1 /* 2 * SSLv3/TLSv1 client-side functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 */ 46 47 #if !defined(MBEDTLS_CONFIG_FILE) 48 #include "mbedtls/config.h" 49 #else 50 #include MBEDTLS_CONFIG_FILE 51 #endif 52 53 #if defined(MBEDTLS_SSL_CLI_C) 54 55 #if defined(MBEDTLS_PLATFORM_C) 56 #include "mbedtls/platform.h" 57 #else 58 #include <stdlib.h> 59 #define mbedtls_calloc calloc 60 #define mbedtls_free free 61 #endif 62 63 #include "mbedtls/debug.h" 64 #include "mbedtls/ssl.h" 65 #include "mbedtls/ssl_internal.h" 66 67 #include <string.h> 68 69 #include <stdint.h> 70 71 #if defined(MBEDTLS_HAVE_TIME) 72 #include "mbedtls/platform_time.h" 73 #endif 74 75 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 76 #include "mbedtls/platform_util.h" 77 #endif 78 79 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 80 static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 81 unsigned char *buf, 82 const unsigned char *end, 83 size_t *olen ) 84 { 85 unsigned char *p = buf; 86 size_t hostname_len; 87 88 *olen = 0; 89 90 if( ssl->hostname == NULL ) 91 return( 0 ); 92 93 MBEDTLS_SSL_DEBUG_MSG( 3, 94 ( "client hello, adding server name extension: %s", 95 ssl->hostname ) ); 96 97 hostname_len = strlen( ssl->hostname ); 98 99 MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 ); 100 101 /* 102 * Sect. 3, RFC 6066 (TLS Extensions Definitions) 103 * 104 * In order to provide any of the server names, clients MAY include an 105 * extension of type "server_name" in the (extended) client hello. The 106 * "extension_data" field of this extension SHALL contain 107 * "ServerNameList" where: 108 * 109 * struct { 110 * NameType name_type; 111 * select (name_type) { 112 * case host_name: HostName; 113 * } name; 114 * } ServerName; 115 * 116 * enum { 117 * host_name(0), (255) 118 * } NameType; 119 * 120 * opaque HostName<1..2^16-1>; 121 * 122 * struct { 123 * ServerName server_name_list<1..2^16-1> 124 * } ServerNameList; 125 * 126 */ 127 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 128 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 129 130 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 131 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 132 133 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 134 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 135 136 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 137 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 138 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 139 140 memcpy( p, ssl->hostname, hostname_len ); 141 142 *olen = hostname_len + 9; 143 144 return( 0 ); 145 } 146 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 147 148 #if defined(MBEDTLS_SSL_RENEGOTIATION) 149 static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 150 unsigned char *buf, 151 const unsigned char *end, 152 size_t *olen ) 153 { 154 unsigned char *p = buf; 155 156 *olen = 0; 157 158 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 159 * initial ClientHello, in which case also adding the renegotiation 160 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 161 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 162 return( 0 ); 163 164 MBEDTLS_SSL_DEBUG_MSG( 3, 165 ( "client hello, adding renegotiation extension" ) ); 166 167 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len ); 168 169 /* 170 * Secure renegotiation 171 */ 172 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) 173 & 0xFF ); 174 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) 175 & 0xFF ); 176 177 *p++ = 0x00; 178 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 179 *p++ = ssl->verify_data_len & 0xFF; 180 181 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 182 183 *olen = 5 + ssl->verify_data_len; 184 185 return( 0 ); 186 } 187 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 188 189 /* 190 * Only if we handle at least one key exchange that needs signatures. 191 */ 192 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 193 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 194 static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 195 unsigned char *buf, 196 const unsigned char *end, 197 size_t *olen ) 198 { 199 unsigned char *p = buf; 200 size_t sig_alg_len = 0; 201 const int *md; 202 203 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 204 unsigned char *sig_alg_list = buf + 6; 205 #endif 206 207 *olen = 0; 208 209 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 210 return( 0 ); 211 212 MBEDTLS_SSL_DEBUG_MSG( 3, 213 ( "client hello, adding signature_algorithms extension" ) ); 214 215 if( ssl->conf->sig_hashes == NULL ) 216 return( MBEDTLS_ERR_SSL_BAD_CONFIG ); 217 218 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 219 { 220 #if defined(MBEDTLS_ECDSA_C) 221 sig_alg_len += 2; 222 #endif 223 #if defined(MBEDTLS_RSA_C) 224 sig_alg_len += 2; 225 #endif 226 if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN ) 227 { 228 MBEDTLS_SSL_DEBUG_MSG( 3, 229 ( "length in bytes of sig-hash-alg extension too big" ) ); 230 return( MBEDTLS_ERR_SSL_BAD_CONFIG ); 231 } 232 } 233 234 /* Empty signature algorithms list, this is a configuration error. */ 235 if( sig_alg_len == 0 ) 236 return( MBEDTLS_ERR_SSL_BAD_CONFIG ); 237 238 MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 ); 239 240 /* 241 * Prepare signature_algorithms extension (TLS 1.2) 242 */ 243 sig_alg_len = 0; 244 245 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 246 { 247 #if defined(MBEDTLS_ECDSA_C) 248 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 249 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 250 #endif 251 #if defined(MBEDTLS_RSA_C) 252 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 253 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 254 #endif 255 } 256 257 /* 258 * enum { 259 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 260 * sha512(6), (255) 261 * } HashAlgorithm; 262 * 263 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 264 * SignatureAlgorithm; 265 * 266 * struct { 267 * HashAlgorithm hash; 268 * SignatureAlgorithm signature; 269 * } SignatureAndHashAlgorithm; 270 * 271 * SignatureAndHashAlgorithm 272 * supported_signature_algorithms<2..2^16-2>; 273 */ 274 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 275 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 276 277 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 278 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 279 280 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 281 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 282 283 *olen = 6 + sig_alg_len; 284 285 return( 0 ); 286 } 287 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 288 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 289 290 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 291 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 292 static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 293 unsigned char *buf, 294 const unsigned char *end, 295 size_t *olen ) 296 { 297 unsigned char *p = buf; 298 unsigned char *elliptic_curve_list = p + 6; 299 size_t elliptic_curve_len = 0; 300 const mbedtls_ecp_curve_info *info; 301 const mbedtls_ecp_group_id *grp_id; 302 303 *olen = 0; 304 305 MBEDTLS_SSL_DEBUG_MSG( 3, 306 ( "client hello, adding supported_elliptic_curves extension" ) ); 307 308 if( ssl->conf->curve_list == NULL ) 309 return( MBEDTLS_ERR_SSL_BAD_CONFIG ); 310 311 for( grp_id = ssl->conf->curve_list; 312 *grp_id != MBEDTLS_ECP_DP_NONE; 313 grp_id++ ) 314 { 315 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 316 if( info == NULL ) 317 { 318 MBEDTLS_SSL_DEBUG_MSG( 1, 319 ( "invalid curve in ssl configuration" ) ); 320 return( MBEDTLS_ERR_SSL_BAD_CONFIG ); 321 } 322 elliptic_curve_len += 2; 323 324 if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN ) 325 { 326 MBEDTLS_SSL_DEBUG_MSG( 3, 327 ( "malformed supported_elliptic_curves extension in config" ) ); 328 return( MBEDTLS_ERR_SSL_BAD_CONFIG ); 329 } 330 } 331 332 /* Empty elliptic curve list, this is a configuration error. */ 333 if( elliptic_curve_len == 0 ) 334 return( MBEDTLS_ERR_SSL_BAD_CONFIG ); 335 336 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len ); 337 338 elliptic_curve_len = 0; 339 340 for( grp_id = ssl->conf->curve_list; 341 *grp_id != MBEDTLS_ECP_DP_NONE; 342 grp_id++ ) 343 { 344 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 345 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 346 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 347 } 348 349 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) 350 & 0xFF ); 351 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) 352 & 0xFF ); 353 354 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 355 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 356 357 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 358 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 359 360 *olen = 6 + elliptic_curve_len; 361 362 return( 0 ); 363 } 364 365 static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 366 unsigned char *buf, 367 const unsigned char *end, 368 size_t *olen ) 369 { 370 unsigned char *p = buf; 371 (void) ssl; /* ssl used for debugging only */ 372 373 *olen = 0; 374 375 MBEDTLS_SSL_DEBUG_MSG( 3, 376 ( "client hello, adding supported_point_formats extension" ) ); 377 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); 378 379 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) 380 & 0xFF ); 381 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) 382 & 0xFF ); 383 384 *p++ = 0x00; 385 *p++ = 2; 386 387 *p++ = 1; 388 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 389 390 *olen = 6; 391 392 return( 0 ); 393 } 394 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 395 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 396 397 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 398 static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 399 unsigned char *buf, 400 const unsigned char *end, 401 size_t *olen ) 402 { 403 int ret; 404 unsigned char *p = buf; 405 size_t kkpp_len; 406 407 *olen = 0; 408 409 /* Skip costly extension if we can't use EC J-PAKE anyway */ 410 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 411 return( 0 ); 412 413 MBEDTLS_SSL_DEBUG_MSG( 3, 414 ( "client hello, adding ecjpake_kkpp extension" ) ); 415 416 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); 417 418 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 419 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 420 421 /* 422 * We may need to send ClientHello multiple times for Hello verification. 423 * We don't want to compute fresh values every time (both for performance 424 * and consistency reasons), so cache the extension content. 425 */ 426 if( ssl->handshake->ecjpake_cache == NULL || 427 ssl->handshake->ecjpake_cache_len == 0 ) 428 { 429 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 430 431 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 432 p + 2, end - p - 2, &kkpp_len, 433 ssl->conf->f_rng, ssl->conf->p_rng ); 434 if( ret != 0 ) 435 { 436 MBEDTLS_SSL_DEBUG_RET( 1 , 437 "mbedtls_ecjpake_write_round_one", ret ); 438 return( ret ); 439 } 440 441 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 442 if( ssl->handshake->ecjpake_cache == NULL ) 443 { 444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 445 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 446 } 447 448 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 449 ssl->handshake->ecjpake_cache_len = kkpp_len; 450 } 451 else 452 { 453 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 454 455 kkpp_len = ssl->handshake->ecjpake_cache_len; 456 MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len ); 457 458 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 459 } 460 461 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 462 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 463 464 *olen = kkpp_len + 4; 465 466 return( 0 ); 467 } 468 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 469 470 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 471 static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 472 unsigned char *buf, 473 const unsigned char *end, 474 size_t *olen ) 475 { 476 unsigned char *p = buf; 477 478 *olen = 0; 479 480 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) 481 return( 0 ); 482 483 MBEDTLS_SSL_DEBUG_MSG( 3, 484 ( "client hello, adding max_fragment_length extension" ) ); 485 486 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 ); 487 488 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) 489 & 0xFF ); 490 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) 491 & 0xFF ); 492 493 *p++ = 0x00; 494 *p++ = 1; 495 496 *p++ = ssl->conf->mfl_code; 497 498 *olen = 5; 499 500 return( 0 ); 501 } 502 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 503 504 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 505 static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 506 unsigned char *buf, 507 const unsigned char *end, 508 size_t *olen ) 509 { 510 unsigned char *p = buf; 511 512 *olen = 0; 513 514 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 515 return( 0 ); 516 517 MBEDTLS_SSL_DEBUG_MSG( 3, 518 ( "client hello, adding truncated_hmac extension" ) ); 519 520 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); 521 522 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 523 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 524 525 *p++ = 0x00; 526 *p++ = 0x00; 527 528 *olen = 4; 529 530 return( 0 ); 531 } 532 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 533 534 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 535 static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 536 unsigned char *buf, 537 const unsigned char *end, 538 size_t *olen ) 539 { 540 unsigned char *p = buf; 541 542 *olen = 0; 543 544 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 545 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 546 return( 0 ); 547 548 MBEDTLS_SSL_DEBUG_MSG( 3, 549 ( "client hello, adding encrypt_then_mac extension" ) ); 550 551 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); 552 553 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 554 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 555 556 *p++ = 0x00; 557 *p++ = 0x00; 558 559 *olen = 4; 560 561 return( 0 ); 562 } 563 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 564 565 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 566 static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 567 unsigned char *buf, 568 const unsigned char *end, 569 size_t *olen ) 570 { 571 unsigned char *p = buf; 572 573 *olen = 0; 574 575 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 576 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 577 return( 0 ); 578 579 MBEDTLS_SSL_DEBUG_MSG( 3, 580 ( "client hello, adding extended_master_secret extension" ) ); 581 582 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 ); 583 584 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) 585 & 0xFF ); 586 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) 587 & 0xFF ); 588 589 *p++ = 0x00; 590 *p++ = 0x00; 591 592 *olen = 4; 593 594 return( 0 ); 595 } 596 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 597 598 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 599 static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 600 unsigned char *buf, 601 const unsigned char *end, 602 size_t *olen ) 603 { 604 unsigned char *p = buf; 605 size_t tlen = ssl->session_negotiate->ticket_len; 606 607 *olen = 0; 608 609 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 610 return( 0 ); 611 612 MBEDTLS_SSL_DEBUG_MSG( 3, 613 ( "client hello, adding session ticket extension" ) ); 614 615 /* The addition is safe here since the ticket length is 16 bit. */ 616 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen ); 617 618 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 619 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 620 621 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 622 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 623 624 *olen = 4; 625 626 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 627 return( 0 ); 628 629 MBEDTLS_SSL_DEBUG_MSG( 3, 630 ( "sending session ticket of length %d", tlen ) ); 631 632 memcpy( p, ssl->session_negotiate->ticket, tlen ); 633 634 *olen += tlen; 635 636 return( 0 ); 637 } 638 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 639 640 #if defined(MBEDTLS_SSL_ALPN) 641 static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 642 unsigned char *buf, 643 const unsigned char *end, 644 size_t *olen ) 645 { 646 unsigned char *p = buf; 647 size_t alpnlen = 0; 648 const char **cur; 649 650 *olen = 0; 651 652 if( ssl->conf->alpn_list == NULL ) 653 return( 0 ); 654 655 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 656 657 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 658 alpnlen += strlen( *cur ) + 1; 659 660 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen ); 661 662 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 663 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 664 665 /* 666 * opaque ProtocolName<1..2^8-1>; 667 * 668 * struct { 669 * ProtocolName protocol_name_list<2..2^16-1> 670 * } ProtocolNameList; 671 */ 672 673 /* Skip writing extension and list length for now */ 674 p += 4; 675 676 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 677 { 678 /* 679 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of 680 * protocol names is less than 255. 681 */ 682 *p = (unsigned char)strlen( *cur ); 683 memcpy( p + 1, *cur, *p ); 684 p += 1 + *p; 685 } 686 687 *olen = p - buf; 688 689 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 690 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 691 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 692 693 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 694 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 695 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 696 697 return( 0 ); 698 } 699 #endif /* MBEDTLS_SSL_ALPN */ 700 701 /* 702 * Generate random bytes for ClientHello 703 */ 704 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 705 { 706 int ret; 707 unsigned char *p = ssl->handshake->randbytes; 708 #if defined(MBEDTLS_HAVE_TIME) 709 mbedtls_time_t t; 710 #endif 711 712 /* 713 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 714 */ 715 #if defined(MBEDTLS_SSL_PROTO_DTLS) 716 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 717 ssl->handshake->verify_cookie != NULL ) 718 { 719 return( 0 ); 720 } 721 #endif 722 723 #if defined(MBEDTLS_HAVE_TIME) 724 t = mbedtls_time( NULL ); 725 *p++ = (unsigned char)( t >> 24 ); 726 *p++ = (unsigned char)( t >> 16 ); 727 *p++ = (unsigned char)( t >> 8 ); 728 *p++ = (unsigned char)( t ); 729 730 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 731 #else 732 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 733 return( ret ); 734 735 p += 4; 736 #endif /* MBEDTLS_HAVE_TIME */ 737 738 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 739 return( ret ); 740 741 return( 0 ); 742 } 743 744 /** 745 * \brief Validate cipher suite against config in SSL context. 746 * 747 * \param suite_info cipher suite to validate 748 * \param ssl SSL context 749 * \param min_minor_ver Minimal minor version to accept a cipher suite 750 * \param max_minor_ver Maximal minor version to accept a cipher suite 751 * 752 * \return 0 if valid, else 1 753 */ 754 static int ssl_validate_ciphersuite( 755 const mbedtls_ssl_ciphersuite_t * suite_info, 756 const mbedtls_ssl_context * ssl, 757 int min_minor_ver, int max_minor_ver ) 758 { 759 (void) ssl; 760 if( suite_info == NULL ) 761 return( 1 ); 762 763 if( suite_info->min_minor_ver > max_minor_ver || 764 suite_info->max_minor_ver < min_minor_ver ) 765 return( 1 ); 766 767 #if defined(MBEDTLS_SSL_PROTO_DTLS) 768 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 769 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 770 return( 1 ); 771 #endif 772 773 #if defined(MBEDTLS_ARC4_C) 774 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 775 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 776 return( 1 ); 777 #endif 778 779 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 780 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 781 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 782 return( 1 ); 783 #endif 784 785 return( 0 ); 786 } 787 788 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 789 { 790 int ret; 791 size_t i, n, olen, ext_len = 0; 792 793 unsigned char *buf; 794 unsigned char *p, *q; 795 const unsigned char *end; 796 797 unsigned char offer_compress; 798 const int *ciphersuites; 799 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 800 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 801 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 802 int uses_ec = 0; 803 #endif 804 805 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 806 807 if( ssl->conf->f_rng == NULL ) 808 { 809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 810 return( MBEDTLS_ERR_SSL_NO_RNG ); 811 } 812 813 #if defined(MBEDTLS_SSL_RENEGOTIATION) 814 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 815 #endif 816 { 817 ssl->major_ver = ssl->conf->min_major_ver; 818 ssl->minor_ver = ssl->conf->min_minor_ver; 819 } 820 821 if( ssl->conf->max_major_ver == 0 ) 822 { 823 MBEDTLS_SSL_DEBUG_MSG( 1, 824 ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) ); 825 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 826 } 827 828 buf = ssl->out_msg; 829 end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN; 830 831 /* 832 * Check if there's enough space for the first part of the ClientHello 833 * consisting of the 38 bytes described below, the session identifier (at 834 * most 32 bytes) and its length (1 byte). 835 * 836 * Use static upper bounds instead of the actual values 837 * to allow the compiler to optimize this away. 838 */ 839 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 ); 840 841 /* 842 * The 38 first bytes of the ClientHello: 843 * 0 . 0 handshake type (written later) 844 * 1 . 3 handshake length (written later) 845 * 4 . 5 highest version supported 846 * 6 . 9 current UNIX time 847 * 10 . 37 random bytes 848 * 849 * The current UNIX time (4 bytes) and following 28 random bytes are written 850 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then 851 * copied from there into the output buffer. 852 */ 853 854 p = buf + 4; 855 mbedtls_ssl_write_version( ssl->conf->max_major_ver, 856 ssl->conf->max_minor_ver, 857 ssl->conf->transport, p ); 858 p += 2; 859 860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 861 buf[4], buf[5] ) ); 862 863 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 864 { 865 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 866 return( ret ); 867 } 868 869 memcpy( p, ssl->handshake->randbytes, 32 ); 870 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 871 p += 32; 872 873 /* 874 * 38 . 38 session id length 875 * 39 . 39+n session id 876 * 39+n . 39+n DTLS only: cookie length (1 byte) 877 * 40+n . .. DTLS only: cookie 878 * .. . .. ciphersuitelist length (2 bytes) 879 * .. . .. ciphersuitelist 880 * .. . .. compression methods length (1 byte) 881 * .. . .. compression methods 882 * .. . .. extensions length (2 bytes) 883 * .. . .. extensions 884 */ 885 n = ssl->session_negotiate->id_len; 886 887 if( n < 16 || n > 32 || 888 #if defined(MBEDTLS_SSL_RENEGOTIATION) 889 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 890 #endif 891 ssl->handshake->resume == 0 ) 892 { 893 n = 0; 894 } 895 896 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 897 /* 898 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 899 * generate and include a Session ID in the TLS ClientHello." 900 */ 901 #if defined(MBEDTLS_SSL_RENEGOTIATION) 902 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 903 #endif 904 { 905 if( ssl->session_negotiate->ticket != NULL && 906 ssl->session_negotiate->ticket_len != 0 ) 907 { 908 ret = ssl->conf->f_rng( ssl->conf->p_rng, 909 ssl->session_negotiate->id, 32 ); 910 911 if( ret != 0 ) 912 return( ret ); 913 914 ssl->session_negotiate->id_len = n = 32; 915 } 916 } 917 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 918 919 /* 920 * The first check of the output buffer size above ( 921 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );) 922 * has checked that there is enough space in the output buffer for the 923 * session identifier length byte and the session identifier (n <= 32). 924 */ 925 *p++ = (unsigned char) n; 926 927 for( i = 0; i < n; i++ ) 928 *p++ = ssl->session_negotiate->id[i]; 929 930 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 931 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 932 933 /* 934 * With 'n' being the length of the session identifier 935 * 936 * 39+n . 39+n DTLS only: cookie length (1 byte) 937 * 40+n . .. DTLS only: cookie 938 * .. . .. ciphersuitelist length (2 bytes) 939 * .. . .. ciphersuitelist 940 * .. . .. compression methods length (1 byte) 941 * .. . .. compression methods 942 * .. . .. extensions length (2 bytes) 943 * .. . .. extensions 944 */ 945 946 /* 947 * DTLS cookie 948 */ 949 #if defined(MBEDTLS_SSL_PROTO_DTLS) 950 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 951 { 952 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 ); 953 954 if( ssl->handshake->verify_cookie == NULL ) 955 { 956 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 957 *p++ = 0; 958 } 959 else 960 { 961 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 962 ssl->handshake->verify_cookie, 963 ssl->handshake->verify_cookie_len ); 964 965 *p++ = ssl->handshake->verify_cookie_len; 966 967 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 968 ssl->handshake->verify_cookie_len ); 969 memcpy( p, ssl->handshake->verify_cookie, 970 ssl->handshake->verify_cookie_len ); 971 p += ssl->handshake->verify_cookie_len; 972 } 973 } 974 #endif 975 976 /* 977 * Ciphersuite list 978 */ 979 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 980 981 /* Skip writing ciphersuite length for now */ 982 n = 0; 983 q = p; 984 985 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); 986 p += 2; 987 988 for( i = 0; ciphersuites[i] != 0; i++ ) 989 { 990 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 991 992 if( ssl_validate_ciphersuite( ciphersuite_info, ssl, 993 ssl->conf->min_minor_ver, 994 ssl->conf->max_minor_ver ) != 0 ) 995 continue; 996 997 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 998 ciphersuites[i] ) ); 999 1000 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1001 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1002 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info ); 1003 #endif 1004 1005 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); 1006 1007 n++; 1008 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 1009 *p++ = (unsigned char)( ciphersuites[i] ); 1010 } 1011 1012 MBEDTLS_SSL_DEBUG_MSG( 3, 1013 ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) ); 1014 1015 /* 1016 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 1017 */ 1018 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1019 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 1020 #endif 1021 { 1022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); 1023 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); 1024 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 1025 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 1026 n++; 1027 } 1028 1029 /* Some versions of OpenSSL don't handle it correctly if not at end */ 1030 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 1031 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 1032 { 1033 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 1034 1035 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); 1036 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 1037 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 1038 n++; 1039 } 1040 #endif 1041 1042 *q++ = (unsigned char)( n >> 7 ); 1043 *q++ = (unsigned char)( n << 1 ); 1044 1045 #if defined(MBEDTLS_ZLIB_SUPPORT) 1046 offer_compress = 1; 1047 #else 1048 offer_compress = 0; 1049 #endif 1050 1051 /* 1052 * We don't support compression with DTLS right now: if many records come 1053 * in the same datagram, uncompressing one could overwrite the next one. 1054 * We don't want to add complexity for handling that case unless there is 1055 * an actual need for it. 1056 */ 1057 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1058 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1059 offer_compress = 0; 1060 #endif 1061 1062 if( offer_compress ) 1063 { 1064 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 1065 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 1066 MBEDTLS_SSL_COMPRESS_DEFLATE, 1067 MBEDTLS_SSL_COMPRESS_NULL ) ); 1068 1069 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 ); 1070 *p++ = 2; 1071 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 1072 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 1073 } 1074 else 1075 { 1076 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 1077 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 1078 MBEDTLS_SSL_COMPRESS_NULL ) ); 1079 1080 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); 1081 *p++ = 1; 1082 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 1083 } 1084 1085 /* First write extensions, then the total length */ 1086 1087 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); 1088 1089 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1090 if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len, 1091 end, &olen ) ) != 0 ) 1092 { 1093 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret ); 1094 return( ret ); 1095 } 1096 ext_len += olen; 1097 #endif 1098 1099 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 1100 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 1101 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1102 if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, 1103 end, &olen ) ) != 0 ) 1104 { 1105 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret ); 1106 return( ret ); 1107 } 1108 ext_len += olen; 1109 #endif 1110 1111 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 1112 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 1113 if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, 1114 end, &olen ) ) != 0 ) 1115 { 1116 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret ); 1117 return( ret ); 1118 } 1119 ext_len += olen; 1120 #endif 1121 1122 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1123 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1124 if( uses_ec ) 1125 { 1126 if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, 1127 end, &olen ) ) != 0 ) 1128 { 1129 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret ); 1130 return( ret ); 1131 } 1132 ext_len += olen; 1133 1134 if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, 1135 end, &olen ) ) != 0 ) 1136 { 1137 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret ); 1138 return( ret ); 1139 } 1140 ext_len += olen; 1141 } 1142 #endif 1143 1144 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1145 if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, 1146 end, &olen ) ) != 0 ) 1147 { 1148 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret ); 1149 return( ret ); 1150 } 1151 ext_len += olen; 1152 #endif 1153 1154 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1155 if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, 1156 end, &olen ) ) != 0 ) 1157 { 1158 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret ); 1159 return( ret ); 1160 } 1161 ext_len += olen; 1162 #endif 1163 1164 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 1165 if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, 1166 end, &olen ) ) != 0 ) 1167 { 1168 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret ); 1169 return( ret ); 1170 } 1171 ext_len += olen; 1172 #endif 1173 1174 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1175 if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, 1176 end, &olen ) ) != 0 ) 1177 { 1178 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret ); 1179 return( ret ); 1180 } 1181 ext_len += olen; 1182 #endif 1183 1184 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1185 if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, 1186 end, &olen ) ) != 0 ) 1187 { 1188 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret ); 1189 return( ret ); 1190 } 1191 ext_len += olen; 1192 #endif 1193 1194 #if defined(MBEDTLS_SSL_ALPN) 1195 if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len, 1196 end, &olen ) ) != 0 ) 1197 { 1198 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret ); 1199 return( ret ); 1200 } 1201 ext_len += olen; 1202 #endif 1203 1204 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1205 if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, 1206 end, &olen ) ) != 0 ) 1207 { 1208 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret ); 1209 return( ret ); 1210 } 1211 ext_len += olen; 1212 #endif 1213 1214 /* olen unused if all extensions are disabled */ 1215 ((void) olen); 1216 1217 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 1218 ext_len ) ); 1219 1220 if( ext_len > 0 ) 1221 { 1222 /* No need to check for space here, because the extension 1223 * writing functions already took care of that. */ 1224 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 1225 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 1226 p += ext_len; 1227 } 1228 1229 ssl->out_msglen = p - buf; 1230 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 1231 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 1232 1233 ssl->state++; 1234 1235 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1236 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1237 mbedtls_ssl_send_flight_completed( ssl ); 1238 #endif 1239 1240 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 1241 { 1242 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 1243 return( ret ); 1244 } 1245 1246 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1247 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 1248 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 1249 { 1250 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); 1251 return( ret ); 1252 } 1253 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1254 1255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 1256 1257 return( 0 ); 1258 } 1259 1260 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 1261 const unsigned char *buf, 1262 size_t len ) 1263 { 1264 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1265 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 1266 { 1267 /* Check verify-data in constant-time. The length OTOH is no secret */ 1268 if( len != 1 + ssl->verify_data_len * 2 || 1269 buf[0] != ssl->verify_data_len * 2 || 1270 mbedtls_ssl_safer_memcmp( buf + 1, 1271 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 1272 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 1273 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 1274 { 1275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 1276 mbedtls_ssl_send_alert_message( 1277 ssl, 1278 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1279 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1280 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1281 } 1282 } 1283 else 1284 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1285 { 1286 if( len != 1 || buf[0] != 0x00 ) 1287 { 1288 MBEDTLS_SSL_DEBUG_MSG( 1, 1289 ( "non-zero length renegotiation info" ) ); 1290 mbedtls_ssl_send_alert_message( 1291 ssl, 1292 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1293 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1295 } 1296 1297 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 1298 } 1299 1300 return( 0 ); 1301 } 1302 1303 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1304 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 1305 const unsigned char *buf, 1306 size_t len ) 1307 { 1308 /* 1309 * server should use the extension only if we did, 1310 * and if so the server's value should match ours (and len is always 1) 1311 */ 1312 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 1313 len != 1 || 1314 buf[0] != ssl->conf->mfl_code ) 1315 { 1316 MBEDTLS_SSL_DEBUG_MSG( 1, 1317 ( "non-matching max fragment length extension" ) ); 1318 mbedtls_ssl_send_alert_message( 1319 ssl, 1320 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1321 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1322 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1323 } 1324 1325 return( 0 ); 1326 } 1327 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1328 1329 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 1330 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 1331 const unsigned char *buf, 1332 size_t len ) 1333 { 1334 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 1335 len != 0 ) 1336 { 1337 MBEDTLS_SSL_DEBUG_MSG( 1, 1338 ( "non-matching truncated HMAC extension" ) ); 1339 mbedtls_ssl_send_alert_message( 1340 ssl, 1341 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1342 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1343 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1344 } 1345 1346 ((void) buf); 1347 1348 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 1349 1350 return( 0 ); 1351 } 1352 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 1353 1354 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1355 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 1356 const unsigned char *buf, 1357 size_t len ) 1358 { 1359 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 1360 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 1361 len != 0 ) 1362 { 1363 MBEDTLS_SSL_DEBUG_MSG( 1, 1364 ( "non-matching encrypt-then-MAC extension" ) ); 1365 mbedtls_ssl_send_alert_message( 1366 ssl, 1367 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1368 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); 1369 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1370 } 1371 1372 ((void) buf); 1373 1374 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 1375 1376 return( 0 ); 1377 } 1378 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1379 1380 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1381 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 1382 const unsigned char *buf, 1383 size_t len ) 1384 { 1385 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 1386 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 1387 len != 0 ) 1388 { 1389 MBEDTLS_SSL_DEBUG_MSG( 1, 1390 ( "non-matching extended master secret extension" ) ); 1391 mbedtls_ssl_send_alert_message( 1392 ssl, 1393 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1394 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); 1395 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1396 } 1397 1398 ((void) buf); 1399 1400 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 1401 1402 return( 0 ); 1403 } 1404 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1405 1406 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1407 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 1408 const unsigned char *buf, 1409 size_t len ) 1410 { 1411 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 1412 len != 0 ) 1413 { 1414 MBEDTLS_SSL_DEBUG_MSG( 1, 1415 ( "non-matching session ticket extension" ) ); 1416 mbedtls_ssl_send_alert_message( 1417 ssl, 1418 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1419 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); 1420 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1421 } 1422 1423 ((void) buf); 1424 1425 ssl->handshake->new_session_ticket = 1; 1426 1427 return( 0 ); 1428 } 1429 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1430 1431 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1432 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1433 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 1434 const unsigned char *buf, 1435 size_t len ) 1436 { 1437 size_t list_size; 1438 const unsigned char *p; 1439 1440 if( len == 0 || (size_t)( buf[0] + 1 ) != len ) 1441 { 1442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1443 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1444 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1445 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1446 } 1447 list_size = buf[0]; 1448 1449 p = buf + 1; 1450 while( list_size > 0 ) 1451 { 1452 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 1453 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 1454 { 1455 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 1456 ssl->handshake->ecdh_ctx.point_format = p[0]; 1457 #endif 1458 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1459 ssl->handshake->ecjpake_ctx.point_format = p[0]; 1460 #endif 1461 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 1462 return( 0 ); 1463 } 1464 1465 list_size--; 1466 p++; 1467 } 1468 1469 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 1470 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1471 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1472 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1473 } 1474 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1475 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1476 1477 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1478 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 1479 const unsigned char *buf, 1480 size_t len ) 1481 { 1482 int ret; 1483 1484 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 1485 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 1486 { 1487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 1488 return( 0 ); 1489 } 1490 1491 /* If we got here, we no longer need our cached extension */ 1492 mbedtls_free( ssl->handshake->ecjpake_cache ); 1493 ssl->handshake->ecjpake_cache = NULL; 1494 ssl->handshake->ecjpake_cache_len = 0; 1495 1496 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 1497 buf, len ) ) != 0 ) 1498 { 1499 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 1500 mbedtls_ssl_send_alert_message( 1501 ssl, 1502 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1503 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1504 return( ret ); 1505 } 1506 1507 return( 0 ); 1508 } 1509 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1510 1511 #if defined(MBEDTLS_SSL_ALPN) 1512 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 1513 const unsigned char *buf, size_t len ) 1514 { 1515 size_t list_len, name_len; 1516 const char **p; 1517 1518 /* If we didn't send it, the server shouldn't send it */ 1519 if( ssl->conf->alpn_list == NULL ) 1520 { 1521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 1522 mbedtls_ssl_send_alert_message( 1523 ssl, 1524 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1525 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT ); 1526 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1527 } 1528 1529 /* 1530 * opaque ProtocolName<1..2^8-1>; 1531 * 1532 * struct { 1533 * ProtocolName protocol_name_list<2..2^16-1> 1534 * } ProtocolNameList; 1535 * 1536 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 1537 */ 1538 1539 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 1540 if( len < 4 ) 1541 { 1542 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1543 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1544 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1545 } 1546 1547 list_len = ( buf[0] << 8 ) | buf[1]; 1548 if( list_len != len - 2 ) 1549 { 1550 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1551 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1552 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1553 } 1554 1555 name_len = buf[2]; 1556 if( name_len != list_len - 1 ) 1557 { 1558 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1559 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1560 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1561 } 1562 1563 /* Check that the server chosen protocol was in our list and save it */ 1564 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 1565 { 1566 if( name_len == strlen( *p ) && 1567 memcmp( buf + 3, *p, name_len ) == 0 ) 1568 { 1569 ssl->alpn_chosen = *p; 1570 return( 0 ); 1571 } 1572 } 1573 1574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 1575 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1576 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1577 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1578 } 1579 #endif /* MBEDTLS_SSL_ALPN */ 1580 1581 /* 1582 * Parse HelloVerifyRequest. Only called after verifying the HS type. 1583 */ 1584 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1585 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 1586 { 1587 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 1588 int major_ver, minor_ver; 1589 unsigned char cookie_len; 1590 1591 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 1592 1593 /* Check that there is enough room for: 1594 * - 2 bytes of version 1595 * - 1 byte of cookie_len 1596 */ 1597 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen ) 1598 { 1599 MBEDTLS_SSL_DEBUG_MSG( 1, 1600 ( "incoming HelloVerifyRequest message is too short" ) ); 1601 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1602 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1603 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1604 } 1605 1606 /* 1607 * struct { 1608 * ProtocolVersion server_version; 1609 * opaque cookie<0..2^8-1>; 1610 * } HelloVerifyRequest; 1611 */ 1612 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 1613 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 1614 p += 2; 1615 1616 /* 1617 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 1618 * even is lower than our min version. 1619 */ 1620 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 1621 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 1622 major_ver > ssl->conf->max_major_ver || 1623 minor_ver > ssl->conf->max_minor_ver ) 1624 { 1625 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 1626 1627 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1628 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 1629 1630 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 1631 } 1632 1633 cookie_len = *p++; 1634 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 1635 { 1636 MBEDTLS_SSL_DEBUG_MSG( 1, 1637 ( "cookie length does not match incoming message size" ) ); 1638 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1639 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1640 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1641 } 1642 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 1643 1644 mbedtls_free( ssl->handshake->verify_cookie ); 1645 1646 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 1647 if( ssl->handshake->verify_cookie == NULL ) 1648 { 1649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 1650 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 1651 } 1652 1653 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 1654 ssl->handshake->verify_cookie_len = cookie_len; 1655 1656 /* Start over at ClientHello */ 1657 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 1658 mbedtls_ssl_reset_checksum( ssl ); 1659 1660 mbedtls_ssl_recv_flight_completed( ssl ); 1661 1662 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 1663 1664 return( 0 ); 1665 } 1666 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1667 1668 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 1669 { 1670 int ret, i; 1671 size_t n; 1672 size_t ext_len; 1673 unsigned char *buf, *ext; 1674 unsigned char comp; 1675 #if defined(MBEDTLS_ZLIB_SUPPORT) 1676 int accept_comp; 1677 #endif 1678 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1679 int renegotiation_info_seen = 0; 1680 #endif 1681 int handshake_failure = 0; 1682 const mbedtls_ssl_ciphersuite_t *suite_info; 1683 1684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 1685 1686 buf = ssl->in_msg; 1687 1688 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 1689 { 1690 /* No alert on a read error. */ 1691 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 1692 return( ret ); 1693 } 1694 1695 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 1696 { 1697 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1698 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 1699 { 1700 ssl->renego_records_seen++; 1701 1702 if( ssl->conf->renego_max_records >= 0 && 1703 ssl->renego_records_seen > ssl->conf->renego_max_records ) 1704 { 1705 MBEDTLS_SSL_DEBUG_MSG( 1, 1706 ( "renegotiation requested, but not honored by server" ) ); 1707 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 1708 } 1709 1710 MBEDTLS_SSL_DEBUG_MSG( 1, 1711 ( "non-handshake message during renegotiation" ) ); 1712 1713 ssl->keep_current_message = 1; 1714 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 1715 } 1716 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1717 1718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1719 mbedtls_ssl_send_alert_message( 1720 ssl, 1721 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1722 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 1723 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 1724 } 1725 1726 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1727 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1728 { 1729 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 1730 { 1731 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 1732 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 1733 return( ssl_parse_hello_verify_request( ssl ) ); 1734 } 1735 else 1736 { 1737 /* We made it through the verification process */ 1738 mbedtls_free( ssl->handshake->verify_cookie ); 1739 ssl->handshake->verify_cookie = NULL; 1740 ssl->handshake->verify_cookie_len = 0; 1741 } 1742 } 1743 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1744 1745 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 1746 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 1747 { 1748 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1749 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1750 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1751 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1752 } 1753 1754 /* 1755 * 0 . 1 server_version 1756 * 2 . 33 random (maybe including 4 bytes of Unix time) 1757 * 34 . 34 session_id length = n 1758 * 35 . 34+n session_id 1759 * 35+n . 36+n cipher_suite 1760 * 37+n . 37+n compression_method 1761 * 1762 * 38+n . 39+n extensions length (optional) 1763 * 40+n . .. extensions 1764 */ 1765 buf += mbedtls_ssl_hs_hdr_len( ssl ); 1766 1767 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 1768 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 1769 ssl->conf->transport, buf + 0 ); 1770 1771 if( ssl->major_ver < ssl->conf->min_major_ver || 1772 ssl->minor_ver < ssl->conf->min_minor_ver || 1773 ssl->major_ver > ssl->conf->max_major_ver || 1774 ssl->minor_ver > ssl->conf->max_minor_ver ) 1775 { 1776 MBEDTLS_SSL_DEBUG_MSG( 1, 1777 ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]", 1778 ssl->conf->min_major_ver, 1779 ssl->conf->min_minor_ver, 1780 ssl->major_ver, ssl->minor_ver, 1781 ssl->conf->max_major_ver, 1782 ssl->conf->max_minor_ver ) ); 1783 1784 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1785 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 1786 1787 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 1788 } 1789 1790 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", 1791 ( (uint32_t) buf[2] << 24 ) | 1792 ( (uint32_t) buf[3] << 16 ) | 1793 ( (uint32_t) buf[4] << 8 ) | 1794 ( (uint32_t) buf[5] ) ) ); 1795 1796 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 1797 1798 n = buf[34]; 1799 1800 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 1801 1802 if( n > 32 ) 1803 { 1804 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1805 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1806 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1807 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1808 } 1809 1810 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 1811 { 1812 ext_len = ( ( buf[38 + n] << 8 ) 1813 | ( buf[39 + n] ) ); 1814 1815 if( ( ext_len > 0 && ext_len < 4 ) || 1816 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 1817 { 1818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1819 mbedtls_ssl_send_alert_message( 1820 ssl, 1821 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1822 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1823 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1824 } 1825 } 1826 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 1827 { 1828 ext_len = 0; 1829 } 1830 else 1831 { 1832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1833 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1834 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1835 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1836 } 1837 1838 /* ciphersuite (used later) */ 1839 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 1840 1841 /* 1842 * Read and check compression 1843 */ 1844 comp = buf[37 + n]; 1845 1846 #if defined(MBEDTLS_ZLIB_SUPPORT) 1847 /* See comments in ssl_write_client_hello() */ 1848 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1849 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1850 accept_comp = 0; 1851 else 1852 #endif 1853 accept_comp = 1; 1854 1855 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 1856 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 1857 #else /* MBEDTLS_ZLIB_SUPPORT */ 1858 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 1859 #endif/* MBEDTLS_ZLIB_SUPPORT */ 1860 { 1861 MBEDTLS_SSL_DEBUG_MSG( 1, 1862 ( "server hello, bad compression: %d", comp ) ); 1863 mbedtls_ssl_send_alert_message( 1864 ssl, 1865 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1866 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1867 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 1868 } 1869 1870 /* 1871 * Initialize update checksum functions 1872 */ 1873 ssl->transform_negotiate->ciphersuite_info = 1874 mbedtls_ssl_ciphersuite_from_id( i ); 1875 1876 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 1877 { 1878 MBEDTLS_SSL_DEBUG_MSG( 1, 1879 ( "ciphersuite info for %04x not found", i ) ); 1880 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1881 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 1882 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 1883 } 1884 1885 mbedtls_ssl_optimize_checksum( ssl, 1886 ssl->transform_negotiate->ciphersuite_info ); 1887 1888 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 1889 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 1890 1891 /* 1892 * Check if the session can be resumed 1893 */ 1894 if( ssl->handshake->resume == 0 || n == 0 || 1895 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1896 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 1897 #endif 1898 ssl->session_negotiate->ciphersuite != i || 1899 ssl->session_negotiate->compression != comp || 1900 ssl->session_negotiate->id_len != n || 1901 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 1902 { 1903 ssl->state++; 1904 ssl->handshake->resume = 0; 1905 #if defined(MBEDTLS_HAVE_TIME) 1906 ssl->session_negotiate->start = mbedtls_time( NULL ); 1907 #endif 1908 ssl->session_negotiate->ciphersuite = i; 1909 ssl->session_negotiate->compression = comp; 1910 ssl->session_negotiate->id_len = n; 1911 memcpy( ssl->session_negotiate->id, buf + 35, n ); 1912 } 1913 else 1914 { 1915 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 1916 1917 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 1918 { 1919 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 1920 mbedtls_ssl_send_alert_message( 1921 ssl, 1922 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1923 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 1924 return( ret ); 1925 } 1926 } 1927 1928 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 1929 ssl->handshake->resume ? "a" : "no" ) ); 1930 1931 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 1932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", 1933 buf[37 + n] ) ); 1934 1935 /* 1936 * Perform cipher suite validation in same way as in ssl_write_client_hello. 1937 */ 1938 i = 0; 1939 while( 1 ) 1940 { 1941 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 1942 { 1943 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1944 mbedtls_ssl_send_alert_message( 1945 ssl, 1946 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1947 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1948 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1949 } 1950 1951 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 1952 ssl->session_negotiate->ciphersuite ) 1953 { 1954 break; 1955 } 1956 } 1957 1958 suite_info = mbedtls_ssl_ciphersuite_from_id( 1959 ssl->session_negotiate->ciphersuite ); 1960 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, 1961 ssl->minor_ver ) != 0 ) 1962 { 1963 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1964 mbedtls_ssl_send_alert_message( 1965 ssl, 1966 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1967 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1968 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1969 } 1970 1971 MBEDTLS_SSL_DEBUG_MSG( 3, 1972 ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 1973 1974 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 1975 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && 1976 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 1977 { 1978 ssl->handshake->ecrs_enabled = 1; 1979 } 1980 #endif 1981 1982 if( comp != MBEDTLS_SSL_COMPRESS_NULL 1983 #if defined(MBEDTLS_ZLIB_SUPPORT) 1984 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 1985 #endif 1986 ) 1987 { 1988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1989 mbedtls_ssl_send_alert_message( 1990 ssl, 1991 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1992 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1993 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1994 } 1995 ssl->session_negotiate->compression = comp; 1996 1997 ext = buf + 40 + n; 1998 1999 MBEDTLS_SSL_DEBUG_MSG( 2, 2000 ( "server hello, total extension length: %d", ext_len ) ); 2001 2002 while( ext_len ) 2003 { 2004 unsigned int ext_id = ( ( ext[0] << 8 ) 2005 | ( ext[1] ) ); 2006 unsigned int ext_size = ( ( ext[2] << 8 ) 2007 | ( ext[3] ) ); 2008 2009 if( ext_size + 4 > ext_len ) 2010 { 2011 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 2012 mbedtls_ssl_send_alert_message( 2013 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2014 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2015 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 2016 } 2017 2018 switch( ext_id ) 2019 { 2020 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 2021 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 2022 #if defined(MBEDTLS_SSL_RENEGOTIATION) 2023 renegotiation_info_seen = 1; 2024 #endif 2025 2026 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 2027 ext_size ) ) != 0 ) 2028 return( ret ); 2029 2030 break; 2031 2032 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 2033 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 2034 MBEDTLS_SSL_DEBUG_MSG( 3, 2035 ( "found max_fragment_length extension" ) ); 2036 2037 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 2038 ext + 4, ext_size ) ) != 0 ) 2039 { 2040 return( ret ); 2041 } 2042 2043 break; 2044 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 2045 2046 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 2047 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 2048 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 2049 2050 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 2051 ext + 4, ext_size ) ) != 0 ) 2052 { 2053 return( ret ); 2054 } 2055 2056 break; 2057 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 2058 2059 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 2060 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 2061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 2062 2063 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 2064 ext + 4, ext_size ) ) != 0 ) 2065 { 2066 return( ret ); 2067 } 2068 2069 break; 2070 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 2071 2072 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 2073 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 2074 MBEDTLS_SSL_DEBUG_MSG( 3, 2075 ( "found extended_master_secret extension" ) ); 2076 2077 if( ( ret = ssl_parse_extended_ms_ext( ssl, 2078 ext + 4, ext_size ) ) != 0 ) 2079 { 2080 return( ret ); 2081 } 2082 2083 break; 2084 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 2085 2086 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2087 case MBEDTLS_TLS_EXT_SESSION_TICKET: 2088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 2089 2090 if( ( ret = ssl_parse_session_ticket_ext( ssl, 2091 ext + 4, ext_size ) ) != 0 ) 2092 { 2093 return( ret ); 2094 } 2095 2096 break; 2097 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2098 2099 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 2100 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2101 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 2102 MBEDTLS_SSL_DEBUG_MSG( 3, 2103 ( "found supported_point_formats extension" ) ); 2104 2105 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 2106 ext + 4, ext_size ) ) != 0 ) 2107 { 2108 return( ret ); 2109 } 2110 2111 break; 2112 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 2113 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2114 2115 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2116 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 2117 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 2118 2119 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 2120 ext + 4, ext_size ) ) != 0 ) 2121 { 2122 return( ret ); 2123 } 2124 2125 break; 2126 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2127 2128 #if defined(MBEDTLS_SSL_ALPN) 2129 case MBEDTLS_TLS_EXT_ALPN: 2130 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 2131 2132 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 2133 return( ret ); 2134 2135 break; 2136 #endif /* MBEDTLS_SSL_ALPN */ 2137 2138 default: 2139 MBEDTLS_SSL_DEBUG_MSG( 3, 2140 ( "unknown extension found: %d (ignoring)", ext_id ) ); 2141 } 2142 2143 ext_len -= 4 + ext_size; 2144 ext += 4 + ext_size; 2145 2146 if( ext_len > 0 && ext_len < 4 ) 2147 { 2148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 2149 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 2150 } 2151 } 2152 2153 /* 2154 * Renegotiation security checks 2155 */ 2156 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 2157 ssl->conf->allow_legacy_renegotiation == 2158 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 2159 { 2160 MBEDTLS_SSL_DEBUG_MSG( 1, 2161 ( "legacy renegotiation, breaking off handshake" ) ); 2162 handshake_failure = 1; 2163 } 2164 #if defined(MBEDTLS_SSL_RENEGOTIATION) 2165 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 2166 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 2167 renegotiation_info_seen == 0 ) 2168 { 2169 MBEDTLS_SSL_DEBUG_MSG( 1, 2170 ( "renegotiation_info extension missing (secure)" ) ); 2171 handshake_failure = 1; 2172 } 2173 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 2174 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 2175 ssl->conf->allow_legacy_renegotiation == 2176 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 2177 { 2178 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 2179 handshake_failure = 1; 2180 } 2181 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 2182 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 2183 renegotiation_info_seen == 1 ) 2184 { 2185 MBEDTLS_SSL_DEBUG_MSG( 1, 2186 ( "renegotiation_info extension present (legacy)" ) ); 2187 handshake_failure = 1; 2188 } 2189 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 2190 2191 if( handshake_failure == 1 ) 2192 { 2193 mbedtls_ssl_send_alert_message( 2194 ssl, 2195 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2196 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2197 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 2198 } 2199 2200 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 2201 2202 return( 0 ); 2203 } 2204 2205 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2206 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 2207 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, 2208 unsigned char **p, 2209 unsigned char *end ) 2210 { 2211 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2212 size_t dhm_actual_bitlen; 2213 2214 /* 2215 * Ephemeral DH parameters: 2216 * 2217 * struct { 2218 * opaque dh_p<1..2^16-1>; 2219 * opaque dh_g<1..2^16-1>; 2220 * opaque dh_Ys<1..2^16-1>; 2221 * } ServerDHParams; 2222 */ 2223 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, 2224 p, end ) ) != 0 ) 2225 { 2226 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 2227 return( ret ); 2228 } 2229 2230 dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P ); 2231 if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen ) 2232 { 2233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u", 2234 (unsigned) dhm_actual_bitlen, 2235 ssl->conf->dhm_min_bitlen ) ); 2236 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2237 } 2238 2239 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 2240 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 2241 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 2242 2243 return( ret ); 2244 } 2245 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2246 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 2247 2248 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2249 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2250 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 2251 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2252 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2253 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 2254 { 2255 const mbedtls_ecp_curve_info *curve_info; 2256 mbedtls_ecp_group_id grp_id; 2257 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) 2258 grp_id = ssl->handshake->ecdh_ctx.grp.id; 2259 #else 2260 grp_id = ssl->handshake->ecdh_ctx.grp_id; 2261 #endif 2262 2263 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id ); 2264 if( curve_info == NULL ) 2265 { 2266 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2267 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2268 } 2269 2270 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 2271 2272 #if defined(MBEDTLS_ECP_C) 2273 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 ) 2274 #else 2275 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 2276 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 2277 #endif 2278 return( -1 ); 2279 2280 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 2281 MBEDTLS_DEBUG_ECDH_QP ); 2282 2283 return( 0 ); 2284 } 2285 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2286 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2287 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 2288 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2289 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2290 2291 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2292 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2293 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 2294 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 2295 unsigned char **p, 2296 unsigned char *end ) 2297 { 2298 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2299 2300 /* 2301 * Ephemeral ECDH parameters: 2302 * 2303 * struct { 2304 * ECParameters curve_params; 2305 * ECPoint public; 2306 * } ServerECDHParams; 2307 */ 2308 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 2309 (const unsigned char **) p, end ) ) != 0 ) 2310 { 2311 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 2312 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 2313 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 2314 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 2315 #endif 2316 return( ret ); 2317 } 2318 2319 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 2320 { 2321 MBEDTLS_SSL_DEBUG_MSG( 1, 2322 ( "bad server key exchange message (ECDHE curve)" ) ); 2323 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2324 } 2325 2326 return( ret ); 2327 } 2328 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2329 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2330 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 2331 2332 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2333 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 2334 unsigned char **p, 2335 unsigned char *end ) 2336 { 2337 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2338 size_t len; 2339 ((void) ssl); 2340 2341 /* 2342 * PSK parameters: 2343 * 2344 * opaque psk_identity_hint<0..2^16-1>; 2345 */ 2346 if( end - (*p) < 2 ) 2347 { 2348 MBEDTLS_SSL_DEBUG_MSG( 1, 2349 ( "bad server key exchange message (psk_identity_hint length)" ) ); 2350 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2351 } 2352 len = (*p)[0] << 8 | (*p)[1]; 2353 *p += 2; 2354 2355 if( end - (*p) < (int) len ) 2356 { 2357 MBEDTLS_SSL_DEBUG_MSG( 1, 2358 ( "bad server key exchange message (psk_identity_hint length)" ) ); 2359 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2360 } 2361 2362 /* 2363 * Note: we currently ignore the PKS identity hint, as we only allow one 2364 * PSK to be provisionned on the client. This could be changed later if 2365 * someone needs that feature. 2366 */ 2367 *p += len; 2368 ret = 0; 2369 2370 return( ret ); 2371 } 2372 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 2373 2374 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 2375 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2376 /* 2377 * Generate a pre-master secret and encrypt it with the server's RSA key 2378 */ 2379 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 2380 size_t offset, size_t *olen, 2381 size_t pms_offset ) 2382 { 2383 int ret; 2384 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 2385 unsigned char *p = ssl->handshake->premaster + pms_offset; 2386 2387 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN ) 2388 { 2389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 2390 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 2391 } 2392 2393 /* 2394 * Generate (part of) the pre-master as 2395 * struct { 2396 * ProtocolVersion client_version; 2397 * opaque random[46]; 2398 * } PreMasterSecret; 2399 */ 2400 mbedtls_ssl_write_version( ssl->conf->max_major_ver, 2401 ssl->conf->max_minor_ver, 2402 ssl->conf->transport, p ); 2403 2404 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 2405 { 2406 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 2407 return( ret ); 2408 } 2409 2410 ssl->handshake->pmslen = 48; 2411 2412 if( ssl->session_negotiate->peer_cert == NULL ) 2413 { 2414 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2415 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2416 } 2417 2418 /* 2419 * Now write it out, encrypted 2420 */ 2421 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 2422 MBEDTLS_PK_RSA ) ) 2423 { 2424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 2425 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2426 } 2427 2428 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 2429 p, ssl->handshake->pmslen, 2430 ssl->out_msg + offset + len_bytes, olen, 2431 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes, 2432 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2433 { 2434 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 2435 return( ret ); 2436 } 2437 2438 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 2439 defined(MBEDTLS_SSL_PROTO_TLS1_2) 2440 if( len_bytes == 2 ) 2441 { 2442 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 2443 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 2444 *olen += 2; 2445 } 2446 #endif 2447 2448 return( 0 ); 2449 } 2450 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 2451 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 2452 2453 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2454 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2455 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2456 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 2457 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 2458 unsigned char **p, 2459 unsigned char *end, 2460 mbedtls_md_type_t *md_alg, 2461 mbedtls_pk_type_t *pk_alg ) 2462 { 2463 ((void) ssl); 2464 *md_alg = MBEDTLS_MD_NONE; 2465 *pk_alg = MBEDTLS_PK_NONE; 2466 2467 /* Only in TLS 1.2 */ 2468 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 2469 { 2470 return( 0 ); 2471 } 2472 2473 if( (*p) + 2 > end ) 2474 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2475 2476 /* 2477 * Get hash algorithm 2478 */ 2479 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) 2480 == MBEDTLS_MD_NONE ) 2481 { 2482 MBEDTLS_SSL_DEBUG_MSG( 1, 2483 ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) ); 2484 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2485 } 2486 2487 /* 2488 * Get signature algorithm 2489 */ 2490 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) 2491 == MBEDTLS_PK_NONE ) 2492 { 2493 MBEDTLS_SSL_DEBUG_MSG( 1, 2494 ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) ); 2495 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2496 } 2497 2498 /* 2499 * Check if the hash is acceptable 2500 */ 2501 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 2502 { 2503 MBEDTLS_SSL_DEBUG_MSG( 1, 2504 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) ); 2505 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2506 } 2507 2508 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", 2509 (*p)[1] ) ); 2510 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", 2511 (*p)[0] ) ); 2512 *p += 2; 2513 2514 return( 0 ); 2515 } 2516 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2517 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2518 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 2519 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2520 2521 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2522 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2523 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 2524 { 2525 int ret; 2526 const mbedtls_ecp_keypair *peer_key; 2527 2528 if( ssl->session_negotiate->peer_cert == NULL ) 2529 { 2530 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2531 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2532 } 2533 2534 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 2535 MBEDTLS_PK_ECKEY ) ) 2536 { 2537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 2538 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2539 } 2540 2541 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 2542 2543 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 2544 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 2545 { 2546 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 2547 return( ret ); 2548 } 2549 2550 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 2551 { 2552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 2553 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 2554 } 2555 2556 return( ret ); 2557 } 2558 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 2559 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2560 2561 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 2562 { 2563 int ret; 2564 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2565 ssl->transform_negotiate->ciphersuite_info; 2566 unsigned char *p = NULL, *end = NULL; 2567 2568 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 2569 2570 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 2571 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 2572 { 2573 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 2574 ssl->state++; 2575 return( 0 ); 2576 } 2577 ((void) p); 2578 ((void) end); 2579 #endif 2580 2581 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2582 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2583 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 2584 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 2585 { 2586 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 2587 { 2588 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 2589 mbedtls_ssl_send_alert_message( 2590 ssl, 2591 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2592 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2593 return( ret ); 2594 } 2595 2596 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 2597 ssl->state++; 2598 return( 0 ); 2599 } 2600 ((void) p); 2601 ((void) end); 2602 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2603 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2604 2605 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 2606 if( ssl->handshake->ecrs_enabled && 2607 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing ) 2608 { 2609 goto start_processing; 2610 } 2611 #endif 2612 2613 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 2614 { 2615 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2616 return( ret ); 2617 } 2618 2619 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2620 { 2621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2622 mbedtls_ssl_send_alert_message( 2623 ssl, 2624 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2625 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2626 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2627 } 2628 2629 /* 2630 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 2631 * doesn't use a psk_identity_hint 2632 */ 2633 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 2634 { 2635 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2636 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2637 { 2638 /* Current message is probably either 2639 * CertificateRequest or ServerHelloDone */ 2640 ssl->keep_current_message = 1; 2641 goto exit; 2642 } 2643 2644 MBEDTLS_SSL_DEBUG_MSG( 1, 2645 ( "server key exchange message must not be skipped" ) ); 2646 mbedtls_ssl_send_alert_message( 2647 ssl, 2648 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2649 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2650 2651 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2652 } 2653 2654 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 2655 if( ssl->handshake->ecrs_enabled ) 2656 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing; 2657 2658 start_processing: 2659 #endif 2660 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 2661 end = ssl->in_msg + ssl->in_hslen; 2662 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 2663 2664 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2665 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2666 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 2667 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 2668 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 2669 { 2670 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 2671 { 2672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2673 mbedtls_ssl_send_alert_message( 2674 ssl, 2675 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2676 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2677 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2678 } 2679 } /* FALLTROUGH */ 2680 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 2681 2682 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 2683 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2684 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2685 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2686 ; /* nothing more to do */ 2687 else 2688 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 2689 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 2690 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2691 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 2692 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 2693 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 2694 { 2695 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 2696 { 2697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2698 mbedtls_ssl_send_alert_message( 2699 ssl, 2700 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2701 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2702 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2703 } 2704 } 2705 else 2706 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2707 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 2708 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2709 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 2710 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 2711 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 2712 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 2713 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 2714 { 2715 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 2716 { 2717 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2718 mbedtls_ssl_send_alert_message( 2719 ssl, 2720 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2721 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2722 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2723 } 2724 } 2725 else 2726 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2727 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 2728 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 2729 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2730 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 2731 { 2732 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 2733 p, end - p ); 2734 if( ret != 0 ) 2735 { 2736 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 2737 mbedtls_ssl_send_alert_message( 2738 ssl, 2739 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2740 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2741 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2742 } 2743 } 2744 else 2745 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2746 { 2747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2748 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2749 } 2750 2751 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 2752 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 2753 { 2754 size_t sig_len, hashlen; 2755 unsigned char hash[64]; 2756 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 2757 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 2758 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 2759 size_t params_len = p - params; 2760 void *rs_ctx = NULL; 2761 2762 /* 2763 * Handle the digitally-signed structure 2764 */ 2765 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2766 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 2767 { 2768 if( ssl_parse_signature_algorithm( ssl, &p, end, 2769 &md_alg, &pk_alg ) != 0 ) 2770 { 2771 MBEDTLS_SSL_DEBUG_MSG( 1, 2772 ( "bad server key exchange message" ) ); 2773 mbedtls_ssl_send_alert_message( 2774 ssl, 2775 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2776 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2777 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2778 } 2779 2780 if( pk_alg != 2781 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 2782 { 2783 MBEDTLS_SSL_DEBUG_MSG( 1, 2784 ( "bad server key exchange message" ) ); 2785 mbedtls_ssl_send_alert_message( 2786 ssl, 2787 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2788 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2789 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2790 } 2791 } 2792 else 2793 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2794 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 2795 defined(MBEDTLS_SSL_PROTO_TLS1_1) 2796 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 2797 { 2798 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 2799 2800 /* Default hash for ECDSA is SHA-1 */ 2801 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 2802 md_alg = MBEDTLS_MD_SHA1; 2803 } 2804 else 2805 #endif 2806 { 2807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2808 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2809 } 2810 2811 /* 2812 * Read signature 2813 */ 2814 2815 if( p > end - 2 ) 2816 { 2817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2818 mbedtls_ssl_send_alert_message( 2819 ssl, 2820 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2821 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2822 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2823 } 2824 sig_len = ( p[0] << 8 ) | p[1]; 2825 p += 2; 2826 2827 if( p != end - sig_len ) 2828 { 2829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2830 mbedtls_ssl_send_alert_message( 2831 ssl, 2832 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2833 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2834 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2835 } 2836 2837 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 2838 2839 /* 2840 * Compute the hash that has been signed 2841 */ 2842 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 2843 defined(MBEDTLS_SSL_PROTO_TLS1_1) 2844 if( md_alg == MBEDTLS_MD_NONE ) 2845 { 2846 hashlen = 36; 2847 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, 2848 params_len ); 2849 if( ret != 0 ) 2850 return( ret ); 2851 } 2852 else 2853 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 2854 MBEDTLS_SSL_PROTO_TLS1_1 */ 2855 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 2856 defined(MBEDTLS_SSL_PROTO_TLS1_2) 2857 if( md_alg != MBEDTLS_MD_NONE ) 2858 { 2859 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, 2860 params, params_len, 2861 md_alg ); 2862 if( ret != 0 ) 2863 return( ret ); 2864 } 2865 else 2866 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 2867 MBEDTLS_SSL_PROTO_TLS1_2 */ 2868 { 2869 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2870 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2871 } 2872 2873 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen ); 2874 2875 if( ssl->session_negotiate->peer_cert == NULL ) 2876 { 2877 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2878 mbedtls_ssl_send_alert_message( 2879 ssl, 2880 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2881 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2882 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2883 } 2884 2885 /* 2886 * Verify signature 2887 */ 2888 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 2889 pk_alg ) ) 2890 { 2891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2892 mbedtls_ssl_send_alert_message( 2893 ssl, 2894 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2895 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2896 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2897 } 2898 2899 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 2900 if( ssl->handshake->ecrs_enabled ) 2901 rs_ctx = &ssl->handshake->ecrs_ctx.pk; 2902 #endif 2903 2904 if( ( ret = mbedtls_pk_verify_restartable( 2905 &ssl->session_negotiate->peer_cert->pk, 2906 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 ) 2907 { 2908 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 2909 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS ) 2910 #endif 2911 mbedtls_ssl_send_alert_message( 2912 ssl, 2913 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2914 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 2915 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 2916 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 2917 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 2918 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 2919 #endif 2920 return( ret ); 2921 } 2922 } 2923 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 2924 2925 exit: 2926 ssl->state++; 2927 2928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 2929 2930 return( 0 ); 2931 } 2932 2933 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 2934 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 2935 { 2936 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2937 ssl->transform_negotiate->ciphersuite_info; 2938 2939 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 2940 2941 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 2942 { 2943 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 2944 ssl->state++; 2945 return( 0 ); 2946 } 2947 2948 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2949 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2950 } 2951 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 2952 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 2953 { 2954 int ret; 2955 unsigned char *buf; 2956 size_t n = 0; 2957 size_t cert_type_len = 0, dn_len = 0; 2958 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2959 ssl->transform_negotiate->ciphersuite_info; 2960 2961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 2962 2963 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 2964 { 2965 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 2966 ssl->state++; 2967 return( 0 ); 2968 } 2969 2970 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 2971 { 2972 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2973 return( ret ); 2974 } 2975 2976 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2977 { 2978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2979 mbedtls_ssl_send_alert_message( 2980 ssl, 2981 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2982 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2983 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2984 } 2985 2986 ssl->state++; 2987 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 2988 2989 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 2990 ssl->client_auth ? "a" : "no" ) ); 2991 2992 if( ssl->client_auth == 0 ) 2993 { 2994 /* Current message is probably the ServerHelloDone */ 2995 ssl->keep_current_message = 1; 2996 goto exit; 2997 } 2998 2999 /* 3000 * struct { 3001 * ClientCertificateType certificate_types<1..2^8-1>; 3002 * SignatureAndHashAlgorithm 3003 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 3004 * DistinguishedName certificate_authorities<0..2^16-1>; 3005 * } CertificateRequest; 3006 * 3007 * Since we only support a single certificate on clients, let's just 3008 * ignore all the information that's supposed to help us pick a 3009 * certificate. 3010 * 3011 * We could check that our certificate matches the request, and bail out 3012 * if it doesn't, but it's simpler to just send the certificate anyway, 3013 * and give the server the opportunity to decide if it should terminate 3014 * the connection when it doesn't like our certificate. 3015 * 3016 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 3017 * point we only have one hash available (see comments in 3018 * write_certificate_verify), so let's just use what we have. 3019 * 3020 * However, we still minimally parse the message to check it is at least 3021 * superficially sane. 3022 */ 3023 buf = ssl->in_msg; 3024 3025 /* certificate_types */ 3026 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) ) 3027 { 3028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 3029 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3030 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3031 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 3032 } 3033 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 3034 n = cert_type_len; 3035 3036 /* 3037 * In the subsequent code there are two paths that read from buf: 3038 * * the length of the signature algorithms field (if minor version of 3039 * SSL is 3), 3040 * * distinguished name length otherwise. 3041 * Both reach at most the index: 3042 * ...hdr_len + 2 + n, 3043 * therefore the buffer length at this point must be greater than that 3044 * regardless of the actual code path. 3045 */ 3046 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 3047 { 3048 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 3049 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3050 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3051 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 3052 } 3053 3054 /* supported_signature_algorithms */ 3055 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3056 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 3057 { 3058 size_t sig_alg_len = 3059 ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 3060 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 3061 #if defined(MBEDTLS_DEBUG_C) 3062 unsigned char* sig_alg; 3063 size_t i; 3064 #endif 3065 3066 /* 3067 * The furthest access in buf is in the loop few lines below: 3068 * sig_alg[i + 1], 3069 * where: 3070 * sig_alg = buf + ...hdr_len + 3 + n, 3071 * max(i) = sig_alg_len - 1. 3072 * Therefore the furthest access is: 3073 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], 3074 * which reduces to: 3075 * buf[...hdr_len + 3 + n + sig_alg_len], 3076 * which is one less than we need the buf to be. 3077 */ 3078 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) 3079 + 3 + n + sig_alg_len ) 3080 { 3081 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 3082 mbedtls_ssl_send_alert_message( 3083 ssl, 3084 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3085 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3086 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 3087 } 3088 3089 #if defined(MBEDTLS_DEBUG_C) 3090 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 3091 for( i = 0; i < sig_alg_len; i += 2 ) 3092 { 3093 MBEDTLS_SSL_DEBUG_MSG( 3, 3094 ( "Supported Signature Algorithm found: %d,%d", 3095 sig_alg[i], sig_alg[i + 1] ) ); 3096 } 3097 #endif 3098 3099 n += 2 + sig_alg_len; 3100 } 3101 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3102 3103 /* certificate_authorities */ 3104 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 3105 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 3106 3107 n += dn_len; 3108 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 3109 { 3110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 3111 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3112 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3113 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 3114 } 3115 3116 exit: 3117 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 3118 3119 return( 0 ); 3120 } 3121 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 3122 3123 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 3124 { 3125 int ret; 3126 3127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 3128 3129 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 3130 { 3131 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 3132 return( ret ); 3133 } 3134 3135 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 3136 { 3137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 3138 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 3139 } 3140 3141 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 3142 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 3143 { 3144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 3145 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3146 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3147 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 3148 } 3149 3150 ssl->state++; 3151 3152 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3153 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 3154 mbedtls_ssl_recv_flight_completed( ssl ); 3155 #endif 3156 3157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 3158 3159 return( 0 ); 3160 } 3161 3162 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 3163 { 3164 int ret; 3165 size_t i, n; 3166 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3167 ssl->transform_negotiate->ciphersuite_info; 3168 3169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 3170 3171 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 3172 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 3173 { 3174 /* 3175 * DHM key exchange -- send G^X mod P 3176 */ 3177 n = ssl->handshake->dhm_ctx.len; 3178 3179 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 3180 ssl->out_msg[5] = (unsigned char)( n ); 3181 i = 6; 3182 3183 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 3184 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 3185 &ssl->out_msg[i], n, 3186 ssl->conf->f_rng, ssl->conf->p_rng ); 3187 if( ret != 0 ) 3188 { 3189 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 3190 return( ret ); 3191 } 3192 3193 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 3194 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 3195 3196 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 3197 ssl->handshake->premaster, 3198 MBEDTLS_PREMASTER_SIZE, 3199 &ssl->handshake->pmslen, 3200 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 3201 { 3202 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 3203 return( ret ); 3204 } 3205 3206 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 3207 } 3208 else 3209 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 3210 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 3211 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 3212 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 3213 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 3214 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 3215 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 3216 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 3217 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 3218 { 3219 /* 3220 * ECDH key exchange -- send client public value 3221 */ 3222 i = 4; 3223 3224 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3225 if( ssl->handshake->ecrs_enabled ) 3226 { 3227 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret ) 3228 goto ecdh_calc_secret; 3229 3230 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx ); 3231 } 3232 #endif 3233 3234 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 3235 &n, 3236 &ssl->out_msg[i], 1000, 3237 ssl->conf->f_rng, ssl->conf->p_rng ); 3238 if( ret != 0 ) 3239 { 3240 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 3241 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3242 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 3243 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 3244 #endif 3245 return( ret ); 3246 } 3247 3248 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 3249 MBEDTLS_DEBUG_ECDH_Q ); 3250 3251 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3252 if( ssl->handshake->ecrs_enabled ) 3253 { 3254 ssl->handshake->ecrs_n = n; 3255 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; 3256 } 3257 3258 ecdh_calc_secret: 3259 if( ssl->handshake->ecrs_enabled ) 3260 n = ssl->handshake->ecrs_n; 3261 #endif 3262 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 3263 &ssl->handshake->pmslen, 3264 ssl->handshake->premaster, 3265 MBEDTLS_MPI_MAX_SIZE, 3266 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 3267 { 3268 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 3269 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3270 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 3271 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 3272 #endif 3273 return( ret ); 3274 } 3275 3276 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 3277 MBEDTLS_DEBUG_ECDH_Z ); 3278 } 3279 else 3280 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 3281 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 3282 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 3283 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 3284 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 3285 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 3286 { 3287 /* 3288 * opaque psk_identity<0..2^16-1>; 3289 */ 3290 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 3291 { 3292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 3293 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 3294 } 3295 3296 i = 4; 3297 n = ssl->conf->psk_identity_len; 3298 3299 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN ) 3300 { 3301 MBEDTLS_SSL_DEBUG_MSG( 1, 3302 ( "psk identity too long or SSL buffer too short" ) ); 3303 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 3304 } 3305 3306 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 3307 ssl->out_msg[i++] = (unsigned char)( n ); 3308 3309 memcpy( ssl->out_msg + i, 3310 ssl->conf->psk_identity, 3311 ssl->conf->psk_identity_len ); 3312 i += ssl->conf->psk_identity_len; 3313 3314 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 3315 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 3316 { 3317 n = 0; 3318 } 3319 else 3320 #endif 3321 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 3322 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 3323 { 3324 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 3325 return( ret ); 3326 } 3327 else 3328 #endif 3329 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 3330 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 3331 { 3332 /* 3333 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 3334 */ 3335 n = ssl->handshake->dhm_ctx.len; 3336 3337 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN ) 3338 { 3339 MBEDTLS_SSL_DEBUG_MSG( 1, 3340 ( "psk identity or DHM size too long or SSL buffer too short" ) ); 3341 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 3342 } 3343 3344 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 3345 ssl->out_msg[i++] = (unsigned char)( n ); 3346 3347 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 3348 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 3349 &ssl->out_msg[i], n, 3350 ssl->conf->f_rng, ssl->conf->p_rng ); 3351 if( ret != 0 ) 3352 { 3353 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 3354 return( ret ); 3355 } 3356 } 3357 else 3358 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 3359 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 3360 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 3361 { 3362 /* 3363 * ClientECDiffieHellmanPublic public; 3364 */ 3365 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 3366 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i, 3367 ssl->conf->f_rng, ssl->conf->p_rng ); 3368 if( ret != 0 ) 3369 { 3370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 3371 return( ret ); 3372 } 3373 3374 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, 3375 MBEDTLS_DEBUG_ECDH_Q ); 3376 } 3377 else 3378 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 3379 { 3380 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3381 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3382 } 3383 3384 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 3385 ciphersuite_info->key_exchange ) ) != 0 ) 3386 { 3387 MBEDTLS_SSL_DEBUG_RET( 1, 3388 "mbedtls_ssl_psk_derive_premaster", ret ); 3389 return( ret ); 3390 } 3391 } 3392 else 3393 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 3394 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 3395 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 3396 { 3397 i = 4; 3398 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 3399 return( ret ); 3400 } 3401 else 3402 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3403 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 3404 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3405 { 3406 i = 4; 3407 3408 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 3409 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n, 3410 ssl->conf->f_rng, ssl->conf->p_rng ); 3411 if( ret != 0 ) 3412 { 3413 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 3414 return( ret ); 3415 } 3416 3417 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 3418 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 3419 ssl->conf->f_rng, ssl->conf->p_rng ); 3420 if( ret != 0 ) 3421 { 3422 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 3423 return( ret ); 3424 } 3425 } 3426 else 3427 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3428 { 3429 ((void) ciphersuite_info); 3430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3431 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3432 } 3433 3434 ssl->out_msglen = i + n; 3435 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3436 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 3437 3438 ssl->state++; 3439 3440 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 3441 { 3442 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 3443 return( ret ); 3444 } 3445 3446 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 3447 3448 return( 0 ); 3449 } 3450 3451 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 3452 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 3453 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 3454 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 3455 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 3456 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 3457 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 3458 { 3459 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3460 ssl->transform_negotiate->ciphersuite_info; 3461 int ret; 3462 3463 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 3464 3465 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 3466 { 3467 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 3468 return( ret ); 3469 } 3470 3471 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 3472 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3473 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 3474 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 3475 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3476 { 3477 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3478 ssl->state++; 3479 return( 0 ); 3480 } 3481 3482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3483 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3484 } 3485 #else 3486 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 3487 { 3488 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3489 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3490 ssl->transform_negotiate->ciphersuite_info; 3491 size_t n = 0, offset = 0; 3492 unsigned char hash[48]; 3493 unsigned char *hash_start = hash; 3494 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 3495 unsigned int hashlen; 3496 void *rs_ctx = NULL; 3497 3498 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 3499 3500 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3501 if( ssl->handshake->ecrs_enabled && 3502 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign ) 3503 { 3504 goto sign; 3505 } 3506 #endif 3507 3508 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 3509 { 3510 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 3511 return( ret ); 3512 } 3513 3514 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 3515 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3516 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 3517 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 3518 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3519 { 3520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3521 ssl->state++; 3522 return( 0 ); 3523 } 3524 3525 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 3526 { 3527 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3528 ssl->state++; 3529 return( 0 ); 3530 } 3531 3532 if( mbedtls_ssl_own_key( ssl ) == NULL ) 3533 { 3534 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 3535 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 3536 } 3537 3538 /* 3539 * Make a signature of the handshake digests 3540 */ 3541 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3542 if( ssl->handshake->ecrs_enabled ) 3543 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign; 3544 3545 sign: 3546 #endif 3547 3548 ssl->handshake->calc_verify( ssl, hash ); 3549 3550 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 3551 defined(MBEDTLS_SSL_PROTO_TLS1_1) 3552 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 3553 { 3554 /* 3555 * digitally-signed struct { 3556 * opaque md5_hash[16]; 3557 * opaque sha_hash[20]; 3558 * }; 3559 * 3560 * md5_hash 3561 * MD5(handshake_messages); 3562 * 3563 * sha_hash 3564 * SHA(handshake_messages); 3565 */ 3566 hashlen = 36; 3567 md_alg = MBEDTLS_MD_NONE; 3568 3569 /* 3570 * For ECDSA, default hash is SHA-1 only 3571 */ 3572 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 3573 { 3574 hash_start += 16; 3575 hashlen -= 16; 3576 md_alg = MBEDTLS_MD_SHA1; 3577 } 3578 } 3579 else 3580 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 3581 MBEDTLS_SSL_PROTO_TLS1_1 */ 3582 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3583 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 3584 { 3585 /* 3586 * digitally-signed struct { 3587 * opaque handshake_messages[handshake_messages_length]; 3588 * }; 3589 * 3590 * Taking shortcut here. We assume that the server always allows the 3591 * PRF Hash function and has sent it in the allowed signature 3592 * algorithms list received in the Certificate Request message. 3593 * 3594 * Until we encounter a server that does not, we will take this 3595 * shortcut. 3596 * 3597 * Reason: Otherwise we should have running hashes for SHA512 and 3598 * SHA224 in order to satisfy 'weird' needs from the server 3599 * side. 3600 */ 3601 if( ssl->transform_negotiate->ciphersuite_info->mac == 3602 MBEDTLS_MD_SHA384 ) 3603 { 3604 md_alg = MBEDTLS_MD_SHA384; 3605 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 3606 } 3607 else 3608 { 3609 md_alg = MBEDTLS_MD_SHA256; 3610 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 3611 } 3612 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 3613 3614 /* Info from md_alg will be used instead */ 3615 hashlen = 0; 3616 offset = 2; 3617 } 3618 else 3619 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3620 { 3621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3622 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3623 } 3624 3625 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3626 if( ssl->handshake->ecrs_enabled ) 3627 rs_ctx = &ssl->handshake->ecrs_ctx.pk; 3628 #endif 3629 3630 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ), 3631 md_alg, hash_start, hashlen, 3632 ssl->out_msg + 6 + offset, &n, 3633 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 ) 3634 { 3635 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 3636 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) 3637 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) 3638 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 3639 #endif 3640 return( ret ); 3641 } 3642 3643 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 3644 ssl->out_msg[5 + offset] = (unsigned char)( n ); 3645 3646 ssl->out_msglen = 6 + n + offset; 3647 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3648 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 3649 3650 ssl->state++; 3651 3652 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 3653 { 3654 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 3655 return( ret ); 3656 } 3657 3658 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 3659 3660 return( ret ); 3661 } 3662 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 3663 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 3664 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 3665 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 3666 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 3667 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 3668 3669 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3670 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 3671 { 3672 int ret; 3673 uint32_t lifetime; 3674 size_t ticket_len; 3675 unsigned char *ticket; 3676 const unsigned char *msg; 3677 3678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 3679 3680 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 3681 { 3682 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 3683 return( ret ); 3684 } 3685 3686 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 3687 { 3688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3689 mbedtls_ssl_send_alert_message( 3690 ssl, 3691 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3692 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 3693 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 3694 } 3695 3696 /* 3697 * struct { 3698 * uint32 ticket_lifetime_hint; 3699 * opaque ticket<0..2^16-1>; 3700 * } NewSessionTicket; 3701 * 3702 * 0 . 3 ticket_lifetime_hint 3703 * 4 . 5 ticket_len (n) 3704 * 6 . 5+n ticket content 3705 */ 3706 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 3707 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 3708 { 3709 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3710 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3711 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3712 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 3713 } 3714 3715 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 3716 3717 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) | 3718 ( msg[2] << 8 ) | ( msg[3] ); 3719 3720 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 3721 3722 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 3723 { 3724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3725 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3726 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3727 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 3728 } 3729 3730 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 3731 3732 /* We're not waiting for a NewSessionTicket message any more */ 3733 ssl->handshake->new_session_ticket = 0; 3734 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 3735 3736 /* 3737 * Zero-length ticket means the server changed his mind and doesn't want 3738 * to send a ticket after all, so just forget it 3739 */ 3740 if( ticket_len == 0 ) 3741 return( 0 ); 3742 3743 mbedtls_platform_zeroize( ssl->session_negotiate->ticket, 3744 ssl->session_negotiate->ticket_len ); 3745 mbedtls_free( ssl->session_negotiate->ticket ); 3746 ssl->session_negotiate->ticket = NULL; 3747 ssl->session_negotiate->ticket_len = 0; 3748 3749 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 3750 { 3751 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 3752 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3753 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 3754 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 3755 } 3756 3757 memcpy( ticket, msg + 6, ticket_len ); 3758 3759 ssl->session_negotiate->ticket = ticket; 3760 ssl->session_negotiate->ticket_len = ticket_len; 3761 ssl->session_negotiate->ticket_lifetime = lifetime; 3762 3763 /* 3764 * RFC 5077 section 3.4: 3765 * "If the client receives a session ticket from the server, then it 3766 * discards any Session ID that was sent in the ServerHello." 3767 */ 3768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 3769 ssl->session_negotiate->id_len = 0; 3770 3771 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 3772 3773 return( 0 ); 3774 } 3775 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3776 3777 /* 3778 * SSL handshake -- client side -- single step 3779 */ 3780 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 3781 { 3782 int ret = 0; 3783 3784 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 3785 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 3786 3787 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 3788 3789 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 3790 return( ret ); 3791 3792 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3793 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3794 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 3795 { 3796 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 3797 return( ret ); 3798 } 3799 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3800 3801 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 3802 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 3803 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3804 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 3805 ssl->handshake->new_session_ticket != 0 ) 3806 { 3807 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 3808 } 3809 #endif 3810 3811 switch( ssl->state ) 3812 { 3813 case MBEDTLS_SSL_HELLO_REQUEST: 3814 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 3815 break; 3816 3817 /* 3818 * ==> ClientHello 3819 */ 3820 case MBEDTLS_SSL_CLIENT_HELLO: 3821 ret = ssl_write_client_hello( ssl ); 3822 break; 3823 3824 /* 3825 * <== ServerHello 3826 * Certificate 3827 * ( ServerKeyExchange ) 3828 * ( CertificateRequest ) 3829 * ServerHelloDone 3830 */ 3831 case MBEDTLS_SSL_SERVER_HELLO: 3832 ret = ssl_parse_server_hello( ssl ); 3833 break; 3834 3835 case MBEDTLS_SSL_SERVER_CERTIFICATE: 3836 ret = mbedtls_ssl_parse_certificate( ssl ); 3837 break; 3838 3839 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 3840 ret = ssl_parse_server_key_exchange( ssl ); 3841 break; 3842 3843 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 3844 ret = ssl_parse_certificate_request( ssl ); 3845 break; 3846 3847 case MBEDTLS_SSL_SERVER_HELLO_DONE: 3848 ret = ssl_parse_server_hello_done( ssl ); 3849 break; 3850 3851 /* 3852 * ==> ( Certificate/Alert ) 3853 * ClientKeyExchange 3854 * ( CertificateVerify ) 3855 * ChangeCipherSpec 3856 * Finished 3857 */ 3858 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 3859 ret = mbedtls_ssl_write_certificate( ssl ); 3860 break; 3861 3862 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 3863 ret = ssl_write_client_key_exchange( ssl ); 3864 break; 3865 3866 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 3867 ret = ssl_write_certificate_verify( ssl ); 3868 break; 3869 3870 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 3871 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 3872 break; 3873 3874 case MBEDTLS_SSL_CLIENT_FINISHED: 3875 ret = mbedtls_ssl_write_finished( ssl ); 3876 break; 3877 3878 /* 3879 * <== ( NewSessionTicket ) 3880 * ChangeCipherSpec 3881 * Finished 3882 */ 3883 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3884 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 3885 ret = ssl_parse_new_session_ticket( ssl ); 3886 break; 3887 #endif 3888 3889 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 3890 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 3891 break; 3892 3893 case MBEDTLS_SSL_SERVER_FINISHED: 3894 ret = mbedtls_ssl_parse_finished( ssl ); 3895 break; 3896 3897 case MBEDTLS_SSL_FLUSH_BUFFERS: 3898 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 3899 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 3900 break; 3901 3902 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 3903 mbedtls_ssl_handshake_wrapup( ssl ); 3904 break; 3905 3906 default: 3907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 3908 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 3909 } 3910 3911 return( ret ); 3912 } 3913 #endif /* MBEDTLS_SSL_CLI_C */ 3914