad 0:cdf462088d13 2826
markrad 0:cdf462088d13 2827 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
markrad 0:cdf462088d13 2828
markrad 0:cdf462088d13 2829 if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
markrad 0:cdf462088d13 2830 (*curve)->grp_id ) ) != 0 )
markrad 0:cdf462088d13 2831 {
markrad 0:cdf462088d13 2832 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
markrad 0:cdf462088d13 2833 return( ret );
markrad 0:cdf462088d13 2834 }
markrad 0:cdf462088d13 2835
markrad 0:cdf462088d13 2836 if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
markrad 0:cdf462088d13 2837 p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
markrad 0:cdf462088d13 2838 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad 0:cdf462088d13 2839 {
markrad 0:cdf462088d13 2840 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
markrad 0:cdf462088d13 2841 return( ret );
markrad 0:cdf462088d13 2842 }
markrad 0:cdf462088d13 2843
markrad 0:cdf462088d13 2844 dig_signed = p;
markrad 0:cdf462088d13 2845 dig_signed_len = len;
markrad 0:cdf462088d13 2846
markrad 0:cdf462088d13 2847 p += len;
markrad 0:cdf462088d13 2848 n += len;
markrad 0:cdf462088d13 2849
markrad 0:cdf462088d13 2850 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
markrad 0:cdf462088d13 2851 }
markrad 0:cdf462088d13 2852 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
markrad 0:cdf462088d13 2853
markrad 0:cdf462088d13 2854 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
markrad 0:cdf462088d13 2855 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
markrad 0:cdf462088d13 2856 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
markrad 0:cdf462088d13 2857 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
markrad 0:cdf462088d13 2858 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
markrad 0:cdf462088d13 2859 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
markrad 0:cdf462088d13 2860 {
markrad 0:cdf462088d13 2861 size_t signature_len = 0;
markrad 0:cdf462088d13 2862 unsigned int hashlen = 0;
markrad 0:cdf462088d13 2863 unsigned char hash[64];
markrad 0:cdf462088d13 2864 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
markrad 0:cdf462088d13 2865
markrad 0:cdf462088d13 2866 /*
markrad 0:cdf462088d13 2867 * Choose hash algorithm. NONE means MD5 + SHA1 here.
markrad 0:cdf462088d13 2868 */
markrad 0:cdf462088d13 2869 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad 0:cdf462088d13 2870 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad 0:cdf462088d13 2871 {
markrad 0:cdf462088d13 2872 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
markrad 0:cdf462088d13 2873
markrad 0:cdf462088d13 2874 if( md_alg == MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 2875 {
markrad 0:cdf462088d13 2876 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad 0:cdf462088d13 2877 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad 0:cdf462088d13 2878 }
markrad 0:cdf462088d13 2879 }
markrad 0:cdf462088d13 2880 else
markrad 0:cdf462088d13 2881 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad 0:cdf462088d13 2882 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
markrad 0:cdf462088d13 2883 defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad 0:cdf462088d13 2884 if( ciphersuite_info->key_exchange ==
markrad 0:cdf462088d13 2885 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
markrad 0:cdf462088d13 2886 {
markrad 0:cdf462088d13 2887 md_alg = MBEDTLS_MD_SHA1;
markrad 0:cdf462088d13 2888 }
markrad 0:cdf462088d13 2889 else
markrad 0:cdf462088d13 2890 #endif
markrad 0:cdf462088d13 2891 {
markrad 0:cdf462088d13 2892 md_alg = MBEDTLS_MD_NONE;
markrad 0:cdf462088d13 2893 }
markrad 0:cdf462088d13 2894
markrad 0:cdf462088d13 2895 /*
markrad 0:cdf462088d13 2896 * Compute the hash to be signed
markrad 0:cdf462088d13 2897 */
markrad 0:cdf462088d13 2898 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
markrad 0:cdf462088d13 2899 defined(MBEDTLS_SSL_PROTO_TLS1_1)
markrad 0:cdf462088d13 2900 if( md_alg == MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 2901 {
markrad 0:cdf462088d13 2902 mbedtls_md5_context mbedtls_md5;
markrad 0:cdf462088d13 2903 mbedtls_sha1_context mbedtls_sha1;
markrad 0:cdf462088d13 2904
markrad 0:cdf462088d13 2905 mbedtls_md5_init( &mbedtls_md5 );
markrad 0:cdf462088d13 2906 mbedtls_sha1_init( &mbedtls_sha1 );
markrad 0:cdf462088d13 2907
markrad 0:cdf462088d13 2908 /*
markrad 0:cdf462088d13 2909 * digitally-signed struct {
markrad 0:cdf462088d13 2910 * opaque md5_hash[16];
markrad 0:cdf462088d13 2911 * opaque sha_hash[20];
markrad 0:cdf462088d13 2912 * };
markrad 0:cdf462088d13 2913 *
markrad 0:cdf462088d13 2914 * md5_hash
markrad 0:cdf462088d13 2915 * MD5(ClientHello.random + ServerHello.random
markrad 0:cdf462088d13 2916 * + ServerParams);
markrad 0:cdf462088d13 2917 * sha_hash
markrad 0:cdf462088d13 2918 * SHA(ClientHello.random + ServerHello.random
markrad 0:cdf462088d13 2919 * + ServerParams);
markrad 0:cdf462088d13 2920 */
markrad 0:cdf462088d13 2921 mbedtls_md5_starts( &mbedtls_md5 );
markrad 0:cdf462088d13 2922 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
markrad 0:cdf462088d13 2923 mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
markrad 0:cdf462088d13 2924 mbedtls_md5_finish( &mbedtls_md5, hash );
markrad 0:cdf462088d13 2925
markrad 0:cdf462088d13 2926 mbedtls_sha1_starts( &mbedtls_sha1 );
markrad 0:cdf462088d13 2927 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
markrad 0:cdf462088d13 2928 mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
markrad 0:cdf462088d13 2929 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
markrad 0:cdf462088d13 2930
markrad 0:cdf462088d13 2931 hashlen = 36;
markrad 0:cdf462088d13 2932
markrad 0:cdf462088d13 2933 mbedtls_md5_free( &mbedtls_md5 );
markrad 0:cdf462088d13 2934 mbedtls_sha1_free( &mbedtls_sha1 );
markrad 0:cdf462088d13 2935 }
markrad 0:cdf462088d13 2936 else
markrad 0:cdf462088d13 2937 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
markrad 0:cdf462088d13 2938 MBEDTLS_SSL_PROTO_TLS1_1 */
markrad 0:cdf462088d13 2939 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
markrad 0:cdf462088d13 2940 defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad 0:cdf462088d13 2941 if( md_alg != MBEDTLS_MD_NONE )
markrad 0:cdf462088d13 2942 {
markrad 0:cdf462088d13 2943 mbedtls_md_context_t ctx;
markrad 0:cdf462088d13 2944 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
markrad 0:cdf462088d13 2945
markrad 0:cdf462088d13 2946 mbedtls_md_init( &ctx );
markrad 0:cdf462088d13 2947
markrad 0:cdf462088d13 2948 /* Info from md_alg will be used instead */
markrad 0:cdf462088d13 2949 hashlen = 0;
markrad 0:cdf462088d13 2950
markrad 0:cdf462088d13 2951 /*
markrad 0:cdf462088d13 2952 * digitally-signed struct {
markrad 0:cdf462088d13 2953 * opaque client_random[32];
markrad 0:cdf462088d13 2954 * opaque server_random[32];
markrad 0:cdf462088d13 2955 * ServerDHParams params;
markrad 0:cdf462088d13 2956 * };
markrad 0:cdf462088d13 2957 */
markrad 0:cdf462088d13 2958 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
markrad 0:cdf462088d13 2959 {
markrad 0:cdf462088d13 2960 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
markrad 0:cdf462088d13 2961 return( ret );
markrad 0:cdf462088d13 2962 }
markrad 0:cdf462088d13 2963
markrad 0:cdf462088d13 2964 mbedtls_md_starts( &ctx );
markrad 0:cdf462088d13 2965 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
markrad 0:cdf462088d13 2966 mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
markrad 0:cdf462088d13 2967 mbedtls_md_finish( &ctx, hash );
markrad 0:cdf462088d13 2968 mbedtls_md_free( &ctx );
markrad 0:cdf462088d13 2969 }
markrad 0:cdf462088d13 2970 else
markrad 0:cdf462088d13 2971 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
markrad 0:cdf462088d13 2972 MBEDTLS_SSL_PROTO_TLS1_2 */
markrad 0:cdf462088d13 2973 {
markrad 0:cdf462088d13 2974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
markrad 0:cdf462088d13 2975 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
markrad 0:cdf462088d13 2976 }
markrad 0:cdf462088d13 2977
markrad 0:cdf462088d13 2978 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
markrad 0:cdf462088d13 2979 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
markrad 0:cdf462088d13 2980
markrad 0:cdf462088d13 2981 /*
markrad 0:cdf462088d13 2982 * Make the signature
markrad 0:cdf462088d13 2983 */
markrad 0:cdf462088d13 2984 if( mbedtls_ssl_own_key( ssl ) == NULL )
markrad 0:cdf462088d13 2985 {
markrad 0:cdf462088d13 2986 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
markrad 0:cdf462088d13 2987 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
markrad 0:cdf462088d13 2988 }
markrad 0:cdf462088d13 2989
markrad 0:cdf462088d13 2990 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
markrad 0:cdf462088d13 2991 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
markrad 0:cdf462088d13 2992 {
markrad 0:cdf462088d13 2993 *(p++) = ssl->handshake->sig_alg;
markrad 0:cdf462088d13 2994 *(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
markrad 0:cdf462088d13 2995
markrad 0:cdf462088d13 2996 n += 2;
markrad 0:cdf462088d13 2997 }
markrad 0:cdf462088d13 2998 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
markrad 0:cdf462088d13 2999
markrad 0:cdf462088d13 3000 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
markrad 0:cdf462088d13 3001 p + 2 , &signature_len,
markrad 0:cdf462088d13 3002 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
markrad 0:cdf462088d13 3003 {
markrad 0:cdf462088d13 3004 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
markrad 0:cdf462088d13 3005 return( ret );
markrad 0:cdf462088d13 3006 }
markrad 0:cdf462088d13 3007
markrad 0:cdf462088d13 3008 *(p++) = (unsigned char)( signature_len >> 8 );
markrad 0:cdf462088d13 3009 *(p++) = (unsigned char)( signature_len );
markrad 0:cdf462088d13 3010 n += 2;
markrad 0:cdf462088d13 3011
markrad 0:cdf462088d13 3012 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
markrad 0:cdf462088d13 3013
markrad 0:cdf462088d13 3014 n += signature_len;
markrad 0:cdf462088d13 3015 }
markrad 0:cdf462088d13 3016 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
markrad 0:cdf462088d13 3017 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
markrad 0:cdf462088d13 3018 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
markrad 0:cdf462088d13 3019
markrad 0:cdf462088d13 3020 ssl->out_msglen = 4 + n;
markrad 0:cdf462088d13 3021 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
markrad 0:cdf462088d13 3022 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
markrad 0:cdf462088d13 3023
markrad 0:cdf462088d13 3024 ssl->state++;
markrad 0:cdf462088d13 3025
markrad 0:cdf462088d13 3026 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
markrad 0:cdf462088d13 3027 {
markrad 0:cdf462088d13 3028 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
markrad 0:cdf462088d13 3029 return( ret );
markrad 0:cdf462088d13 3030 }
markrad 0:cdf462088d13 3031
markrad 0:cdf462088d13 3032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
markrad 0:cdf462088d13 3033
markrad 0:cdf462088d13 3034 return( 0 );
markrad 0:cdf462088d13 3035 }
markrad 0:cdf462088d13 3036
/*
 * Emit the ServerHelloDone handshake message.
 *
 * The message has no body, so only the 4-byte handshake header is
 * reserved (out_msglen = 4).  On DTLS this message closes the server's
 * flight, which is signalled before the record is written.
 *
 * Returns 0 on success, or the error from mbedtls_ssl_write_record().
 */
static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
{
    int status;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );

    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
    ssl->out_msglen  = 4;

    /* Advance the state machine before the record leaves */
    ssl->state++;

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    /* This is the last message of the server's flight over DTLS */
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
        mbedtls_ssl_send_flight_completed( ssl );
#endif

    status = mbedtls_ssl_write_record( ssl );
    if( status != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", status );
        return( status );
    }

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );

    return( 0 );
}
markrad 0:cdf462088d13 3064
markrad 0:cdf462088d13 3065 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
markrad 0:cdf462088d13 3066 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
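/*
 * Parse the client's DH public value from a ClientKeyExchange body.
 *
 * On entry *p points at the first unparsed byte and end one past the last
 * byte of the message body.  On success *p is advanced past the value and
 * 0 is returned; on a malformed length MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
 * is returned, and if the DHM module rejects the value
 * MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP is returned.
 */
static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
                                       const unsigned char *end )
{
    int ret;
    size_t n;

    /*
     * Receive G^Y mod P, premaster = (G^Y)^X mod P
     *
     * Wire format: 2-byte big-endian length, then the client's public value.
     *
     * The bounds checks are written as distances to 'end' rather than as
     * '*p + k > end': forming a pointer past the end of the buffer is
     * undefined behaviour, and a compiler is entitled to drop such a check.
     */
    if( end - *p < 2 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

    n = ( (*p)[0] << 8 ) | (*p)[1];
    *p += 2;

    if( (size_t)( end - *p ) < n )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

    /* NOTE(review): range validation of GY (1 < GY < P-1) is presumably the
     * DHM module's job rather than this parser's -- confirm before relying
     * on it. */
    if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
    }

    *p += n;

    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );

    return( 0 );
}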
markrad 0:cdf462088d13 3103 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
markrad 0:cdf462088d13 3104 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
markrad 0:cdf462088d13 3105
markrad 0:cdf462088d13 3106 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
markrad 0:cdf462088d13 3107 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
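/*
 * Decrypt the RSA-encrypted premaster secret from a ClientKeyExchange.
 *
 * [p, end) is the remaining message body.  The decrypted 48-byte premaster
 * is written at ssl->handshake->premaster + pms_offset (pms_offset is 0 for
 * plain RSA and 2 for RSA-PSK, see the callers) and pmslen is set to 48.
 *
 * Bleichenbacher countermeasure: a bad padding, a wrong length or a wrong
 * embedded version does NOT produce an error here.  Instead the premaster
 * is silently replaced by random bytes, in constant time, so that the
 * failure only surfaces later as a bad Finished MAC.  Everything after the
 * public-length checks must therefore stay free of secret-dependent
 * branches.
 *
 * Returns 0 unless the message framing is malformed, no RSA key is
 * configured, the RNG fails, or pms_offset is inconsistent with the
 * premaster buffer.
 */
static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
                                    const unsigned char *p,
                                    const unsigned char *end,
                                    size_t pms_offset )
{
    int ret;
    size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
    unsigned char *pms = ssl->handshake->premaster + pms_offset;
    unsigned char ver[2];
    unsigned char fake_pms[48];
    /* Zeroed so that the comparisons below never read uninitialised bytes
     * when mbedtls_pk_decrypt() fails without writing its output. */
    unsigned char peer_pms[48] = { 0 };
    unsigned char mask;
    size_t i;
    size_t peer_pmslen = 0;
    unsigned int diff;

    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
    }

    /*
     * Decrypt the premaster using own private RSA key
     *
     * TLS 1.0 and later prefix the EncryptedPreMasterSecret with a 2-byte
     * length that must equal the RSA modulus size; SSLv3 has no prefix.
     * These checks depend only on public data (message layout and key
     * size), so they may fail early.
     */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
    {
        /* The two length bytes must lie inside the message before they are
         * read; the previous version dereferenced them unconditionally. */
        if( end - p < 2 )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
        }

        if( p[0] != ( ( len >> 8 ) & 0xFF ) ||
            p[1] != ( ( len      ) & 0xFF ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
        }

        p += 2;
    }
#endif

    /* The ciphertext must fill exactly the rest of the message
     * (compared as a distance to avoid forming a pointer past 'end'). */
    if( (size_t)( end - p ) != len )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

    /* Internal consistency of the destination, independent of peer input */
    if( sizeof( ssl->handshake->premaster ) < pms_offset ||
        sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    /* Expected first two premaster bytes: the version recorded in
     * handshake->max_{major,minor}_ver (presumably the version the client
     * offered in its ClientHello -- confirm against the ClientHello parser). */
    mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
                               ssl->handshake->max_minor_ver,
                               ssl->conf->transport, ver );

    /*
     * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
     * must not cause the connection to end immediately; instead, send a
     * bad_record_mac later in the handshake.
     * Also, avoid data-dependant branches here to protect against
     * timing-based variants.
     */
    ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
    if( ret != 0 )
        return( ret );

    ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
                      peer_pms, &peer_pmslen,
                      sizeof( peer_pms ),
                      ssl->conf->f_rng, ssl->conf->p_rng );

    /* diff accumulates every failure condition without branching:
     * decrypt error, wrong plaintext length, wrong embedded version. */
    diff  = (unsigned int) ret;
    diff |= peer_pmslen ^ 48;
    diff |= peer_pms[0] ^ ver[0];
    diff |= peer_pms[1] ^ ver[1];

#if defined(MBEDTLS_SSL_DEBUG_ALL)
    if( diff != 0 )
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
#endif

    ssl->handshake->pmslen = 48;

    /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
    /* MSVC has a warning about unary minus on unsigned, but this is
     * well-defined and precisely what we want to do here */
#if defined(_MSC_VER)
#pragma warning( push )
#pragma warning( disable : 4146 )
#endif
    mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
#if defined(_MSC_VER)
#pragma warning( pop )
#endif

    /* Select the random premaster on any failure, the real one otherwise,
     * with a constant-time byte-wise blend. */
    for( i = 0; i < ssl->handshake->pmslen; i++ )
        pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );

    /* NOTE(review): fake_pms and peer_pms still hold premaster material on
     * the stack when this returns; wiping them before return would be
     * prudent (with a zeroization the compiler cannot elide). */
    return( 0 );
}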
markrad 0:cdf462088d13 3205 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
markrad 0:cdf462088d13 3206 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
markrad 0:cdf462088d13 3207
markrad 0:cdf462088d13 3208 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
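/*
 * Parse and validate the PSK identity from a ClientKeyExchange body.
 *
 * On entry *p points at the first unparsed byte and end one past the last
 * byte of the body.  The identity is either handed to the configured
 * f_psk callback or compared against the single static identity in conf.
 * On success *p is advanced past the identity and 0 is returned.
 *
 * On an unknown identity a fatal unknown_psk_identity alert is sent and
 * MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY is returned.  Note that this alert tells
 * the peer that the identity itself was not accepted; RFC 4279 also allows
 * a server to hide this by continuing with a random key and failing on the
 * Finished MAC instead -- a deployment choice, not changed here.
 */
static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
                                          const unsigned char *end )
{
    int ret = 0;
    size_t n;

    /* Either a callback or a complete static PSK + identity is required */
    if( ssl->conf->f_psk == NULL &&
        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
    }

    /*
     * Receive client pre-shared key identity name
     *
     * Wire format: 2-byte big-endian length, then the identity bytes.
     * Bounds checks are written as distances to 'end' rather than as
     * '*p + k > end', which would form a pointer past the buffer (UB).
     */
    if( end - *p < 2 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

    n = ( (*p)[0] << 8 ) | (*p)[1];
    *p += 2;

    /* An empty identity is rejected; the upper bound cannot trigger for a
     * 2-byte length and is kept only as a defensive check. */
    if( n < 1 || n > 65535 || (size_t)( end - *p ) < n )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

    if( ssl->conf->f_psk != NULL )
    {
        /* The callback is expected to install the PSK for this identity;
         * any non-zero return is treated as "unknown identity". */
        if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
    }
    else
    {
        /* Identity is not a big secret since clients send it in the clear,
         * but treat it carefully anyway, just in case.  The length test
         * short-circuits, so only the identity length is timing-visible;
         * the content comparison is constant-time. */
        if( n != ssl->conf->psk_identity_len ||
            mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
        {
            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
        }
    }

    if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
    {
        MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
        if( ( ret = mbedtls_ssl_send_alert_message( ssl,
                              MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                              MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
        {
            return( ret );
        }

        return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
    }

    *p += n;

    return( 0 );
}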
markrad 0:cdf462088d13 3274 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
markrad 0:cdf462088d13 3275
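/*
 * Read and process the ClientKeyExchange message, then derive the
 * session keys.
 *
 * The message body [p, end) is handed to the parser matching the
 * negotiated key exchange: (EC)DH(E) public values, PSK identities,
 * RSA-encrypted premasters and EC-JPAKE round two.  Each branch must leave
 * ssl->handshake->premaster / pmslen populated; mbedtls_ssl_derive_keys()
 * then turns the premaster into the record keys and the state advances.
 *
 * Returns 0 on success.  Framing errors are reported as
 * MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE, failures to read a peer
 * public value as ..._RP and failures to compute the shared secret as
 * ..._CS; other errors are propagated from the callee.
 */
static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
{
    int ret;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
    unsigned char *p, *end;

    ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );

    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
        return( ret );
    }

    /* Handshake body, excluding the (TLS or DTLS sized) handshake header */
    p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
    end = ssl->in_msg + ssl->in_hslen;

    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
    }

    /*
     * Dispatch on the negotiated key exchange.  The if/else chain is
     * interleaved with #if guards so that only compiled-in exchanges are
     * considered; the final else catches anything unexpected.
     */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
    {
        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
            return( ret );
        }

        /* No trailing bytes are allowed after the DH public value */
        if( p != end )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
        }

        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
                                      ssl->handshake->premaster,
                                      MBEDTLS_PREMASTER_SIZE,
                                     &ssl->handshake->pmslen,
                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
        }

        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
    {
        /* The whole remaining body is passed down; there is no p == end
         * check here, so full consumption is presumably enforced inside
         * mbedtls_ecdh_read_public() -- confirm. */
        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
                                      p, end - p) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
        }

        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );

        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
                                      &ssl->handshake->pmslen,
                                       ssl->handshake->premaster,
                                       MBEDTLS_MPI_MAX_SIZE,
                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
        }

        MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z  ", &ssl->handshake->ecdh_ctx.z );
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
    {
        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
            return( ret );
        }

        /* Plain PSK: the identity is the entire body */
        if( p != end )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
        }

        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
                        ciphersuite_info->key_exchange ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
    {
        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
            return( ret );
        }

        /* The decrypted premaster lands at offset 2 of the premaster
         * buffer; the PSK derivation below fills in the rest of the
         * RSA-PSK layout around it.  ssl_parse_encrypted_pms() verifies
         * that the ciphertext runs exactly to 'end'. */
        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
            return( ret );
        }

        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
                        ciphersuite_info->key_exchange ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
    {
        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
            return( ret );
        }
        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
            return( ret );
        }

        /* Identity followed by DH public value must exhaust the body */
        if( p != end )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
        }

        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
                        ciphersuite_info->key_exchange ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
    {
        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
            return( ret );
        }

        /* As in the ECDH(E) branch above, the remainder of the body goes
         * to the ECDH reader, which is presumably responsible for
         * rejecting trailing bytes -- confirm. */
        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
                                       p, end - p ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
        }

        MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );

        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
                        ciphersuite_info->key_exchange ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
    {
        /* Premaster at offset 0; framing is checked by the callee */
        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
    {
        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
                                              p, end - p );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
            /* This is the ClientKeyExchange being parsed, so report it like
             * the other peer-public-value failures in this function
             * (previously mis-reported as BAD_HS_SERVER_KEY_EXCHANGE). */
            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
        }

        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
                ssl->conf->f_rng, ssl->conf->p_rng );
        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
            return( ret );
        }
    }
    else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    /* Premaster -> master secret -> record keys */
    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
        return( ret );
    }

    ssl->state++;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );

    return( 0 );
}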
markrad 0:cdf462088d13 3525
markrad 0:cdf462088d13 3526 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
markrad 0:cdf462088d13 3527 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
markrad 0:cdf462088d13 3528 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
markrad 0:cdf462088d13 3529 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
markrad 0:cdf462088d13 3530 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
markrad 0:cdf462088d13 3531 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
/*
 * CertificateVerify parser for builds with no certificate-based key
 * exchange compiled in.
 *
 * In such a build every ciphersuite that can be negotiated authenticates
 * the client without a certificate (PSK family or EC-JPAKE), so the
 * CertificateVerify message never exists on the wire and this step is a
 * no-op that only advances the state machine.  Any other key exchange
 * reaching this point is an internal inconsistency and is reported as such.
 *
 * Returns 0 when the message is legitimately absent,
 * MBEDTLS_ERR_SSL_INTERNAL_ERROR otherwise.
 */
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{
    const mbedtls_ssl_ciphersuite_t *suite =
        ssl->transform_negotiate->ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );

    switch( suite->key_exchange )
    {
        case MBEDTLS_KEY_EXCHANGE_PSK:
        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
            /* No client certificate in these suites: nothing to verify. */
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
            ssl->state++;
            return( 0 );

        default:
            break;
    }

    /* A certificate-based suite cannot have been negotiated in this build. */
    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
markrad 0:cdf462088d13 3552 #else
/*
 * Parse the client's CertificateVerify message and check its signature
 * against the public key of the client certificate received earlier.
 *
 * The signature covers the handshake transcript up to but excluding this
 * message, so the record is read through the low-level helpers (not added
 * to the running checksum), verified, and only then folded into the
 * checksum via mbedtls_ssl_update_handshake_status().
 *
 * Returns 0 on success or when the message is legitimately absent,
 * MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY for a malformed or
 * non-conforming message, MBEDTLS_ERR_SSL_INTERNAL_ERROR for an
 * unexpected protocol version, or the error returned by the record layer
 * or by mbedtls_pk_verify().
 */
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
    size_t i, sig_len;
    /* Transcript digest buffer: 36 bytes for the MD5||SHA-1 pair used
     * before TLS 1.2; 48 bytes is presumably the largest single digest
     * calc_verify can emit (SHA-384) -- confirm against calc_verify. */
    unsigned char hash[48];
    /* Start of the part of 'hash' that is actually signed; advanced past
     * the 16-byte MD5 half when only the SHA-1 half is covered. */
    unsigned char *hash_start = hash;
    size_t hashlen;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    mbedtls_pk_type_t pk_alg;
#endif
    mbedtls_md_type_t md_alg;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );

    /*
     * PSK-family and EC-JPAKE suites never authenticate the client with a
     * certificate, and if no client certificate was received at all
     * (presumably client auth was optional and the client sent none) there
     * is no key to verify against. In both cases the message is absent.
     */
    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
        ssl->session_negotiate->peer_cert == NULL )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
        ssl->state++;
        return( 0 );
    }

    /* Read the message without adding it to the checksum */
    /*
     * The signature is over the transcript *before* this message
     * (RFC 5246 7.4.8), so the record is pulled in piecewise here and the
     * checksum update is deferred until after verification. A NON_FATAL
     * result means the record was consumed without yielding the expected
     * message (e.g. a warning alert, presumably) -- keep reading.
     */
    do {

        if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
            return( ret );
        }

        ret = mbedtls_ssl_handle_message_type( ssl );

    } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );

    if( 0 != ret )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
        return( ret );
    }

    /* Advanced before the message is validated; every error path below is
     * fatal for the handshake, so the premature step is harmless. */
    ssl->state++;

    /* Process the message contents */
    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
        ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    }

    /* 'i' is the read cursor into in_msg; it starts after the handshake
     * header (4 bytes for TLS, longer for DTLS). */
    i = mbedtls_ssl_hs_hdr_len( ssl );

    /*
     *  struct {
     *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
     *     opaque signature<0..2^16-1>;
     *  } DigitallySigned;
     */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
    defined(MBEDTLS_SSL_PROTO_TLS1_1)
    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
    {
        /*
         * Pre-TLS 1.2: no algorithm field on the wire. RSA signs the raw
         * 36-byte MD5||SHA-1 concatenation (md_alg NONE tells pk_verify not
         * to wrap it in a DigestInfo).
         */
        md_alg = MBEDTLS_MD_NONE;
        hashlen = 36;

        /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
        if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
                        MBEDTLS_PK_ECDSA ) )
        {
            hash_start += 16;
            hashlen -= 16;
            md_alg = MBEDTLS_MD_SHA1;
        }
    }
    else
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
          MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
    {
        /* Need the 2-byte SignatureAndHashAlgorithm. */
        if( i + 2 > ssl->in_hslen )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
        }

        /*
         * Hash
         */
        /*
         * Map the wire hash id to an md type and, in the same step, select
         * the matching calc_verify() for this hash. Either an unknown id or
         * a hash mbedtls_ssl_set_calc_verify_md() refuses (non-zero return)
         * rejects the message.
         */
        md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );

        if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
                                " for verify message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
        }

        /*
         * NOTE(review): MBEDTLS_MD_SHA1 is an enumerator of mbedtls_md_type_t
         * (it is compared with md_alg just below), not a macro, so this
         * #if is presumably always true -- confirm; the adjustment itself
         * mirrors the ECDSA case above: when SHA-1 is selected, calc_verify
         * presumably still fills the MD5||SHA-1 pair and only the SHA-1
         * half is signed.
         */
#if !defined(MBEDTLS_MD_SHA1)
        if( MBEDTLS_MD_SHA1 == md_alg )
            hash_start += 16;
#endif

        /* Info from md_alg will be used instead */
        hashlen = 0;

        i++;

        /*
         * Signature
         */
        if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
                        == MBEDTLS_PK_NONE )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
                                " for verify message" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
        }

        /*
         * Check the certificate's key type matches the signature alg
         */
        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
        }

        i++;
    }
    else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
    {
        /* minor_ver matched no compiled-in protocol version. */
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

    /* 2-byte big-endian signature length follows. */
    if( i + 2 > ssl->in_hslen )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    }

    sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
    i += 2;

    /* The signature must fill the rest of the handshake body exactly:
     * this rejects both truncated signatures and trailing garbage. */
    if( i + sig_len != ssl->in_hslen )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
    }

    /* Calculate hash and verify signature */
    /* calc_verify is the version/hash-specific transcript digest selected
     * earlier (for TLS 1.2 by mbedtls_ssl_set_calc_verify_md() above). With
     * hashlen == 0 the digest length is derived from md_alg by pk_verify. */
    ssl->handshake->calc_verify( ssl, hash );

    if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
                           md_alg, hash_start, hashlen,
                           ssl->in_msg + i, sig_len ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
        return( ret );
    }

    /* Only now add CertificateVerify to the handshake checksum, so that
     * Finished covers it while the signature itself did not. */
    mbedtls_ssl_update_handshake_status( ssl );

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );

    /* ret is 0 here. */
    return( ret );
}
markrad 0:cdf462088d13 3728 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
markrad 0:cdf462088d13 3729 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
markrad 0:cdf462088d13 3730 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
markrad 0:cdf462088d13 3731 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
markrad 0:cdf462088d13 3732 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
markrad 0:cdf462088d13 3733 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
markrad 0:cdf462088d13 3734
markrad 0:cdf462088d13 3735 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
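/*
 * Build and send a NewSessionTicket handshake message (RFC 5077).
 *
 * The ticket body is produced by the configured f_ticket_write callback,
 * which writes straight into the outgoing message buffer after the 10-byte
 * header laid out below.  A callback failure is not fatal for the
 * handshake: it is logged and an empty ticket is sent instead, with the
 * lifetime hint set to 0 ("unspecified").
 *
 * Returns 0 on success, or the error from mbedtls_ssl_write_record().
 */
static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
{
    int ret;
    /*
     * Pre-set both callback outputs to their "no ticket" values.  The header
     * below is serialized whether or not f_ticket_write succeeded, and the
     * callback's contract on failure is not visible here; previously
     * 'lifetime' was left uninitialized on the error path, so four
     * indeterminate stack bytes were written onto the wire.
     */
    size_t tlen = 0;
    uint32_t lifetime = 0;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );

    /* Bytes 1..3 (handshake body length) are presumably filled in by
     * mbedtls_ssl_write_record() from out_msglen. */
    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
    ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;

    /*
     * struct {
     *     uint32 ticket_lifetime_hint;
     *     opaque ticket<0..2^16-1>;
     * } NewSessionTicket;
     *
     * 4  .  7   ticket_lifetime_hint (0 = unspecified)
     * 8  .  9   ticket_len (n)
     * 10 .  9+n ticket content
     */

    /* The ticket is written in place after the header; the end pointer
     * gives the callback the limit of the writable record area. */
    if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
                                ssl->session_negotiate,
                                ssl->out_msg + 10,
                                ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
                                &tlen, &lifetime ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
        /* Send a consistent "no ticket" message -- empty body and an
         * unspecified lifetime -- regardless of what the callback may have
         * stored before failing. */
        tlen = 0;
        lifetime = 0;
    }

    ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
    ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
    ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
    ssl->out_msg[7] = ( lifetime       ) & 0xFF;

    ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
    ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );

    ssl->out_msglen = 10 + tlen;

    /*
     * Morally equivalent to updating ssl->state, but NewSessionTicket and
     * ChangeCipherSpec share the same state.
     */
    ssl->handshake->new_session_ticket = 0;

    if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
    {
        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
        return( ret );
    }

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );

    return( 0 );
}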
markrad 0:cdf462088d13 3794 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
markrad 0:cdf462088d13 3795
markrad 0:cdf462088d13 3796 /*
markrad 0:cdf462088d13 3797 * SSL handshake -- server side -- single step
markrad 0:cdf462088d13 3798 */
/*
 * SSL handshake -- server side -- single step
 */
/*
 * Perform one step of the server-side handshake state machine.
 *
 * Each call first flushes any pending output, then (DTLS) resends the
 * current flight if a retransmission is in progress, and finally runs the
 * single action associated with ssl->state. The individual handlers advance
 * ssl->state themselves; this function only dispatches.
 *
 * Returns 0 on success, MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the handshake
 * is already over, no handshake context exists, or the state is unknown,
 * MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED (DTLS) after a HelloVerifyRequest
 * has been sent, or whatever the flush/resend/handler call returned
 * (presumably including WANT_READ/WANT_WRITE from the transport).
 */
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
{
    int ret = 0;

    /* handshake is freed at wrap-up; guard before any dereference. */
    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );

    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
        return( ret );

#if defined(MBEDTLS_SSL_PROTO_DTLS)
    /* A flight still being (re)transmitted takes priority over state work. */
    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
    {
        if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
            return( ret );
    }
#endif

    switch( ssl->state )
    {
        /* Initial state: nothing to send, just wait for the ClientHello. */
        case MBEDTLS_SSL_HELLO_REQUEST:
            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
            break;

        /*
         *  <==   ClientHello
         */
        case MBEDTLS_SSL_CLIENT_HELLO:
            ret = ssl_parse_client_hello( ssl );
            break;

#if defined(MBEDTLS_SSL_PROTO_DTLS)
        /* A HelloVerifyRequest was sent (cookie exchange); this is reported
         * to the application as an error code rather than handled here. */
        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
            return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
#endif

        /*
         *  ==>   ServerHello
         *        Certificate
         *      ( ServerKeyExchange  )
         *      ( CertificateRequest )
         *        ServerHelloDone
         */
        case MBEDTLS_SSL_SERVER_HELLO:
            ret = ssl_write_server_hello( ssl );
            break;

        case MBEDTLS_SSL_SERVER_CERTIFICATE:
            ret = mbedtls_ssl_write_certificate( ssl );
            break;

        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
            ret = ssl_write_server_key_exchange( ssl );
            break;

        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
            ret = ssl_write_certificate_request( ssl );
            break;

        case MBEDTLS_SSL_SERVER_HELLO_DONE:
            ret = ssl_write_server_hello_done( ssl );
            break;

        /*
         *  <== ( Certificate/Alert  )
         *        ClientKeyExchange
         *      ( CertificateVerify  )
         *        ChangeCipherSpec
         *        Finished
         */
        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
            ret = mbedtls_ssl_parse_certificate( ssl );
            break;

        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
            ret = ssl_parse_client_key_exchange( ssl );
            break;

        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
            ret = ssl_parse_certificate_verify( ssl );
            break;

        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
            ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
            break;

        case MBEDTLS_SSL_CLIENT_FINISHED:
            ret = mbedtls_ssl_parse_finished( ssl );
            break;

        /*
         *  ==> ( NewSessionTicket )
         *        ChangeCipherSpec
         *        Finished
         */
        /*
         * NewSessionTicket shares this state with ChangeCipherSpec:
         * ssl_write_new_session_ticket() clears new_session_ticket without
         * advancing ssl->state, so the next step lands here again and then
         * sends the ChangeCipherSpec.
         */
        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
            if( ssl->handshake->new_session_ticket != 0 )
                ret = ssl_write_new_session_ticket( ssl );
            else
#endif
                ret = mbedtls_ssl_write_change_cipher_spec( ssl );
            break;

        case MBEDTLS_SSL_SERVER_FINISHED:
            ret = mbedtls_ssl_write_finished( ssl );
            break;

        /* Output was already flushed at the top of this call. */
        case MBEDTLS_SSL_FLUSH_BUFFERS:
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
            break;

        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
            mbedtls_ssl_handshake_wrapup( ssl );
            break;

        default:
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
    }

    return( ret );
}
markrad 0:cdf462088d13 3926 #endif /* MBEDTLS_SSL_SRV_C */