1 /*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47 #if !defined(MBEDTLS_CONFIG_FILE)
48 #include "mbedtls/config.h"
49 #else
50 #include MBEDTLS_CONFIG_FILE
51 #endif
52
53 #if defined(MBEDTLS_SSL_CLI_C)
54
55 #if defined(MBEDTLS_PLATFORM_C)
56 #include "mbedtls/platform.h"
57 #else
58 #include <stdlib.h>
59 #define mbedtls_calloc calloc
60 #define mbedtls_free free
61 #endif
62
63 #include "mbedtls/debug.h"
64 #include "mbedtls/ssl.h"
65 #include "mbedtls/ssl_internal.h"
66
67 #include <string.h>
68
69 #include <stdint.h>
70
71 #if defined(MBEDTLS_HAVE_TIME)
72 #include "mbedtls/platform_time.h"
73 #endif
74
75 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
76 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)77 static void mbedtls_zeroize( void *v, size_t n ) {
78 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
79 }
80 #endif
81
82 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
ssl_write_hostname_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)83 static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
84 unsigned char *buf,
85 const unsigned char *end,
86 size_t *olen )
87 {
88 unsigned char *p = buf;
89 size_t hostname_len;
90
91 *olen = 0;
92
93 if( ssl->hostname == NULL )
94 return( 0 );
95
96 MBEDTLS_SSL_DEBUG_MSG( 3,
97 ( "client hello, adding server name extension: %s",
98 ssl->hostname ) );
99
100 hostname_len = strlen( ssl->hostname );
101
102 MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
103
104 /*
105 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
106 *
107 * In order to provide any of the server names, clients MAY include an
108 * extension of type "server_name" in the (extended) client hello. The
109 * "extension_data" field of this extension SHALL contain
110 * "ServerNameList" where:
111 *
112 * struct {
113 * NameType name_type;
114 * select (name_type) {
115 * case host_name: HostName;
116 * } name;
117 * } ServerName;
118 *
119 * enum {
120 * host_name(0), (255)
121 * } NameType;
122 *
123 * opaque HostName<1..2^16-1>;
124 *
125 * struct {
126 * ServerName server_name_list<1..2^16-1>
127 * } ServerNameList;
128 *
129 */
130 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
131 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
132
133 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
134 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
135
136 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
137 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
138
139 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
140 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
141 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
142
143 memcpy( p, ssl->hostname, hostname_len );
144
145 *olen = hostname_len + 9;
146
147 return( 0 );
148 }
149 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
150
151 #if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)152 static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
153 unsigned char *buf,
154 const unsigned char *end,
155 size_t *olen )
156 {
157 unsigned char *p = buf;
158
159 *olen = 0;
160
161 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
162 * initial ClientHello, in which case also adding the renegotiation
163 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
164 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
165 return( 0 );
166
167 MBEDTLS_SSL_DEBUG_MSG( 3,
168 ( "client hello, adding renegotiation extension" ) );
169
170 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len );
171
172 /*
173 * Secure renegotiation
174 */
175 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
176 & 0xFF );
177 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
178 & 0xFF );
179
180 *p++ = 0x00;
181 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
182 *p++ = ssl->verify_data_len & 0xFF;
183
184 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
185
186 *olen = 5 + ssl->verify_data_len;
187
188 return( 0 );
189 }
190 #endif /* MBEDTLS_SSL_RENEGOTIATION */
191
192 /*
193 * Only if we handle at least one key exchange that needs signatures.
194 */
195 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
196 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
ssl_write_signature_algorithms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)197 static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
198 unsigned char *buf,
199 const unsigned char *end,
200 size_t *olen )
201 {
202 unsigned char *p = buf;
203 size_t sig_alg_len = 0;
204 const int *md;
205
206 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
207 unsigned char *sig_alg_list = buf + 6;
208 #endif
209
210 *olen = 0;
211
212 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
213 return( 0 );
214
215 MBEDTLS_SSL_DEBUG_MSG( 3,
216 ( "client hello, adding signature_algorithms extension" ) );
217
218 if( ssl->conf->sig_hashes == NULL )
219 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
220
221 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
222 {
223 #if defined(MBEDTLS_ECDSA_C)
224 sig_alg_len += 2;
225 #endif
226 #if defined(MBEDTLS_RSA_C)
227 sig_alg_len += 2;
228 #endif
229 if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
230 {
231 MBEDTLS_SSL_DEBUG_MSG( 3,
232 ( "length in bytes of sig-hash-alg extension too big" ) );
233 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
234 }
235 }
236
237 /* Empty signature algorithms list, this is a configuration error. */
238 if( sig_alg_len == 0 )
239 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
240
241 MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
242
243 /*
244 * Prepare signature_algorithms extension (TLS 1.2)
245 */
246 sig_alg_len = 0;
247
248 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
249 {
250 #if defined(MBEDTLS_ECDSA_C)
251 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
252 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
253 #endif
254 #if defined(MBEDTLS_RSA_C)
255 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
256 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
257 #endif
258 }
259
260 /*
261 * enum {
262 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
263 * sha512(6), (255)
264 * } HashAlgorithm;
265 *
266 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
267 * SignatureAlgorithm;
268 *
269 * struct {
270 * HashAlgorithm hash;
271 * SignatureAlgorithm signature;
272 * } SignatureAndHashAlgorithm;
273 *
274 * SignatureAndHashAlgorithm
275 * supported_signature_algorithms<2..2^16-2>;
276 */
277 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
278 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
279
280 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
281 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
282
283 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
284 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
285
286 *olen = 6 + sig_alg_len;
287
288 return( 0 );
289 }
290 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
291 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
292
293 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
294 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_supported_elliptic_curves_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)295 static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
296 unsigned char *buf,
297 const unsigned char *end,
298 size_t *olen )
299 {
300 unsigned char *p = buf;
301 unsigned char *elliptic_curve_list = p + 6;
302 size_t elliptic_curve_len = 0;
303 const mbedtls_ecp_curve_info *info;
304 const mbedtls_ecp_group_id *grp_id;
305
306 *olen = 0;
307
308 MBEDTLS_SSL_DEBUG_MSG( 3,
309 ( "client hello, adding supported_elliptic_curves extension" ) );
310
311 if( ssl->conf->curve_list == NULL )
312 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
313
314 for( grp_id = ssl->conf->curve_list;
315 *grp_id != MBEDTLS_ECP_DP_NONE;
316 grp_id++ )
317 {
318 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
319 if( info == NULL )
320 {
321 MBEDTLS_SSL_DEBUG_MSG( 1,
322 ( "invalid curve in ssl configuration" ) );
323 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
324 }
325 elliptic_curve_len += 2;
326
327 if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
328 {
329 MBEDTLS_SSL_DEBUG_MSG( 3,
330 ( "malformed supported_elliptic_curves extension in config" ) );
331 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
332 }
333 }
334
335 /* Empty elliptic curve list, this is a configuration error. */
336 if( elliptic_curve_len == 0 )
337 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
338
339 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
340
341 elliptic_curve_len = 0;
342
343 for( grp_id = ssl->conf->curve_list;
344 *grp_id != MBEDTLS_ECP_DP_NONE;
345 grp_id++ )
346 {
347 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
348 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
349 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
350 }
351
352 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
353 & 0xFF );
354 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES )
355 & 0xFF );
356
357 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
358 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
359
360 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
361 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
362
363 *olen = 6 + elliptic_curve_len;
364
365 return( 0 );
366 }
367
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)368 static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
369 unsigned char *buf,
370 const unsigned char *end,
371 size_t *olen )
372 {
373 unsigned char *p = buf;
374 (void) ssl; /* ssl used for debugging only */
375
376 *olen = 0;
377
378 MBEDTLS_SSL_DEBUG_MSG( 3,
379 ( "client hello, adding supported_point_formats extension" ) );
380 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
381
382 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
383 & 0xFF );
384 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS )
385 & 0xFF );
386
387 *p++ = 0x00;
388 *p++ = 2;
389
390 *p++ = 1;
391 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
392
393 *olen = 6;
394
395 return( 0 );
396 }
397 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
398 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
399
400 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)401 static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
402 unsigned char *buf,
403 const unsigned char *end,
404 size_t *olen )
405 {
406 int ret;
407 unsigned char *p = buf;
408 size_t kkpp_len;
409
410 *olen = 0;
411
412 /* Skip costly extension if we can't use EC J-PAKE anyway */
413 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
414 return( 0 );
415
416 MBEDTLS_SSL_DEBUG_MSG( 3,
417 ( "client hello, adding ecjpake_kkpp extension" ) );
418
419 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
420
421 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
422 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
423
424 /*
425 * We may need to send ClientHello multiple times for Hello verification.
426 * We don't want to compute fresh values every time (both for performance
427 * and consistency reasons), so cache the extension content.
428 */
429 if( ssl->handshake->ecjpake_cache == NULL ||
430 ssl->handshake->ecjpake_cache_len == 0 )
431 {
432 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
433
434 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
435 p + 2, end - p - 2, &kkpp_len,
436 ssl->conf->f_rng, ssl->conf->p_rng );
437 if( ret != 0 )
438 {
439 MBEDTLS_SSL_DEBUG_RET( 1 ,
440 "mbedtls_ecjpake_write_round_one", ret );
441 return( ret );
442 }
443
444 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
445 if( ssl->handshake->ecjpake_cache == NULL )
446 {
447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
448 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
449 }
450
451 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
452 ssl->handshake->ecjpake_cache_len = kkpp_len;
453 }
454 else
455 {
456 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
457
458 kkpp_len = ssl->handshake->ecjpake_cache_len;
459 MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
460
461 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
462 }
463
464 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
465 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
466
467 *olen = kkpp_len + 4;
468
469 return( 0 );
470 }
471 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
472
473 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)474 static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
475 unsigned char *buf,
476 const unsigned char *end,
477 size_t *olen )
478 {
479 unsigned char *p = buf;
480
481 *olen = 0;
482
483 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
484 return( 0 );
485
486 MBEDTLS_SSL_DEBUG_MSG( 3,
487 ( "client hello, adding max_fragment_length extension" ) );
488
489 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
490
491 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
492 & 0xFF );
493 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
494 & 0xFF );
495
496 *p++ = 0x00;
497 *p++ = 1;
498
499 *p++ = ssl->conf->mfl_code;
500
501 *olen = 5;
502
503 return( 0 );
504 }
505 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
506
507 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl_write_truncated_hmac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)508 static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
509 unsigned char *buf,
510 const unsigned char *end,
511 size_t *olen )
512 {
513 unsigned char *p = buf;
514
515 *olen = 0;
516
517 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
518 return( 0 );
519
520 MBEDTLS_SSL_DEBUG_MSG( 3,
521 ( "client hello, adding truncated_hmac extension" ) );
522
523 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
524
525 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
526 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
527
528 *p++ = 0x00;
529 *p++ = 0x00;
530
531 *olen = 4;
532
533 return( 0 );
534 }
535 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
536
537 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)538 static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
539 unsigned char *buf,
540 const unsigned char *end,
541 size_t *olen )
542 {
543 unsigned char *p = buf;
544
545 *olen = 0;
546
547 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
548 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
549 return( 0 );
550
551 MBEDTLS_SSL_DEBUG_MSG( 3,
552 ( "client hello, adding encrypt_then_mac extension" ) );
553
554 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
555
556 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
557 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
558
559 *p++ = 0x00;
560 *p++ = 0x00;
561
562 *olen = 4;
563
564 return( 0 );
565 }
566 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
567
568 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)569 static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
570 unsigned char *buf,
571 const unsigned char *end,
572 size_t *olen )
573 {
574 unsigned char *p = buf;
575
576 *olen = 0;
577
578 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
579 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
580 return( 0 );
581
582 MBEDTLS_SSL_DEBUG_MSG( 3,
583 ( "client hello, adding extended_master_secret extension" ) );
584
585 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
586
587 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
588 & 0xFF );
589 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET )
590 & 0xFF );
591
592 *p++ = 0x00;
593 *p++ = 0x00;
594
595 *olen = 4;
596
597 return( 0 );
598 }
599 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
600
601 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)602 static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
603 unsigned char *buf,
604 const unsigned char *end,
605 size_t *olen )
606 {
607 unsigned char *p = buf;
608 size_t tlen = ssl->session_negotiate->ticket_len;
609
610 *olen = 0;
611
612 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
613 return( 0 );
614
615 MBEDTLS_SSL_DEBUG_MSG( 3,
616 ( "client hello, adding session ticket extension" ) );
617
618 /* The addition is safe here since the ticket length is 16 bit. */
619 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
620
621 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
622 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
623
624 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
625 *p++ = (unsigned char)( ( tlen ) & 0xFF );
626
627 *olen = 4;
628
629 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
630 return( 0 );
631
632 MBEDTLS_SSL_DEBUG_MSG( 3,
633 ( "sending session ticket of length %d", tlen ) );
634
635 memcpy( p, ssl->session_negotiate->ticket, tlen );
636
637 *olen += tlen;
638
639 return( 0 );
640 }
641 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
642
643 #if defined(MBEDTLS_SSL_ALPN)
ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)644 static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
645 unsigned char *buf,
646 const unsigned char *end,
647 size_t *olen )
648 {
649 unsigned char *p = buf;
650 size_t alpnlen = 0;
651 const char **cur;
652
653 *olen = 0;
654
655 if( ssl->conf->alpn_list == NULL )
656 return( 0 );
657
658 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
659
660 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
661 alpnlen += strlen( *cur ) + 1;
662
663 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
664
665 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
666 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
667
668 /*
669 * opaque ProtocolName<1..2^8-1>;
670 *
671 * struct {
672 * ProtocolName protocol_name_list<2..2^16-1>
673 * } ProtocolNameList;
674 */
675
676 /* Skip writing extension and list length for now */
677 p += 4;
678
679 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
680 {
681 /*
682 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
683 * protocol names is less than 255.
684 */
685 *p = (unsigned char)strlen( *cur );
686 memcpy( p + 1, *cur, *p );
687 p += 1 + *p;
688 }
689
690 *olen = p - buf;
691
692 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
693 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
694 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
695
696 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
697 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
698 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
699
700 return( 0 );
701 }
702 #endif /* MBEDTLS_SSL_ALPN */
703
704 /*
705 * Generate random bytes for ClientHello
706 */
ssl_generate_random(mbedtls_ssl_context * ssl)707 static int ssl_generate_random( mbedtls_ssl_context *ssl )
708 {
709 int ret;
710 unsigned char *p = ssl->handshake->randbytes;
711 #if defined(MBEDTLS_HAVE_TIME)
712 mbedtls_time_t t;
713 #endif
714
715 /*
716 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
717 */
718 #if defined(MBEDTLS_SSL_PROTO_DTLS)
719 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
720 ssl->handshake->verify_cookie != NULL )
721 {
722 return( 0 );
723 }
724 #endif
725
726 #if defined(MBEDTLS_HAVE_TIME)
727 t = mbedtls_time( NULL );
728 *p++ = (unsigned char)( t >> 24 );
729 *p++ = (unsigned char)( t >> 16 );
730 *p++ = (unsigned char)( t >> 8 );
731 *p++ = (unsigned char)( t );
732
733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
734 #else
735 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
736 return( ret );
737
738 p += 4;
739 #endif /* MBEDTLS_HAVE_TIME */
740
741 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
742 return( ret );
743
744 return( 0 );
745 }
746
747 /**
748 * \brief Validate cipher suite against config in SSL context.
749 *
750 * \param suite_info cipher suite to validate
751 * \param ssl SSL context
752 * \param min_minor_ver Minimal minor version to accept a cipher suite
753 * \param max_minor_ver Maximal minor version to accept a cipher suite
754 *
755 * \return 0 if valid, else 1
756 */
ssl_validate_ciphersuite(const mbedtls_ssl_ciphersuite_t * suite_info,const mbedtls_ssl_context * ssl,int min_minor_ver,int max_minor_ver)757 static int ssl_validate_ciphersuite(
758 const mbedtls_ssl_ciphersuite_t * suite_info,
759 const mbedtls_ssl_context * ssl,
760 int min_minor_ver, int max_minor_ver )
761 {
762 (void) ssl;
763 if( suite_info == NULL )
764 return( 1 );
765
766 if( suite_info->min_minor_ver > max_minor_ver ||
767 suite_info->max_minor_ver < min_minor_ver )
768 return( 1 );
769
770 #if defined(MBEDTLS_SSL_PROTO_DTLS)
771 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
772 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
773 return( 1 );
774 #endif
775
776 #if defined(MBEDTLS_ARC4_C)
777 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
778 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
779 return( 1 );
780 #endif
781
782 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
783 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
784 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
785 return( 1 );
786 #endif
787
788 return( 0 );
789 }
790
ssl_write_client_hello(mbedtls_ssl_context * ssl)791 static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
792 {
793 int ret;
794 size_t i, n, olen, ext_len = 0;
795
796 unsigned char *buf;
797 unsigned char *p, *q;
798 const unsigned char *end;
799
800 unsigned char offer_compress;
801 const int *ciphersuites;
802 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
803 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
804 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
805 int uses_ec = 0;
806 #endif
807
808 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
809
810 if( ssl->conf->f_rng == NULL )
811 {
812 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
813 return( MBEDTLS_ERR_SSL_NO_RNG );
814 }
815
816 #if defined(MBEDTLS_SSL_RENEGOTIATION)
817 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
818 #endif
819 {
820 ssl->major_ver = ssl->conf->min_major_ver;
821 ssl->minor_ver = ssl->conf->min_minor_ver;
822 }
823
824 if( ssl->conf->max_major_ver == 0 )
825 {
826 MBEDTLS_SSL_DEBUG_MSG( 1,
827 ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
828 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
829 }
830
831 buf = ssl->out_msg;
832 end = buf + MBEDTLS_SSL_MAX_CONTENT_LEN;
833
834 /*
835 * Check if there's enough space for the first part of the ClientHello
836 * consisting of the 38 bytes described below, the session identifier (at
837 * most 32 bytes) and its length (1 byte).
838 *
839 * Use static upper bounds instead of the actual values
840 * to allow the compiler to optimize this away.
841 */
842 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
843
844 /*
845 * The 38 first bytes of the ClientHello:
846 * 0 . 0 handshake type (written later)
847 * 1 . 3 handshake length (written later)
848 * 4 . 5 highest version supported
849 * 6 . 9 current UNIX time
850 * 10 . 37 random bytes
851 *
852 * The current UNIX time (4 bytes) and following 28 random bytes are written
853 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
854 * copied from there into the output buffer.
855 */
856
857 p = buf + 4;
858 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
859 ssl->conf->max_minor_ver,
860 ssl->conf->transport, p );
861 p += 2;
862
863 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
864 buf[4], buf[5] ) );
865
866 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
867 {
868 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
869 return( ret );
870 }
871
872 memcpy( p, ssl->handshake->randbytes, 32 );
873 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
874 p += 32;
875
876 /*
877 * 38 . 38 session id length
878 * 39 . 39+n session id
879 * 39+n . 39+n DTLS only: cookie length (1 byte)
880 * 40+n . .. DTLS only: cookie
881 * .. . .. ciphersuitelist length (2 bytes)
882 * .. . .. ciphersuitelist
883 * .. . .. compression methods length (1 byte)
884 * .. . .. compression methods
885 * .. . .. extensions length (2 bytes)
886 * .. . .. extensions
887 */
888 n = ssl->session_negotiate->id_len;
889
890 if( n < 16 || n > 32 ||
891 #if defined(MBEDTLS_SSL_RENEGOTIATION)
892 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
893 #endif
894 ssl->handshake->resume == 0 )
895 {
896 n = 0;
897 }
898
899 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
900 /*
901 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
902 * generate and include a Session ID in the TLS ClientHello."
903 */
904 #if defined(MBEDTLS_SSL_RENEGOTIATION)
905 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
906 #endif
907 {
908 if( ssl->session_negotiate->ticket != NULL &&
909 ssl->session_negotiate->ticket_len != 0 )
910 {
911 ret = ssl->conf->f_rng( ssl->conf->p_rng,
912 ssl->session_negotiate->id, 32 );
913
914 if( ret != 0 )
915 return( ret );
916
917 ssl->session_negotiate->id_len = n = 32;
918 }
919 }
920 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
921
922 /*
923 * The first check of the output buffer size above (
924 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
925 * has checked that there is enough space in the output buffer for the
926 * session identifier length byte and the session identifier (n <= 32).
927 */
928 *p++ = (unsigned char) n;
929
930 for( i = 0; i < n; i++ )
931 *p++ = ssl->session_negotiate->id[i];
932
933 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
934 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
935
936 /*
937 * With 'n' being the length of the session identifier
938 *
939 * 39+n . 39+n DTLS only: cookie length (1 byte)
940 * 40+n . .. DTLS only: cookie
941 * .. . .. ciphersuitelist length (2 bytes)
942 * .. . .. ciphersuitelist
943 * .. . .. compression methods length (1 byte)
944 * .. . .. compression methods
945 * .. . .. extensions length (2 bytes)
946 * .. . .. extensions
947 */
948
949 /*
950 * DTLS cookie
951 */
952 #if defined(MBEDTLS_SSL_PROTO_DTLS)
953 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
954 {
955 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
956
957 if( ssl->handshake->verify_cookie == NULL )
958 {
959 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
960 *p++ = 0;
961 }
962 else
963 {
964 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
965 ssl->handshake->verify_cookie,
966 ssl->handshake->verify_cookie_len );
967
968 *p++ = ssl->handshake->verify_cookie_len;
969
970 MBEDTLS_SSL_CHK_BUF_PTR( p, end,
971 ssl->handshake->verify_cookie_len );
972 memcpy( p, ssl->handshake->verify_cookie,
973 ssl->handshake->verify_cookie_len );
974 p += ssl->handshake->verify_cookie_len;
975 }
976 }
977 #endif
978
979 /*
980 * Ciphersuite list
981 */
982 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
983
984 /* Skip writing ciphersuite length for now */
985 n = 0;
986 q = p;
987
988 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
989 p += 2;
990
991 for( i = 0; ciphersuites[i] != 0; i++ )
992 {
993 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
994
995 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
996 ssl->conf->min_minor_ver,
997 ssl->conf->max_minor_ver ) != 0 )
998 continue;
999
1000 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
1001 ciphersuites[i] ) );
1002
1003 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1004 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1005 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1006 #endif
1007
1008 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1009
1010 n++;
1011 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
1012 *p++ = (unsigned char)( ciphersuites[i] );
1013 }
1014
1015 MBEDTLS_SSL_DEBUG_MSG( 3,
1016 ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
1017
1018 /*
1019 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1020 */
1021 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1022 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1023 #endif
1024 {
1025 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
1026 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1027 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1028 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
1029 n++;
1030 }
1031
1032 /* Some versions of OpenSSL don't handle it correctly if not at end */
1033 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1034 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
1035 {
1036 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1037
1038 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1039 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1040 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
1041 n++;
1042 }
1043 #endif
1044
1045 *q++ = (unsigned char)( n >> 7 );
1046 *q++ = (unsigned char)( n << 1 );
1047
1048 #if defined(MBEDTLS_ZLIB_SUPPORT)
1049 offer_compress = 1;
1050 #else
1051 offer_compress = 0;
1052 #endif
1053
1054 /*
1055 * We don't support compression with DTLS right now: if many records come
1056 * in the same datagram, uncompressing one could overwrite the next one.
1057 * We don't want to add complexity for handling that case unless there is
1058 * an actual need for it.
1059 */
1060 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1061 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1062 offer_compress = 0;
1063 #endif
1064
1065 if( offer_compress )
1066 {
1067 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1068 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1069 MBEDTLS_SSL_COMPRESS_DEFLATE,
1070 MBEDTLS_SSL_COMPRESS_NULL ) );
1071
1072 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
1073 *p++ = 2;
1074 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1075 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1076 }
1077 else
1078 {
1079 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1081 MBEDTLS_SSL_COMPRESS_NULL ) );
1082
1083 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1084 *p++ = 1;
1085 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1086 }
1087
1088 /* First write extensions, then the total length */
1089
1090 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1091
1092 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1093 if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
1094 end, &olen ) ) != 0 )
1095 {
1096 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
1097 return( ret );
1098 }
1099 ext_len += olen;
1100 #endif
1101
1102 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1103 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
1104 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1105 if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
1106 end, &olen ) ) != 0 )
1107 {
1108 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
1109 return( ret );
1110 }
1111 ext_len += olen;
1112 #endif
1113
1114 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1115 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1116 if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
1117 end, &olen ) ) != 0 )
1118 {
1119 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
1120 return( ret );
1121 }
1122 ext_len += olen;
1123 #endif
1124
1125 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1126 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1127 if( uses_ec )
1128 {
1129 if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
1130 end, &olen ) ) != 0 )
1131 {
1132 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
1133 return( ret );
1134 }
1135 ext_len += olen;
1136
1137 if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
1138 end, &olen ) ) != 0 )
1139 {
1140 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
1141 return( ret );
1142 }
1143 ext_len += olen;
1144 }
1145 #endif
1146
1147 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1148 if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
1149 end, &olen ) ) != 0 )
1150 {
1151 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
1152 return( ret );
1153 }
1154 ext_len += olen;
1155 #endif
1156
1157 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1158 if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
1159 end, &olen ) ) != 0 )
1160 {
1161 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
1162 return( ret );
1163 }
1164 ext_len += olen;
1165 #endif
1166
1167 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1168 if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
1169 end, &olen ) ) != 0 )
1170 {
1171 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
1172 return( ret );
1173 }
1174 ext_len += olen;
1175 #endif
1176
1177 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1178 if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
1179 end, &olen ) ) != 0 )
1180 {
1181 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
1182 return( ret );
1183 }
1184 ext_len += olen;
1185 #endif
1186
1187 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1188 if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
1189 end, &olen ) ) != 0 )
1190 {
1191 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
1192 return( ret );
1193 }
1194 ext_len += olen;
1195 #endif
1196
1197 #if defined(MBEDTLS_SSL_ALPN)
1198 if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
1199 end, &olen ) ) != 0 )
1200 {
1201 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
1202 return( ret );
1203 }
1204 ext_len += olen;
1205 #endif
1206
1207 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1208 if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
1209 end, &olen ) ) != 0 )
1210 {
1211 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
1212 return( ret );
1213 }
1214 ext_len += olen;
1215 #endif
1216
1217 /* olen unused if all extensions are disabled */
1218 ((void) olen);
1219
1220 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1221 ext_len ) );
1222
1223 if( ext_len > 0 )
1224 {
1225 /* No need to check for space here, because the extension
1226 * writing functions already took care of that. */
1227 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1228 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1229 p += ext_len;
1230 }
1231
1232 ssl->out_msglen = p - buf;
1233 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1234 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1235
1236 ssl->state++;
1237
1238 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1239 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1240 mbedtls_ssl_send_flight_completed( ssl );
1241 #endif
1242
1243 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
1244 {
1245 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
1246 return( ret );
1247 }
1248
1249 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1250
1251 return( 0 );
1252 }
1253
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1254 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1255 const unsigned char *buf,
1256 size_t len )
1257 {
1258 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1259 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1260 {
1261 /* Check verify-data in constant-time. The length OTOH is no secret */
1262 if( len != 1 + ssl->verify_data_len * 2 ||
1263 buf[0] != ssl->verify_data_len * 2 ||
1264 mbedtls_ssl_safer_memcmp( buf + 1,
1265 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1266 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
1267 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1268 {
1269 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1270 mbedtls_ssl_send_alert_message(
1271 ssl,
1272 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1273 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1274 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1275 }
1276 }
1277 else
1278 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1279 {
1280 if( len != 1 || buf[0] != 0x00 )
1281 {
1282 MBEDTLS_SSL_DEBUG_MSG( 1,
1283 ( "non-zero length renegotiation info" ) );
1284 mbedtls_ssl_send_alert_message(
1285 ssl,
1286 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1287 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1288 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1289 }
1290
1291 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1292 }
1293
1294 return( 0 );
1295 }
1296
1297 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1298 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1299 const unsigned char *buf,
1300 size_t len )
1301 {
1302 /*
1303 * server should use the extension only if we did,
1304 * and if so the server's value should match ours (and len is always 1)
1305 */
1306 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1307 len != 1 ||
1308 buf[0] != ssl->conf->mfl_code )
1309 {
1310 MBEDTLS_SSL_DEBUG_MSG( 1,
1311 ( "non-matching max fragment length extension" ) );
1312 mbedtls_ssl_send_alert_message(
1313 ssl,
1314 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1315 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1316 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1317 }
1318
1319 return( 0 );
1320 }
1321 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1322
1323 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl_parse_truncated_hmac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1324 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1325 const unsigned char *buf,
1326 size_t len )
1327 {
1328 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1329 len != 0 )
1330 {
1331 MBEDTLS_SSL_DEBUG_MSG( 1,
1332 ( "non-matching truncated HMAC extension" ) );
1333 mbedtls_ssl_send_alert_message(
1334 ssl,
1335 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1336 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1337 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1338 }
1339
1340 ((void) buf);
1341
1342 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1343
1344 return( 0 );
1345 }
1346 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1347
1348 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1349 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1350 const unsigned char *buf,
1351 size_t len )
1352 {
1353 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1354 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1355 len != 0 )
1356 {
1357 MBEDTLS_SSL_DEBUG_MSG( 1,
1358 ( "non-matching encrypt-then-MAC extension" ) );
1359 mbedtls_ssl_send_alert_message(
1360 ssl,
1361 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1362 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1363 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1364 }
1365
1366 ((void) buf);
1367
1368 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1369
1370 return( 0 );
1371 }
1372 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1373
1374 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1375 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1376 const unsigned char *buf,
1377 size_t len )
1378 {
1379 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1380 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1381 len != 0 )
1382 {
1383 MBEDTLS_SSL_DEBUG_MSG( 1,
1384 ( "non-matching extended master secret extension" ) );
1385 mbedtls_ssl_send_alert_message(
1386 ssl,
1387 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1388 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1389 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1390 }
1391
1392 ((void) buf);
1393
1394 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1395
1396 return( 0 );
1397 }
1398 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1399
1400 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1401 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1402 const unsigned char *buf,
1403 size_t len )
1404 {
1405 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1406 len != 0 )
1407 {
1408 MBEDTLS_SSL_DEBUG_MSG( 1,
1409 ( "non-matching session ticket extension" ) );
1410 mbedtls_ssl_send_alert_message(
1411 ssl,
1412 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1413 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1414 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1415 }
1416
1417 ((void) buf);
1418
1419 ssl->handshake->new_session_ticket = 1;
1420
1421 return( 0 );
1422 }
1423 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1424
1425 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1426 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_supported_point_formats_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1427 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1428 const unsigned char *buf,
1429 size_t len )
1430 {
1431 size_t list_size;
1432 const unsigned char *p;
1433
1434 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
1435 {
1436 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1437 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1438 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1439 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1440 }
1441 list_size = buf[0];
1442
1443 p = buf + 1;
1444 while( list_size > 0 )
1445 {
1446 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1447 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1448 {
1449 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1450 ssl->handshake->ecdh_ctx.point_format = p[0];
1451 #endif
1452 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1453 ssl->handshake->ecjpake_ctx.point_format = p[0];
1454 #endif
1455 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1456 return( 0 );
1457 }
1458
1459 list_size--;
1460 p++;
1461 }
1462
1463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1464 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1465 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1466 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1467 }
1468 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1469 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1470
1471 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1472 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1473 const unsigned char *buf,
1474 size_t len )
1475 {
1476 int ret;
1477
1478 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1479 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1480 {
1481 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1482 return( 0 );
1483 }
1484
1485 /* If we got here, we no longer need our cached extension */
1486 mbedtls_free( ssl->handshake->ecjpake_cache );
1487 ssl->handshake->ecjpake_cache = NULL;
1488 ssl->handshake->ecjpake_cache_len = 0;
1489
1490 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1491 buf, len ) ) != 0 )
1492 {
1493 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1494 mbedtls_ssl_send_alert_message(
1495 ssl,
1496 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1497 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1498 return( ret );
1499 }
1500
1501 return( 0 );
1502 }
1503 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1504
1505 #if defined(MBEDTLS_SSL_ALPN)
ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1506 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1507 const unsigned char *buf, size_t len )
1508 {
1509 size_t list_len, name_len;
1510 const char **p;
1511
1512 /* If we didn't send it, the server shouldn't send it */
1513 if( ssl->conf->alpn_list == NULL )
1514 {
1515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
1516 mbedtls_ssl_send_alert_message(
1517 ssl,
1518 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1519 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1520 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1521 }
1522
1523 /*
1524 * opaque ProtocolName<1..2^8-1>;
1525 *
1526 * struct {
1527 * ProtocolName protocol_name_list<2..2^16-1>
1528 * } ProtocolNameList;
1529 *
1530 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1531 */
1532
1533 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1534 if( len < 4 )
1535 {
1536 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1537 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1538 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1539 }
1540
1541 list_len = ( buf[0] << 8 ) | buf[1];
1542 if( list_len != len - 2 )
1543 {
1544 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1545 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1546 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1547 }
1548
1549 name_len = buf[2];
1550 if( name_len != list_len - 1 )
1551 {
1552 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1553 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1554 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1555 }
1556
1557 /* Check that the server chosen protocol was in our list and save it */
1558 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1559 {
1560 if( name_len == strlen( *p ) &&
1561 memcmp( buf + 3, *p, name_len ) == 0 )
1562 {
1563 ssl->alpn_chosen = *p;
1564 return( 0 );
1565 }
1566 }
1567
1568 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
1569 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1570 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1571 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1572 }
1573 #endif /* MBEDTLS_SSL_ALPN */
1574
1575 /*
1576 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1577 */
1578 #if defined(MBEDTLS_SSL_PROTO_DTLS)
ssl_parse_hello_verify_request(mbedtls_ssl_context * ssl)1579 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1580 {
1581 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1582 int major_ver, minor_ver;
1583 unsigned char cookie_len;
1584
1585 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1586
1587 /* Check that there is enough room for:
1588 * - 2 bytes of version
1589 * - 1 byte of cookie_len
1590 */
1591 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
1592 {
1593 MBEDTLS_SSL_DEBUG_MSG( 1,
1594 ( "incoming HelloVerifyRequest message is too short" ) );
1595 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1596 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1597 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1598 }
1599
1600 /*
1601 * struct {
1602 * ProtocolVersion server_version;
1603 * opaque cookie<0..2^8-1>;
1604 * } HelloVerifyRequest;
1605 */
1606 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1607 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1608 p += 2;
1609
1610 /*
1611 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1612 * even is lower than our min version.
1613 */
1614 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1615 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1616 major_ver > ssl->conf->max_major_ver ||
1617 minor_ver > ssl->conf->max_minor_ver )
1618 {
1619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1620
1621 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1622 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1623
1624 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1625 }
1626
1627 cookie_len = *p++;
1628 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1629 {
1630 MBEDTLS_SSL_DEBUG_MSG( 1,
1631 ( "cookie length does not match incoming message size" ) );
1632 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1633 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1634 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1635 }
1636 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1637
1638 mbedtls_free( ssl->handshake->verify_cookie );
1639
1640 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1641 if( ssl->handshake->verify_cookie == NULL )
1642 {
1643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1644 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1645 }
1646
1647 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1648 ssl->handshake->verify_cookie_len = cookie_len;
1649
1650 /* Start over at ClientHello */
1651 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1652 mbedtls_ssl_reset_checksum( ssl );
1653
1654 mbedtls_ssl_recv_flight_completed( ssl );
1655
1656 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1657
1658 return( 0 );
1659 }
1660 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1661
ssl_parse_server_hello(mbedtls_ssl_context * ssl)1662 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1663 {
1664 int ret, i;
1665 size_t n;
1666 size_t ext_len;
1667 unsigned char *buf, *ext;
1668 unsigned char comp;
1669 #if defined(MBEDTLS_ZLIB_SUPPORT)
1670 int accept_comp;
1671 #endif
1672 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1673 int renegotiation_info_seen = 0;
1674 #endif
1675 int handshake_failure = 0;
1676 const mbedtls_ssl_ciphersuite_t *suite_info;
1677
1678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1679
1680 buf = ssl->in_msg;
1681
1682 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
1683 {
1684 /* No alert on a read error. */
1685 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1686 return( ret );
1687 }
1688
1689 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1690 {
1691 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1692 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1693 {
1694 ssl->renego_records_seen++;
1695
1696 if( ssl->conf->renego_max_records >= 0 &&
1697 ssl->renego_records_seen > ssl->conf->renego_max_records )
1698 {
1699 MBEDTLS_SSL_DEBUG_MSG( 1,
1700 ( "renegotiation requested, but not honored by server" ) );
1701 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1702 }
1703
1704 MBEDTLS_SSL_DEBUG_MSG( 1,
1705 ( "non-handshake message during renegotiation" ) );
1706
1707 ssl->keep_current_message = 1;
1708 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1709 }
1710 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1711
1712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1713 mbedtls_ssl_send_alert_message(
1714 ssl,
1715 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1716 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1717 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1718 }
1719
1720 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1721 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1722 {
1723 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1724 {
1725 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1726 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1727 return( ssl_parse_hello_verify_request( ssl ) );
1728 }
1729 else
1730 {
1731 /* We made it through the verification process */
1732 mbedtls_free( ssl->handshake->verify_cookie );
1733 ssl->handshake->verify_cookie = NULL;
1734 ssl->handshake->verify_cookie_len = 0;
1735 }
1736 }
1737 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1738
1739 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1740 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1741 {
1742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1743 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1744 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1745 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1746 }
1747
1748 /*
1749 * 0 . 1 server_version
1750 * 2 . 33 random (maybe including 4 bytes of Unix time)
1751 * 34 . 34 session_id length = n
1752 * 35 . 34+n session_id
1753 * 35+n . 36+n cipher_suite
1754 * 37+n . 37+n compression_method
1755 *
1756 * 38+n . 39+n extensions length (optional)
1757 * 40+n . .. extensions
1758 */
1759 buf += mbedtls_ssl_hs_hdr_len( ssl );
1760
1761 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1762 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1763 ssl->conf->transport, buf + 0 );
1764
1765 if( ssl->major_ver < ssl->conf->min_major_ver ||
1766 ssl->minor_ver < ssl->conf->min_minor_ver ||
1767 ssl->major_ver > ssl->conf->max_major_ver ||
1768 ssl->minor_ver > ssl->conf->max_minor_ver )
1769 {
1770 MBEDTLS_SSL_DEBUG_MSG( 1,
1771 ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1772 ssl->conf->min_major_ver,
1773 ssl->conf->min_minor_ver,
1774 ssl->major_ver, ssl->minor_ver,
1775 ssl->conf->max_major_ver,
1776 ssl->conf->max_minor_ver ) );
1777
1778 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1779 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1780
1781 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1782 }
1783
1784 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1785 ( (uint32_t) buf[2] << 24 ) |
1786 ( (uint32_t) buf[3] << 16 ) |
1787 ( (uint32_t) buf[4] << 8 ) |
1788 ( (uint32_t) buf[5] ) ) );
1789
1790 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1791
1792 n = buf[34];
1793
1794 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1795
1796 if( n > 32 )
1797 {
1798 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1799 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1800 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1801 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1802 }
1803
1804 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1805 {
1806 ext_len = ( ( buf[38 + n] << 8 )
1807 | ( buf[39 + n] ) );
1808
1809 if( ( ext_len > 0 && ext_len < 4 ) ||
1810 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1811 {
1812 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1813 mbedtls_ssl_send_alert_message(
1814 ssl,
1815 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1816 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1817 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1818 }
1819 }
1820 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1821 {
1822 ext_len = 0;
1823 }
1824 else
1825 {
1826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1827 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1828 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1829 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1830 }
1831
1832 /* ciphersuite (used later) */
1833 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1834
1835 /*
1836 * Read and check compression
1837 */
1838 comp = buf[37 + n];
1839
1840 #if defined(MBEDTLS_ZLIB_SUPPORT)
1841 /* See comments in ssl_write_client_hello() */
1842 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1843 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1844 accept_comp = 0;
1845 else
1846 #endif
1847 accept_comp = 1;
1848
1849 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1850 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1851 #else /* MBEDTLS_ZLIB_SUPPORT */
1852 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1853 #endif/* MBEDTLS_ZLIB_SUPPORT */
1854 {
1855 MBEDTLS_SSL_DEBUG_MSG( 1,
1856 ( "server hello, bad compression: %d", comp ) );
1857 mbedtls_ssl_send_alert_message(
1858 ssl,
1859 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1860 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1861 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1862 }
1863
1864 /*
1865 * Initialize update checksum functions
1866 */
1867 ssl->transform_negotiate->ciphersuite_info =
1868 mbedtls_ssl_ciphersuite_from_id( i );
1869
1870 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1871 {
1872 MBEDTLS_SSL_DEBUG_MSG( 1,
1873 ( "ciphersuite info for %04x not found", i ) );
1874 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1875 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1876 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1877 }
1878
1879 mbedtls_ssl_optimize_checksum( ssl,
1880 ssl->transform_negotiate->ciphersuite_info );
1881
1882 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1883 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1884
1885 /*
1886 * Check if the session can be resumed
1887 */
1888 if( ssl->handshake->resume == 0 || n == 0 ||
1889 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1890 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1891 #endif
1892 ssl->session_negotiate->ciphersuite != i ||
1893 ssl->session_negotiate->compression != comp ||
1894 ssl->session_negotiate->id_len != n ||
1895 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1896 {
1897 ssl->state++;
1898 ssl->handshake->resume = 0;
1899 #if defined(MBEDTLS_HAVE_TIME)
1900 ssl->session_negotiate->start = mbedtls_time( NULL );
1901 #endif
1902 ssl->session_negotiate->ciphersuite = i;
1903 ssl->session_negotiate->compression = comp;
1904 ssl->session_negotiate->id_len = n;
1905 memcpy( ssl->session_negotiate->id, buf + 35, n );
1906 }
1907 else
1908 {
1909 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1910
1911 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1912 {
1913 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1914 mbedtls_ssl_send_alert_message(
1915 ssl,
1916 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1917 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1918 return( ret );
1919 }
1920 }
1921
1922 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1923 ssl->handshake->resume ? "a" : "no" ) );
1924
1925 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
1926 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
1927 buf[37 + n] ) );
1928
1929 /*
1930 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1931 */
1932 i = 0;
1933 while( 1 )
1934 {
1935 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1936 {
1937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1938 mbedtls_ssl_send_alert_message(
1939 ssl,
1940 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1941 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1942 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1943 }
1944
1945 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1946 ssl->session_negotiate->ciphersuite )
1947 {
1948 break;
1949 }
1950 }
1951
1952 suite_info = mbedtls_ssl_ciphersuite_from_id(
1953 ssl->session_negotiate->ciphersuite );
1954 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
1955 ssl->minor_ver ) != 0 )
1956 {
1957 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1958 mbedtls_ssl_send_alert_message(
1959 ssl,
1960 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1961 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1962 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1963 }
1964
1965 MBEDTLS_SSL_DEBUG_MSG( 3,
1966 ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1967
1968 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1969 #if defined(MBEDTLS_ZLIB_SUPPORT)
1970 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
1971 #endif
1972 )
1973 {
1974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1975 mbedtls_ssl_send_alert_message(
1976 ssl,
1977 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1978 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1979 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1980 }
1981 ssl->session_negotiate->compression = comp;
1982
1983 ext = buf + 40 + n;
1984
1985 MBEDTLS_SSL_DEBUG_MSG( 2,
1986 ( "server hello, total extension length: %d", ext_len ) );
1987
1988 while( ext_len )
1989 {
1990 unsigned int ext_id = ( ( ext[0] << 8 )
1991 | ( ext[1] ) );
1992 unsigned int ext_size = ( ( ext[2] << 8 )
1993 | ( ext[3] ) );
1994
1995 if( ext_size + 4 > ext_len )
1996 {
1997 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1998 mbedtls_ssl_send_alert_message(
1999 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2000 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2001 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2002 }
2003
2004 switch( ext_id )
2005 {
2006 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
2007 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
2008 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2009 renegotiation_info_seen = 1;
2010 #endif
2011
2012 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
2013 ext_size ) ) != 0 )
2014 return( ret );
2015
2016 break;
2017
2018 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2019 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
2020 MBEDTLS_SSL_DEBUG_MSG( 3,
2021 ( "found max_fragment_length extension" ) );
2022
2023 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
2024 ext + 4, ext_size ) ) != 0 )
2025 {
2026 return( ret );
2027 }
2028
2029 break;
2030 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2031
2032 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2033 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
2034 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
2035
2036 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
2037 ext + 4, ext_size ) ) != 0 )
2038 {
2039 return( ret );
2040 }
2041
2042 break;
2043 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2044
2045 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2046 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2047 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
2048
2049 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2050 ext + 4, ext_size ) ) != 0 )
2051 {
2052 return( ret );
2053 }
2054
2055 break;
2056 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2057
2058 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2059 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2060 MBEDTLS_SSL_DEBUG_MSG( 3,
2061 ( "found extended_master_secret extension" ) );
2062
2063 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2064 ext + 4, ext_size ) ) != 0 )
2065 {
2066 return( ret );
2067 }
2068
2069 break;
2070 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2071
2072 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2073 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2074 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
2075
2076 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2077 ext + 4, ext_size ) ) != 0 )
2078 {
2079 return( ret );
2080 }
2081
2082 break;
2083 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2084
2085 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2086 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2087 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2088 MBEDTLS_SSL_DEBUG_MSG( 3,
2089 ( "found supported_point_formats extension" ) );
2090
2091 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2092 ext + 4, ext_size ) ) != 0 )
2093 {
2094 return( ret );
2095 }
2096
2097 break;
2098 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2099 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2100
2101 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2102 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2103 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2104
2105 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2106 ext + 4, ext_size ) ) != 0 )
2107 {
2108 return( ret );
2109 }
2110
2111 break;
2112 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2113
2114 #if defined(MBEDTLS_SSL_ALPN)
2115 case MBEDTLS_TLS_EXT_ALPN:
2116 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2117
2118 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2119 return( ret );
2120
2121 break;
2122 #endif /* MBEDTLS_SSL_ALPN */
2123
2124 default:
2125 MBEDTLS_SSL_DEBUG_MSG( 3,
2126 ( "unknown extension found: %d (ignoring)", ext_id ) );
2127 }
2128
2129 ext_len -= 4 + ext_size;
2130 ext += 4 + ext_size;
2131
2132 if( ext_len > 0 && ext_len < 4 )
2133 {
2134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2135 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2136 }
2137 }
2138
2139 /*
2140 * Renegotiation security checks
2141 */
2142 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2143 ssl->conf->allow_legacy_renegotiation ==
2144 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
2145 {
2146 MBEDTLS_SSL_DEBUG_MSG( 1,
2147 ( "legacy renegotiation, breaking off handshake" ) );
2148 handshake_failure = 1;
2149 }
2150 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2151 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2152 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2153 renegotiation_info_seen == 0 )
2154 {
2155 MBEDTLS_SSL_DEBUG_MSG( 1,
2156 ( "renegotiation_info extension missing (secure)" ) );
2157 handshake_failure = 1;
2158 }
2159 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2160 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2161 ssl->conf->allow_legacy_renegotiation ==
2162 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
2163 {
2164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2165 handshake_failure = 1;
2166 }
2167 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2168 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2169 renegotiation_info_seen == 1 )
2170 {
2171 MBEDTLS_SSL_DEBUG_MSG( 1,
2172 ( "renegotiation_info extension present (legacy)" ) );
2173 handshake_failure = 1;
2174 }
2175 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2176
2177 if( handshake_failure == 1 )
2178 {
2179 mbedtls_ssl_send_alert_message(
2180 ssl,
2181 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2182 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2183 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2184 }
2185
2186 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
2187
2188 return( 0 );
2189 }
2190
2191 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2192 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
ssl_parse_server_dh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)2193 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
2194 unsigned char **p,
2195 unsigned char *end )
2196 {
2197 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2198
2199 /*
2200 * Ephemeral DH parameters:
2201 *
2202 * struct {
2203 * opaque dh_p<1..2^16-1>;
2204 * opaque dh_g<1..2^16-1>;
2205 * opaque dh_Ys<1..2^16-1>;
2206 * } ServerDHParams;
2207 */
2208 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
2209 p, end ) ) != 0 )
2210 {
2211 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
2212 return( ret );
2213 }
2214
2215 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
2216 {
2217 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2218 ssl->handshake->dhm_ctx.len * 8,
2219 ssl->conf->dhm_min_bitlen ) );
2220 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2221 }
2222
2223 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2224 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2225 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2226
2227 return( ret );
2228 }
2229 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2230 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2231
2232 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2233 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2234 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2235 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2236 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
ssl_check_server_ecdh_params(const mbedtls_ssl_context * ssl)2237 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
2238 {
2239 const mbedtls_ecp_curve_info *curve_info;
2240
2241 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
2242 if( curve_info == NULL )
2243 {
2244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2245 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2246 }
2247
2248 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
2249
2250 #if defined(MBEDTLS_ECP_C)
2251 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
2252 #else
2253 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2254 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
2255 #endif
2256 return( -1 );
2257
2258 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
2259
2260 return( 0 );
2261 }
2262 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2263 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2264 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2265 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2266 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2267
2268 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2269 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2270 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
ssl_parse_server_ecdh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)2271 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
2272 unsigned char **p,
2273 unsigned char *end )
2274 {
2275 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2276
2277 /*
2278 * Ephemeral ECDH parameters:
2279 *
2280 * struct {
2281 * ECParameters curve_params;
2282 * ECPoint public;
2283 * } ServerECDHParams;
2284 */
2285 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
2286 (const unsigned char **) p, end ) ) != 0 )
2287 {
2288 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
2289 return( ret );
2290 }
2291
2292 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2293 {
2294 MBEDTLS_SSL_DEBUG_MSG( 1,
2295 ( "bad server key exchange message (ECDHE curve)" ) );
2296 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2297 }
2298
2299 return( ret );
2300 }
2301 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2302 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2303 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2304
2305 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
ssl_parse_server_psk_hint(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)2306 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
2307 unsigned char **p,
2308 unsigned char *end )
2309 {
2310 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2311 size_t len;
2312 ((void) ssl);
2313
2314 /*
2315 * PSK parameters:
2316 *
2317 * opaque psk_identity_hint<0..2^16-1>;
2318 */
2319 if( end - (*p) < 2 )
2320 {
2321 MBEDTLS_SSL_DEBUG_MSG( 1,
2322 ( "bad server key exchange message (psk_identity_hint length)" ) );
2323 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2324 }
2325 len = (*p)[0] << 8 | (*p)[1];
2326 *p += 2;
2327
2328 if( end - (*p) < (int) len )
2329 {
2330 MBEDTLS_SSL_DEBUG_MSG( 1,
2331 ( "bad server key exchange message (psk_identity_hint length)" ) );
2332 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2333 }
2334
2335 /*
2336 * Note: we currently ignore the PKS identity hint, as we only allow one
2337 * PSK to be provisionned on the client. This could be changed later if
2338 * someone needs that feature.
2339 */
2340 *p += len;
2341 ret = 0;
2342
2343 return( ret );
2344 }
2345 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2346
2347 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2348 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2349 /*
2350 * Generate a pre-master secret and encrypt it with the server's RSA key
2351 */
ssl_write_encrypted_pms(mbedtls_ssl_context * ssl,size_t offset,size_t * olen,size_t pms_offset)2352 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
2353 size_t offset, size_t *olen,
2354 size_t pms_offset )
2355 {
2356 int ret;
2357 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2358 unsigned char *p = ssl->handshake->premaster + pms_offset;
2359
2360 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
2361 {
2362 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2363 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2364 }
2365
2366 /*
2367 * Generate (part of) the pre-master as
2368 * struct {
2369 * ProtocolVersion client_version;
2370 * opaque random[46];
2371 * } PreMasterSecret;
2372 */
2373 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
2374 ssl->conf->max_minor_ver,
2375 ssl->conf->transport, p );
2376
2377 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2378 {
2379 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2380 return( ret );
2381 }
2382
2383 ssl->handshake->pmslen = 48;
2384
2385 if( ssl->session_negotiate->peer_cert == NULL )
2386 {
2387 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2388 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2389 }
2390
2391 /*
2392 * Now write it out, encrypted
2393 */
2394 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2395 MBEDTLS_PK_RSA ) )
2396 {
2397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2398 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2399 }
2400
2401 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
2402 p, ssl->handshake->pmslen,
2403 ssl->out_msg + offset + len_bytes, olen,
2404 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
2405 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2406 {
2407 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2408 return( ret );
2409 }
2410
2411 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2412 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2413 if( len_bytes == 2 )
2414 {
2415 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2416 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2417 *olen += 2;
2418 }
2419 #endif
2420
2421 return( 0 );
2422 }
2423 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2424 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2425
2426 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2427 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2428 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2429 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
ssl_parse_signature_algorithm(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end,mbedtls_md_type_t * md_alg,mbedtls_pk_type_t * pk_alg)2430 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2431 unsigned char **p,
2432 unsigned char *end,
2433 mbedtls_md_type_t *md_alg,
2434 mbedtls_pk_type_t *pk_alg )
2435 {
2436 ((void) ssl);
2437 *md_alg = MBEDTLS_MD_NONE;
2438 *pk_alg = MBEDTLS_PK_NONE;
2439
2440 /* Only in TLS 1.2 */
2441 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2442 {
2443 return( 0 );
2444 }
2445
2446 if( (*p) + 2 > end )
2447 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2448
2449 /*
2450 * Get hash algorithm
2451 */
2452 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
2453 == MBEDTLS_MD_NONE )
2454 {
2455 MBEDTLS_SSL_DEBUG_MSG( 1,
2456 ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
2457 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2458 }
2459
2460 /*
2461 * Get signature algorithm
2462 */
2463 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
2464 == MBEDTLS_PK_NONE )
2465 {
2466 MBEDTLS_SSL_DEBUG_MSG( 1,
2467 ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
2468 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2469 }
2470
2471 /*
2472 * Check if the hash is acceptable
2473 */
2474 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2475 {
2476 MBEDTLS_SSL_DEBUG_MSG( 1,
2477 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
2478 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2479 }
2480
2481 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
2482 (*p)[1] ) );
2483 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
2484 (*p)[0] ) );
2485 *p += 2;
2486
2487 return( 0 );
2488 }
2489 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2490 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2491 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2492 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2493
2494 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2495 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)2496 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2497 {
2498 int ret;
2499 const mbedtls_ecp_keypair *peer_key;
2500
2501 if( ssl->session_negotiate->peer_cert == NULL )
2502 {
2503 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2504 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2505 }
2506
2507 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2508 MBEDTLS_PK_ECKEY ) )
2509 {
2510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2511 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2512 }
2513
2514 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
2515
2516 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2517 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2518 {
2519 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2520 return( ret );
2521 }
2522
2523 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2524 {
2525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2526 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2527 }
2528
2529 return( ret );
2530 }
2531 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2532 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2533
ssl_parse_server_key_exchange(mbedtls_ssl_context * ssl)2534 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2535 {
2536 int ret;
2537 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2538 ssl->transform_negotiate->ciphersuite_info;
2539 unsigned char *p = NULL, *end = NULL;
2540
2541 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2542
2543 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2544 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2545 {
2546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2547 ssl->state++;
2548 return( 0 );
2549 }
2550 ((void) p);
2551 ((void) end);
2552 #endif
2553
2554 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2555 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2556 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2557 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2558 {
2559 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2560 {
2561 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2562 mbedtls_ssl_send_alert_message(
2563 ssl,
2564 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2565 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2566 return( ret );
2567 }
2568
2569 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2570 ssl->state++;
2571 return( 0 );
2572 }
2573 ((void) p);
2574 ((void) end);
2575 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2576 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2577
2578 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2579 {
2580 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2581 return( ret );
2582 }
2583
2584 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2585 {
2586 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2587 mbedtls_ssl_send_alert_message(
2588 ssl,
2589 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2590 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2591 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2592 }
2593
2594 /*
2595 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2596 * doesn't use a psk_identity_hint
2597 */
2598 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2599 {
2600 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2601 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2602 {
2603 /* Current message is probably either
2604 * CertificateRequest or ServerHelloDone */
2605 ssl->keep_current_message = 1;
2606 goto exit;
2607 }
2608
2609 MBEDTLS_SSL_DEBUG_MSG( 1,
2610 ( "server key exchange message must not be skipped" ) );
2611 mbedtls_ssl_send_alert_message(
2612 ssl,
2613 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2614 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2615
2616 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2617 }
2618
2619 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2620 end = ssl->in_msg + ssl->in_hslen;
2621 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2622
2623 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2624 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2625 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2626 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2627 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2628 {
2629 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2630 {
2631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2632 mbedtls_ssl_send_alert_message(
2633 ssl,
2634 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2635 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2636 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2637 }
2638 } /* FALLTROUGH */
2639 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2640
2641 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2642 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2643 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2644 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2645 ; /* nothing more to do */
2646 else
2647 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2648 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2649 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2650 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2651 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2652 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2653 {
2654 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2655 {
2656 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2657 mbedtls_ssl_send_alert_message(
2658 ssl,
2659 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2660 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2661 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2662 }
2663 }
2664 else
2665 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2666 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2667 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2668 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2669 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2670 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2671 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2672 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2673 {
2674 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2675 {
2676 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2677 mbedtls_ssl_send_alert_message(
2678 ssl,
2679 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2680 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2681 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2682 }
2683 }
2684 else
2685 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2686 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2687 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2688 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2689 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2690 {
2691 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2692 p, end - p );
2693 if( ret != 0 )
2694 {
2695 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2696 mbedtls_ssl_send_alert_message(
2697 ssl,
2698 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2699 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2700 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2701 }
2702 }
2703 else
2704 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2705 {
2706 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2707 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2708 }
2709
2710 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2711 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
2712 {
2713 size_t sig_len, hashlen;
2714 unsigned char hash[64];
2715 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2716 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2717 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2718 size_t params_len = p - params;
2719
2720 /*
2721 * Handle the digitally-signed structure
2722 */
2723 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2724 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2725 {
2726 if( ssl_parse_signature_algorithm( ssl, &p, end,
2727 &md_alg, &pk_alg ) != 0 )
2728 {
2729 MBEDTLS_SSL_DEBUG_MSG( 1,
2730 ( "bad server key exchange message" ) );
2731 mbedtls_ssl_send_alert_message(
2732 ssl,
2733 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2734 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2735 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2736 }
2737
2738 if( pk_alg !=
2739 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2740 {
2741 MBEDTLS_SSL_DEBUG_MSG( 1,
2742 ( "bad server key exchange message" ) );
2743 mbedtls_ssl_send_alert_message(
2744 ssl,
2745 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2746 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2747 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2748 }
2749 }
2750 else
2751 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2752 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2753 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2754 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2755 {
2756 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2757
2758 /* Default hash for ECDSA is SHA-1 */
2759 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2760 md_alg = MBEDTLS_MD_SHA1;
2761 }
2762 else
2763 #endif
2764 {
2765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2766 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2767 }
2768
2769 /*
2770 * Read signature
2771 */
2772 if( p > end - 2 )
2773 {
2774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2775 mbedtls_ssl_send_alert_message(
2776 ssl,
2777 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2778 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2779 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2780 }
2781 sig_len = ( p[0] << 8 ) | p[1];
2782 p += 2;
2783
2784 if( p != end - sig_len )
2785 {
2786 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2787 mbedtls_ssl_send_alert_message(
2788 ssl,
2789 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2790 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2791 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2792 }
2793
2794 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2795
2796 /*
2797 * Compute the hash that has been signed
2798 */
2799 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2800 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2801 if( md_alg == MBEDTLS_MD_NONE )
2802 {
2803 hashlen = 36;
2804 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2805 params_len );
2806 if( ret != 0 )
2807 return( ret );
2808 }
2809 else
2810 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2811 MBEDTLS_SSL_PROTO_TLS1_1 */
2812 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2813 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2814 if( md_alg != MBEDTLS_MD_NONE )
2815 {
2816 /* Info from md_alg will be used instead */
2817 hashlen = 0;
2818 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params,
2819 params_len, md_alg );
2820 if( ret != 0 )
2821 return( ret );
2822 }
2823 else
2824 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2825 MBEDTLS_SSL_PROTO_TLS1_2 */
2826 {
2827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2828 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2829 }
2830
2831 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2832 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
2833
2834 if( ssl->session_negotiate->peer_cert == NULL )
2835 {
2836 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2837 mbedtls_ssl_send_alert_message(
2838 ssl,
2839 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2840 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2841 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2842 }
2843
2844 /*
2845 * Verify signature
2846 */
2847 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2848 pk_alg ) )
2849 {
2850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2851 mbedtls_ssl_send_alert_message(
2852 ssl,
2853 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2854 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2855 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2856 }
2857
2858 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
2859 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
2860 {
2861 mbedtls_ssl_send_alert_message(
2862 ssl,
2863 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2864 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
2865 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
2866 return( ret );
2867 }
2868 }
2869 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2870
2871 exit:
2872 ssl->state++;
2873
2874 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2875
2876 return( 0 );
2877 }
2878
2879 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)2880 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2881 {
2882 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2883 ssl->transform_negotiate->ciphersuite_info;
2884
2885 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2886
2887 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2888 {
2889 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2890 ssl->state++;
2891 return( 0 );
2892 }
2893
2894 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2895 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2896 }
2897 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)2898 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2899 {
2900 int ret;
2901 unsigned char *buf;
2902 size_t n = 0;
2903 size_t cert_type_len = 0, dn_len = 0;
2904 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2905 ssl->transform_negotiate->ciphersuite_info;
2906
2907 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2908
2909 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2910 {
2911 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2912 ssl->state++;
2913 return( 0 );
2914 }
2915
2916 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2917 {
2918 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2919 return( ret );
2920 }
2921
2922 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2923 {
2924 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2925 mbedtls_ssl_send_alert_message(
2926 ssl,
2927 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2928 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2929 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2930 }
2931
2932 ssl->state++;
2933 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
2934
2935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
2936 ssl->client_auth ? "a" : "no" ) );
2937
2938 if( ssl->client_auth == 0 )
2939 {
2940 /* Current message is probably the ServerHelloDone */
2941 ssl->keep_current_message = 1;
2942 goto exit;
2943 }
2944
2945 /*
2946 * struct {
2947 * ClientCertificateType certificate_types<1..2^8-1>;
2948 * SignatureAndHashAlgorithm
2949 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2950 * DistinguishedName certificate_authorities<0..2^16-1>;
2951 * } CertificateRequest;
2952 *
2953 * Since we only support a single certificate on clients, let's just
2954 * ignore all the information that's supposed to help us pick a
2955 * certificate.
2956 *
2957 * We could check that our certificate matches the request, and bail out
2958 * if it doesn't, but it's simpler to just send the certificate anyway,
2959 * and give the server the opportunity to decide if it should terminate
2960 * the connection when it doesn't like our certificate.
2961 *
2962 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2963 * point we only have one hash available (see comments in
2964 * write_certificate_verify), so let's just use what we have.
2965 *
2966 * However, we still minimally parse the message to check it is at least
2967 * superficially sane.
2968 */
2969 buf = ssl->in_msg;
2970
2971 /* certificate_types */
2972 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
2973 {
2974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2975 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2976 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2977 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2978 }
2979 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
2980 n = cert_type_len;
2981
2982 /*
2983 * In the subsequent code there are two paths that read from buf:
2984 * * the length of the signature algorithms field (if minor version of
2985 * SSL is 3),
2986 * * distinguished name length otherwise.
2987 * Both reach at most the index:
2988 * ...hdr_len + 2 + n,
2989 * therefore the buffer length at this point must be greater than that
2990 * regardless of the actual code path.
2991 */
2992 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
2993 {
2994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2995 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2996 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2997 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2998 }
2999
3000 /* supported_signature_algorithms */
3001 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3002 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3003 {
3004 size_t sig_alg_len =
3005 ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3006 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3007 #if defined(MBEDTLS_DEBUG_C)
3008 unsigned char* sig_alg;
3009 size_t i;
3010 #endif
3011
3012 /*
3013 * The furthest access in buf is in the loop few lines below:
3014 * sig_alg[i + 1],
3015 * where:
3016 * sig_alg = buf + ...hdr_len + 3 + n,
3017 * max(i) = sig_alg_len - 1.
3018 * Therefore the furthest access is:
3019 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3020 * which reduces to:
3021 * buf[...hdr_len + 3 + n + sig_alg_len],
3022 * which is one less than we need the buf to be.
3023 */
3024 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
3025 + 3 + n + sig_alg_len )
3026 {
3027 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3028 mbedtls_ssl_send_alert_message(
3029 ssl,
3030 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3031 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3032 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3033 }
3034
3035 #if defined(MBEDTLS_DEBUG_C)
3036 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
3037 for( i = 0; i < sig_alg_len; i += 2 )
3038 {
3039 MBEDTLS_SSL_DEBUG_MSG( 3,
3040 ( "Supported Signature Algorithm found: %d,%d",
3041 sig_alg[i], sig_alg[i + 1] ) );
3042 }
3043 #endif
3044
3045 n += 2 + sig_alg_len;
3046 }
3047 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3048
3049 /* certificate_authorities */
3050 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3051 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3052
3053 n += dn_len;
3054 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
3055 {
3056 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3057 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3058 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3059 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3060 }
3061
3062 exit:
3063 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
3064
3065 return( 0 );
3066 }
3067 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3068
ssl_parse_server_hello_done(mbedtls_ssl_context * ssl)3069 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
3070 {
3071 int ret;
3072
3073 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
3074
3075 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
3076 {
3077 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3078 return( ret );
3079 }
3080
3081 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3082 {
3083 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3084 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3085 }
3086
3087 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3088 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
3089 {
3090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3091 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3092 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3093 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
3094 }
3095
3096 ssl->state++;
3097
3098 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3099 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3100 mbedtls_ssl_recv_flight_completed( ssl );
3101 #endif
3102
3103 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
3104
3105 return( 0 );
3106 }
3107
ssl_write_client_key_exchange(mbedtls_ssl_context * ssl)3108 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
3109 {
3110 int ret;
3111 size_t i, n;
3112 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3113 ssl->transform_negotiate->ciphersuite_info;
3114
3115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
3116
3117 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3118 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3119 {
3120 /*
3121 * DHM key exchange -- send G^X mod P
3122 */
3123 n = ssl->handshake->dhm_ctx.len;
3124
3125 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3126 ssl->out_msg[5] = (unsigned char)( n );
3127 i = 6;
3128
3129 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3130 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3131 &ssl->out_msg[i], n,
3132 ssl->conf->f_rng, ssl->conf->p_rng );
3133 if( ret != 0 )
3134 {
3135 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3136 return( ret );
3137 }
3138
3139 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3140 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3141
3142 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3143 ssl->handshake->premaster,
3144 MBEDTLS_PREMASTER_SIZE,
3145 &ssl->handshake->pmslen,
3146 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3147 {
3148 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3149 return( ret );
3150 }
3151
3152 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3153 }
3154 else
3155 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3156 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3157 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3158 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3159 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3160 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3161 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3162 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3163 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3164 {
3165 /*
3166 * ECDH key exchange -- send client public value
3167 */
3168 i = 4;
3169
3170 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3171 &n,
3172 &ssl->out_msg[i], 1000,
3173 ssl->conf->f_rng, ssl->conf->p_rng );
3174 if( ret != 0 )
3175 {
3176 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3177 return( ret );
3178 }
3179
3180 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
3181
3182 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3183 &ssl->handshake->pmslen,
3184 ssl->handshake->premaster,
3185 MBEDTLS_MPI_MAX_SIZE,
3186 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3187 {
3188 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3189 return( ret );
3190 }
3191
3192 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
3193 }
3194 else
3195 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3196 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3197 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3198 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3199 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3200 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
3201 {
3202 /*
3203 * opaque psk_identity<0..2^16-1>;
3204 */
3205 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
3206 {
3207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
3208 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3209 }
3210
3211 i = 4;
3212 n = ssl->conf->psk_identity_len;
3213
3214 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
3215 {
3216 MBEDTLS_SSL_DEBUG_MSG( 1,
3217 ( "psk identity too long or SSL buffer too short" ) );
3218 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3219 }
3220
3221 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3222 ssl->out_msg[i++] = (unsigned char)( n );
3223
3224 memcpy( ssl->out_msg + i,
3225 ssl->conf->psk_identity,
3226 ssl->conf->psk_identity_len );
3227 i += ssl->conf->psk_identity_len;
3228
3229 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3230 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3231 {
3232 n = 0;
3233 }
3234 else
3235 #endif
3236 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3237 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3238 {
3239 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3240 return( ret );
3241 }
3242 else
3243 #endif
3244 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3245 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3246 {
3247 /*
3248 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3249 */
3250 n = ssl->handshake->dhm_ctx.len;
3251
3252 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
3253 {
3254 MBEDTLS_SSL_DEBUG_MSG( 1,
3255 ( "psk identity or DHM size too long or SSL buffer too short" ) );
3256 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3257 }
3258
3259 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3260 ssl->out_msg[i++] = (unsigned char)( n );
3261
3262 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3263 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3264 &ssl->out_msg[i], n,
3265 ssl->conf->f_rng, ssl->conf->p_rng );
3266 if( ret != 0 )
3267 {
3268 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3269 return( ret );
3270 }
3271 }
3272 else
3273 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3274 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3275 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3276 {
3277 /*
3278 * ClientECDiffieHellmanPublic public;
3279 */
3280 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
3281 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
3282 ssl->conf->f_rng, ssl->conf->p_rng );
3283 if( ret != 0 )
3284 {
3285 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3286 return( ret );
3287 }
3288
3289 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
3290 }
3291 else
3292 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3293 {
3294 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3295 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3296 }
3297
3298 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3299 ciphersuite_info->key_exchange ) ) != 0 )
3300 {
3301 MBEDTLS_SSL_DEBUG_RET( 1,
3302 "mbedtls_ssl_psk_derive_premaster", ret );
3303 return( ret );
3304 }
3305 }
3306 else
3307 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3308 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3309 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3310 {
3311 i = 4;
3312 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
3313 return( ret );
3314 }
3315 else
3316 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3317 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3318 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3319 {
3320 i = 4;
3321
3322 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
3323 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
3324 ssl->conf->f_rng, ssl->conf->p_rng );
3325 if( ret != 0 )
3326 {
3327 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3328 return( ret );
3329 }
3330
3331 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3332 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3333 ssl->conf->f_rng, ssl->conf->p_rng );
3334 if( ret != 0 )
3335 {
3336 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3337 return( ret );
3338 }
3339 }
3340 else
3341 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3342 {
3343 ((void) ciphersuite_info);
3344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3345 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3346 }
3347
3348 ssl->out_msglen = i + n;
3349 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3350 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3351
3352 ssl->state++;
3353
3354 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
3355 {
3356 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
3357 return( ret );
3358 }
3359
3360 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
3361
3362 return( 0 );
3363 }
3364
3365 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3366 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3367 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3368 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3369 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3370 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3371 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3372 {
3373 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3374 ssl->transform_negotiate->ciphersuite_info;
3375 int ret;
3376
3377 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3378
3379 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3380 {
3381 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3382 return( ret );
3383 }
3384
3385 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3386 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3387 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3388 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3389 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3390 {
3391 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3392 ssl->state++;
3393 return( 0 );
3394 }
3395
3396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3397 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3398 }
3399 #else
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3400 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3401 {
3402 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3403 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3404 ssl->transform_negotiate->ciphersuite_info;
3405 size_t n = 0, offset = 0;
3406 unsigned char hash[48];
3407 unsigned char *hash_start = hash;
3408 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3409 unsigned int hashlen;
3410
3411 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3412
3413 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3414 {
3415 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3416 return( ret );
3417 }
3418
3419 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3420 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3421 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3422 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3423 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3424 {
3425 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3426 ssl->state++;
3427 return( 0 );
3428 }
3429
3430 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3431 {
3432 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3433 ssl->state++;
3434 return( 0 );
3435 }
3436
3437 if( mbedtls_ssl_own_key( ssl ) == NULL )
3438 {
3439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3440 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3441 }
3442
3443 /*
3444 * Make an RSA signature of the handshake digests
3445 */
3446 ssl->handshake->calc_verify( ssl, hash );
3447
3448 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3449 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3450 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3451 {
3452 /*
3453 * digitally-signed struct {
3454 * opaque md5_hash[16];
3455 * opaque sha_hash[20];
3456 * };
3457 *
3458 * md5_hash
3459 * MD5(handshake_messages);
3460 *
3461 * sha_hash
3462 * SHA(handshake_messages);
3463 */
3464 hashlen = 36;
3465 md_alg = MBEDTLS_MD_NONE;
3466
3467 /*
3468 * For ECDSA, default hash is SHA-1 only
3469 */
3470 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
3471 {
3472 hash_start += 16;
3473 hashlen -= 16;
3474 md_alg = MBEDTLS_MD_SHA1;
3475 }
3476 }
3477 else
3478 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3479 MBEDTLS_SSL_PROTO_TLS1_1 */
3480 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3481 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3482 {
3483 /*
3484 * digitally-signed struct {
3485 * opaque handshake_messages[handshake_messages_length];
3486 * };
3487 *
3488 * Taking shortcut here. We assume that the server always allows the
3489 * PRF Hash function and has sent it in the allowed signature
3490 * algorithms list received in the Certificate Request message.
3491 *
3492 * Until we encounter a server that does not, we will take this
3493 * shortcut.
3494 *
3495 * Reason: Otherwise we should have running hashes for SHA512 and
3496 * SHA224 in order to satisfy 'weird' needs from the server
3497 * side.
3498 */
3499 if( ssl->transform_negotiate->ciphersuite_info->mac ==
3500 MBEDTLS_MD_SHA384 )
3501 {
3502 md_alg = MBEDTLS_MD_SHA384;
3503 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3504 }
3505 else
3506 {
3507 md_alg = MBEDTLS_MD_SHA256;
3508 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3509 }
3510 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
3511
3512 /* Info from md_alg will be used instead */
3513 hashlen = 0;
3514 offset = 2;
3515 }
3516 else
3517 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3518 {
3519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3520 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3521 }
3522
3523 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
3524 ssl->out_msg + 6 + offset, &n,
3525 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3526 {
3527 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3528 return( ret );
3529 }
3530
3531 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3532 ssl->out_msg[5 + offset] = (unsigned char)( n );
3533
3534 ssl->out_msglen = 6 + n + offset;
3535 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3536 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3537
3538 ssl->state++;
3539
3540 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
3541 {
3542 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
3543 return( ret );
3544 }
3545
3546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3547
3548 return( ret );
3549 }
3550 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3551 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3552 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3553 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3554 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3555 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3556
3557 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_parse_new_session_ticket(mbedtls_ssl_context * ssl)3558 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3559 {
3560 int ret;
3561 uint32_t lifetime;
3562 size_t ticket_len;
3563 unsigned char *ticket;
3564 const unsigned char *msg;
3565
3566 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3567
3568 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
3569 {
3570 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3571 return( ret );
3572 }
3573
3574 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3575 {
3576 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3577 mbedtls_ssl_send_alert_message(
3578 ssl,
3579 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3580 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3581 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3582 }
3583
3584 /*
3585 * struct {
3586 * uint32 ticket_lifetime_hint;
3587 * opaque ticket<0..2^16-1>;
3588 * } NewSessionTicket;
3589 *
3590 * 0 . 3 ticket_lifetime_hint
3591 * 4 . 5 ticket_len (n)
3592 * 6 . 5+n ticket content
3593 */
3594 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3595 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3596 {
3597 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3598 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3599 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3600 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3601 }
3602
3603 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3604
3605 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3606 ( msg[2] << 8 ) | ( msg[3] );
3607
3608 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3609
3610 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3611 {
3612 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3613 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3614 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3615 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3616 }
3617
3618 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3619
3620 /* We're not waiting for a NewSessionTicket message any more */
3621 ssl->handshake->new_session_ticket = 0;
3622 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3623
3624 /*
3625 * Zero-length ticket means the server changed his mind and doesn't want
3626 * to send a ticket after all, so just forget it
3627 */
3628 if( ticket_len == 0 )
3629 return( 0 );
3630
3631 mbedtls_zeroize( ssl->session_negotiate->ticket,
3632 ssl->session_negotiate->ticket_len );
3633 mbedtls_free( ssl->session_negotiate->ticket );
3634 ssl->session_negotiate->ticket = NULL;
3635 ssl->session_negotiate->ticket_len = 0;
3636
3637 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3638 {
3639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3640 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3641 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
3642 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3643 }
3644
3645 memcpy( ticket, msg + 6, ticket_len );
3646
3647 ssl->session_negotiate->ticket = ticket;
3648 ssl->session_negotiate->ticket_len = ticket_len;
3649 ssl->session_negotiate->ticket_lifetime = lifetime;
3650
3651 /*
3652 * RFC 5077 section 3.4:
3653 * "If the client receives a session ticket from the server, then it
3654 * discards any Session ID that was sent in the ServerHello."
3655 */
3656 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3657 ssl->session_negotiate->id_len = 0;
3658
3659 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3660
3661 return( 0 );
3662 }
3663 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3664
3665 /*
3666 * SSL handshake -- client side -- single step
3667 */
mbedtls_ssl_handshake_client_step(mbedtls_ssl_context * ssl)3668 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3669 {
3670 int ret = 0;
3671
3672 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3673 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3674
3675 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3676
3677 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3678 return( ret );
3679
3680 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3681 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3682 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3683 {
3684 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3685 return( ret );
3686 }
3687 #endif
3688
3689 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3690 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3691 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3692 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3693 ssl->handshake->new_session_ticket != 0 )
3694 {
3695 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3696 }
3697 #endif
3698
3699 switch( ssl->state )
3700 {
3701 case MBEDTLS_SSL_HELLO_REQUEST:
3702 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3703 break;
3704
3705 /*
3706 * ==> ClientHello
3707 */
3708 case MBEDTLS_SSL_CLIENT_HELLO:
3709 ret = ssl_write_client_hello( ssl );
3710 break;
3711
3712 /*
3713 * <== ServerHello
3714 * Certificate
3715 * ( ServerKeyExchange )
3716 * ( CertificateRequest )
3717 * ServerHelloDone
3718 */
3719 case MBEDTLS_SSL_SERVER_HELLO:
3720 ret = ssl_parse_server_hello( ssl );
3721 break;
3722
3723 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3724 ret = mbedtls_ssl_parse_certificate( ssl );
3725 break;
3726
3727 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3728 ret = ssl_parse_server_key_exchange( ssl );
3729 break;
3730
3731 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3732 ret = ssl_parse_certificate_request( ssl );
3733 break;
3734
3735 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3736 ret = ssl_parse_server_hello_done( ssl );
3737 break;
3738
3739 /*
3740 * ==> ( Certificate/Alert )
3741 * ClientKeyExchange
3742 * ( CertificateVerify )
3743 * ChangeCipherSpec
3744 * Finished
3745 */
3746 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3747 ret = mbedtls_ssl_write_certificate( ssl );
3748 break;
3749
3750 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3751 ret = ssl_write_client_key_exchange( ssl );
3752 break;
3753
3754 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3755 ret = ssl_write_certificate_verify( ssl );
3756 break;
3757
3758 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3759 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
3760 break;
3761
3762 case MBEDTLS_SSL_CLIENT_FINISHED:
3763 ret = mbedtls_ssl_write_finished( ssl );
3764 break;
3765
3766 /*
3767 * <== ( NewSessionTicket )
3768 * ChangeCipherSpec
3769 * Finished
3770 */
3771 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3772 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
3773 ret = ssl_parse_new_session_ticket( ssl );
3774 break;
3775 #endif
3776
3777 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3778 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
3779 break;
3780
3781 case MBEDTLS_SSL_SERVER_FINISHED:
3782 ret = mbedtls_ssl_parse_finished( ssl );
3783 break;
3784
3785 case MBEDTLS_SSL_FLUSH_BUFFERS:
3786 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3787 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3788 break;
3789
3790 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3791 mbedtls_ssl_handshake_wrapup( ssl );
3792 break;
3793
3794 default:
3795 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3796 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3797 }
3798
3799 return( ret );
3800 }
3801 #endif /* MBEDTLS_SSL_CLI_C */
3802