1 /* 2 * SSLv3/TLSv1 client-side functions 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 24 #if !defined(MBEDTLS_CONFIG_FILE) 25 #include "mbedtls/config.h" 26 #else 27 #include MBEDTLS_CONFIG_FILE 28 #endif 29 30 #if defined(MBEDTLS_SSL_CLI_C) 31 32 #if defined(MBEDTLS_PLATFORM_C) 33 #include "mbedtls/platform.h" 34 #else 35 #include <stdlib.h> 36 #define mbedtls_calloc calloc 37 #define mbedtls_free free 38 #endif 39 40 #include "mbedtls/debug.h" 41 #include "mbedtls/ssl.h" 42 #include "mbedtls/ssl_internal.h" 43 44 #include <string.h> 45 46 #include <stdint.h> 47 48 #if defined(MBEDTLS_HAVE_TIME) 49 #include "mbedtls/platform_time.h" 50 #endif 51 52 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 53 /* Implementation that should never be optimized out by the compiler */ 54 static void mbedtls_zeroize( void *v, size_t n ) { 55 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 56 } 57 #endif 58 59 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 60 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 61 unsigned char *buf, 62 size_t *olen ) 63 { 64 unsigned char *p = buf; 65 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 66 size_t hostname_len; 67 68 *olen = 0; 69 70 if( ssl->hostname == NULL ) 71 return; 72 73 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 74 ssl->hostname ) ); 75 76 hostname_len = strlen( ssl->hostname ); 77 78 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 79 { 80 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 81 return; 82 } 83 84 /* 85 * struct { 86 * NameType name_type; 87 * select (name_type) { 88 * case host_name: HostName; 89 * } name; 90 * } ServerName; 91 * 92 * enum { 93 * host_name(0), (255) 94 * } NameType; 95 * 96 * opaque HostName<1..2^16-1>; 97 * 98 * struct { 99 * ServerName server_name_list<1..2^16-1> 100 * } ServerNameList; 101 */ 102 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 103 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 104 105 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 106 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 107 108 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 109 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 110 111 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 112 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 113 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 114 115 memcpy( p, ssl->hostname, hostname_len ); 116 117 *olen = hostname_len + 9; 118 } 119 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 120 121 #if defined(MBEDTLS_SSL_RENEGOTIATION) 122 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 123 unsigned char *buf, 124 size_t *olen ) 125 { 126 unsigned char *p = buf; 127 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 128 129 *olen = 0; 130 131 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 132 return; 133 134 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 135 136 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 137 { 138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 139 return; 140 } 141 142 /* 143 * Secure renegotiation 144 */ 145 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 146 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 147 148 *p++ = 0x00; 149 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 150 *p++ = ssl->verify_data_len & 0xFF; 151 152 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 153 154 *olen = 5 + ssl->verify_data_len; 155 } 156 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 157 158 /* 159 * Only if we handle at least one key exchange that needs signatures. 160 */ 161 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 162 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 163 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 164 unsigned char *buf, 165 size_t *olen ) 166 { 167 unsigned char *p = buf; 168 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 169 size_t sig_alg_len = 0; 170 const int *md; 171 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 172 unsigned char *sig_alg_list = buf + 6; 173 #endif 174 175 *olen = 0; 176 177 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 178 return; 179 180 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 181 182 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 183 { 184 #if defined(MBEDTLS_ECDSA_C) 185 sig_alg_len += 2; 186 #endif 187 #if defined(MBEDTLS_RSA_C) 188 sig_alg_len += 2; 189 #endif 190 } 191 192 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 193 { 194 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 195 return; 196 } 197 198 /* 199 * Prepare signature_algorithms extension (TLS 1.2) 200 */ 201 sig_alg_len = 0; 202 203 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 204 { 205 #if defined(MBEDTLS_ECDSA_C) 206 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 207 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 208 #endif 209 #if defined(MBEDTLS_RSA_C) 210 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 211 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 212 #endif 213 } 214 215 /* 216 * enum { 217 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 218 * sha512(6), (255) 219 * } HashAlgorithm; 220 * 221 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 222 * SignatureAlgorithm; 223 * 224 * struct { 225 * HashAlgorithm hash; 226 * SignatureAlgorithm signature; 227 * } SignatureAndHashAlgorithm; 228 * 229 * SignatureAndHashAlgorithm 230 * supported_signature_algorithms<2..2^16-2>; 231 */ 232 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 233 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 234 235 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 236 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 237 238 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 239 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 240 241 *olen = 6 + sig_alg_len; 242 } 243 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 244 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 245 246 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 247 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 248 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 249 unsigned char *buf, 250 size_t *olen ) 251 { 252 unsigned char *p = buf; 253 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 254 unsigned char *elliptic_curve_list = p + 6; 255 size_t elliptic_curve_len = 0; 256 const mbedtls_ecp_curve_info *info; 257 #if defined(MBEDTLS_ECP_C) 258 const mbedtls_ecp_group_id *grp_id; 259 #else 260 ((void) ssl); 261 #endif 262 263 *olen = 0; 264 265 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 266 267 #if defined(MBEDTLS_ECP_C) 268 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 269 #else 270 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 271 #endif 272 { 273 #if defined(MBEDTLS_ECP_C) 274 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 275 #endif 276 if( info == NULL ) 277 { 278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 279 return; 280 } 281 282 elliptic_curve_len += 2; 283 } 284 285 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 286 { 287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 288 return; 289 } 290 291 elliptic_curve_len = 0; 292 293 #if defined(MBEDTLS_ECP_C) 294 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 295 #else 296 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 297 #endif 298 { 299 #if defined(MBEDTLS_ECP_C) 300 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 301 #endif 302 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 303 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 304 } 305 306 if( elliptic_curve_len == 0 ) 307 return; 308 309 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 310 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 311 312 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 313 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 314 315 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 316 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 317 318 *olen = 6 + elliptic_curve_len; 319 } 320 321 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 322 unsigned char *buf, 323 size_t *olen ) 324 { 325 unsigned char *p = buf; 326 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 327 328 *olen = 0; 329 330 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 331 332 if( end < p || (size_t)( end - p ) < 6 ) 333 { 334 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 335 return; 336 } 337 338 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 339 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 340 341 *p++ = 0x00; 342 *p++ = 2; 343 344 *p++ = 1; 345 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 346 347 *olen = 6; 348 } 349 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 350 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 351 352 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 353 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 354 unsigned char *buf, 355 size_t *olen ) 356 { 357 int ret; 358 unsigned char *p = buf; 359 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 360 size_t kkpp_len; 361 362 *olen = 0; 363 364 /* Skip costly extension if we can't use EC J-PAKE anyway */ 365 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 366 return; 367 368 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 369 370 if( end - p < 4 ) 371 { 372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 373 return; 374 } 375 376 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 377 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 378 379 /* 380 * We may need to send ClientHello multiple times for Hello verification. 381 * We don't want to compute fresh values every time (both for performance 382 * and consistency reasons), so cache the extension content. 383 */ 384 if( ssl->handshake->ecjpake_cache == NULL || 385 ssl->handshake->ecjpake_cache_len == 0 ) 386 { 387 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 388 389 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 390 p + 2, end - p - 2, &kkpp_len, 391 ssl->conf->f_rng, ssl->conf->p_rng ); 392 if( ret != 0 ) 393 { 394 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 395 return; 396 } 397 398 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 399 if( ssl->handshake->ecjpake_cache == NULL ) 400 { 401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 402 return; 403 } 404 405 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 406 ssl->handshake->ecjpake_cache_len = kkpp_len; 407 } 408 else 409 { 410 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 411 412 kkpp_len = ssl->handshake->ecjpake_cache_len; 413 414 if( (size_t)( end - p - 2 ) < kkpp_len ) 415 { 416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 417 return; 418 } 419 420 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 421 } 422 423 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 424 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 425 426 *olen = kkpp_len + 4; 427 } 428 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 429 430 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 431 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 432 unsigned char *buf, 433 size_t *olen ) 434 { 435 unsigned char *p = buf; 436 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 437 438 *olen = 0; 439 440 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 441 return; 442 } 443 444 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 445 446 if( end < p || (size_t)( end - p ) < 5 ) 447 { 448 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 449 return; 450 } 451 452 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 453 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 454 455 *p++ = 0x00; 456 *p++ = 1; 457 458 *p++ = ssl->conf->mfl_code; 459 460 *olen = 5; 461 } 462 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 463 464 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 465 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 466 unsigned char *buf, size_t *olen ) 467 { 468 unsigned char *p = buf; 469 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 470 471 *olen = 0; 472 473 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 474 { 475 return; 476 } 477 478 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 479 480 if( end < p || (size_t)( end - p ) < 4 ) 481 { 482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 483 return; 484 } 485 486 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 487 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 488 489 *p++ = 0x00; 490 *p++ = 0x00; 491 492 *olen = 4; 493 } 494 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 495 496 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 497 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 498 unsigned char *buf, size_t *olen ) 499 { 500 unsigned char *p = buf; 501 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 502 503 *olen = 0; 504 505 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 506 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 507 { 508 return; 509 } 510 511 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 512 "extension" ) ); 513 514 if( end < p || (size_t)( end - p ) < 4 ) 515 { 516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 517 return; 518 } 519 520 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 521 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 522 523 *p++ = 0x00; 524 *p++ = 0x00; 525 526 *olen = 4; 527 } 528 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 529 530 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 531 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 532 unsigned char *buf, size_t *olen ) 533 { 534 unsigned char *p = buf; 535 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 536 537 *olen = 0; 538 539 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 540 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 541 { 542 return; 543 } 544 545 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 546 "extension" ) ); 547 548 if( end < p || (size_t)( end - p ) < 4 ) 549 { 550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 551 return; 552 } 553 554 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 555 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 556 557 *p++ = 0x00; 558 *p++ = 0x00; 559 560 *olen = 4; 561 } 562 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 563 564 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 565 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 566 unsigned char *buf, size_t *olen ) 567 { 568 unsigned char *p = buf; 569 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 570 size_t tlen = ssl->session_negotiate->ticket_len; 571 572 *olen = 0; 573 574 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 575 { 576 return; 577 } 578 579 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 580 581 if( end < p || (size_t)( end - p ) < 4 + tlen ) 582 { 583 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 584 return; 585 } 586 587 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 588 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 589 590 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 591 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 592 593 *olen = 4; 594 595 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 596 { 597 return; 598 } 599 600 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 601 602 memcpy( p, ssl->session_negotiate->ticket, tlen ); 603 604 *olen += tlen; 605 } 606 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 607 608 #if defined(MBEDTLS_SSL_ALPN) 609 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 610 unsigned char *buf, size_t *olen ) 611 { 612 unsigned char *p = buf; 613 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 614 size_t alpnlen = 0; 615 const char **cur; 616 617 *olen = 0; 618 619 if( ssl->conf->alpn_list == NULL ) 620 { 621 return; 622 } 623 624 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 625 626 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 627 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 628 629 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 630 { 631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 632 return; 633 } 634 635 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 636 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 637 638 /* 639 * opaque ProtocolName<1..2^8-1>; 640 * 641 * struct { 642 * ProtocolName protocol_name_list<2..2^16-1> 643 * } ProtocolNameList; 644 */ 645 646 /* Skip writing extension and list length for now */ 647 p += 4; 648 649 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 650 { 651 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 652 memcpy( p + 1, *cur, *p ); 653 p += 1 + *p; 654 } 655 656 *olen = p - buf; 657 658 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 659 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 660 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 661 662 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 663 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 664 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 665 } 666 #endif /* MBEDTLS_SSL_ALPN */ 667 668 /* 669 * Generate random bytes for ClientHello 670 */ 671 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 672 { 673 int ret; 674 unsigned char *p = ssl->handshake->randbytes; 675 #if defined(MBEDTLS_HAVE_TIME) 676 mbedtls_time_t t; 677 #endif 678 679 /* 680 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 681 */ 682 #if defined(MBEDTLS_SSL_PROTO_DTLS) 683 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 684 ssl->handshake->verify_cookie != NULL ) 685 { 686 return( 0 ); 687 } 688 #endif 689 690 #if defined(MBEDTLS_HAVE_TIME) 691 t = mbedtls_time( NULL ); 692 *p++ = (unsigned char)( t >> 24 ); 693 *p++ = (unsigned char)( t >> 16 ); 694 *p++ = (unsigned char)( t >> 8 ); 695 *p++ = (unsigned char)( t ); 696 697 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 698 #else 699 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 700 return( ret ); 701 702 p += 4; 703 #endif /* MBEDTLS_HAVE_TIME */ 704 705 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 706 return( ret ); 707 708 return( 0 ); 709 } 710 711 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 712 { 713 int ret; 714 size_t i, n, olen, ext_len = 0; 715 unsigned char *buf; 716 unsigned char *p, *q; 717 unsigned char offer_compress; 718 const int *ciphersuites; 719 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 720 721 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 722 723 if( ssl->conf->f_rng == NULL ) 724 { 725 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 726 return( MBEDTLS_ERR_SSL_NO_RNG ); 727 } 728 729 #if defined(MBEDTLS_SSL_RENEGOTIATION) 730 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 731 #endif 732 { 733 ssl->major_ver = ssl->conf->min_major_ver; 734 ssl->minor_ver = ssl->conf->min_minor_ver; 735 } 736 737 if( ssl->conf->max_major_ver == 0 ) 738 { 739 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 740 "consider using mbedtls_ssl_config_defaults()" ) ); 741 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 742 } 743 744 /* 745 * 0 . 0 handshake type 746 * 1 . 3 handshake length 747 * 4 . 5 highest version supported 748 * 6 . 9 current UNIX time 749 * 10 . 37 random bytes 750 */ 751 buf = ssl->out_msg; 752 p = buf + 4; 753 754 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 755 ssl->conf->transport, p ); 756 p += 2; 757 758 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 759 buf[4], buf[5] ) ); 760 761 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 762 { 763 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 764 return( ret ); 765 } 766 767 memcpy( p, ssl->handshake->randbytes, 32 ); 768 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 769 p += 32; 770 771 /* 772 * 38 . 38 session id length 773 * 39 . 39+n session id 774 * 39+n . 39+n DTLS only: cookie length (1 byte) 775 * 40+n . .. DTSL only: cookie 776 * .. . .. ciphersuitelist length (2 bytes) 777 * .. . .. ciphersuitelist 778 * .. . .. compression methods length (1 byte) 779 * .. . .. compression methods 780 * .. . .. extensions length (2 bytes) 781 * .. . .. extensions 782 */ 783 n = ssl->session_negotiate->id_len; 784 785 if( n < 16 || n > 32 || 786 #if defined(MBEDTLS_SSL_RENEGOTIATION) 787 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 788 #endif 789 ssl->handshake->resume == 0 ) 790 { 791 n = 0; 792 } 793 794 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 795 /* 796 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 797 * generate and include a Session ID in the TLS ClientHello." 798 */ 799 #if defined(MBEDTLS_SSL_RENEGOTIATION) 800 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 801 #endif 802 { 803 if( ssl->session_negotiate->ticket != NULL && 804 ssl->session_negotiate->ticket_len != 0 ) 805 { 806 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 807 808 if( ret != 0 ) 809 return( ret ); 810 811 ssl->session_negotiate->id_len = n = 32; 812 } 813 } 814 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 815 816 *p++ = (unsigned char) n; 817 818 for( i = 0; i < n; i++ ) 819 *p++ = ssl->session_negotiate->id[i]; 820 821 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 822 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 823 824 /* 825 * DTLS cookie 826 */ 827 #if defined(MBEDTLS_SSL_PROTO_DTLS) 828 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 829 { 830 if( ssl->handshake->verify_cookie == NULL ) 831 { 832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 833 *p++ = 0; 834 } 835 else 836 { 837 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 838 ssl->handshake->verify_cookie, 839 ssl->handshake->verify_cookie_len ); 840 841 *p++ = ssl->handshake->verify_cookie_len; 842 memcpy( p, ssl->handshake->verify_cookie, 843 ssl->handshake->verify_cookie_len ); 844 p += ssl->handshake->verify_cookie_len; 845 } 846 } 847 #endif 848 849 /* 850 * Ciphersuite list 851 */ 852 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 853 854 /* Skip writing ciphersuite length for now */ 855 n = 0; 856 q = p; 857 p += 2; 858 859 for( i = 0; ciphersuites[i] != 0; i++ ) 860 { 861 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 862 863 if( ciphersuite_info == NULL ) 864 continue; 865 866 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 867 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 868 continue; 869 870 #if defined(MBEDTLS_SSL_PROTO_DTLS) 871 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 872 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 873 continue; 874 #endif 875 876 #if defined(MBEDTLS_ARC4_C) 877 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 878 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 879 continue; 880 #endif 881 882 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 883 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 884 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 885 continue; 886 #endif 887 888 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 889 ciphersuites[i] ) ); 890 891 n++; 892 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 893 *p++ = (unsigned char)( ciphersuites[i] ); 894 } 895 896 /* 897 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 898 */ 899 #if defined(MBEDTLS_SSL_RENEGOTIATION) 900 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 901 #endif 902 { 903 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 904 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 905 n++; 906 } 907 908 /* Some versions of OpenSSL don't handle it correctly if not at end */ 909 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 910 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 911 { 912 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 913 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 914 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 915 n++; 916 } 917 #endif 918 919 *q++ = (unsigned char)( n >> 7 ); 920 *q++ = (unsigned char)( n << 1 ); 921 922 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 923 924 #if defined(MBEDTLS_ZLIB_SUPPORT) 925 offer_compress = 1; 926 #else 927 offer_compress = 0; 928 #endif 929 930 /* 931 * We don't support compression with DTLS right now: is many records come 932 * in the same datagram, uncompressing one could overwrite the next one. 933 * We don't want to add complexity for handling that case unless there is 934 * an actual need for it. 935 */ 936 #if defined(MBEDTLS_SSL_PROTO_DTLS) 937 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 938 offer_compress = 0; 939 #endif 940 941 if( offer_compress ) 942 { 943 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 945 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 946 947 *p++ = 2; 948 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 949 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 950 } 951 else 952 { 953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 954 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 955 MBEDTLS_SSL_COMPRESS_NULL ) ); 956 957 *p++ = 1; 958 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 959 } 960 961 // First write extensions, then the total length 962 // 963 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 964 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 965 ext_len += olen; 966 #endif 967 968 #if defined(MBEDTLS_SSL_RENEGOTIATION) 969 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 970 ext_len += olen; 971 #endif 972 973 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 974 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 975 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 976 ext_len += olen; 977 #endif 978 979 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 980 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 981 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 982 ext_len += olen; 983 984 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 985 ext_len += olen; 986 #endif 987 988 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 989 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 990 ext_len += olen; 991 #endif 992 993 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 994 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 995 ext_len += olen; 996 #endif 997 998 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 999 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 1000 ext_len += olen; 1001 #endif 1002 1003 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1004 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 1005 ext_len += olen; 1006 #endif 1007 1008 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1009 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 1010 ext_len += olen; 1011 #endif 1012 1013 #if defined(MBEDTLS_SSL_ALPN) 1014 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 1015 ext_len += olen; 1016 #endif 1017 1018 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1019 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 1020 ext_len += olen; 1021 #endif 1022 1023 /* olen unused if all extensions are disabled */ 1024 ((void) olen); 1025 1026 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 1027 ext_len ) ); 1028 1029 if( ext_len > 0 ) 1030 { 1031 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 1032 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 1033 p += ext_len; 1034 } 1035 1036 ssl->out_msglen = p - buf; 1037 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 1038 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 1039 1040 ssl->state++; 1041 1042 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1043 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1044 mbedtls_ssl_send_flight_completed( ssl ); 1045 #endif 1046 1047 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 1048 { 1049 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 1050 return( ret ); 1051 } 1052 1053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 1054 1055 return( 0 ); 1056 } 1057 1058 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 1059 const unsigned char *buf, 1060 size_t len ) 1061 { 1062 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1063 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 1064 { 1065 /* Check verify-data in constant-time. The length OTOH is no secret */ 1066 if( len != 1 + ssl->verify_data_len * 2 || 1067 buf[0] != ssl->verify_data_len * 2 || 1068 mbedtls_ssl_safer_memcmp( buf + 1, 1069 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 1070 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 1071 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 1072 { 1073 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 1074 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1075 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1076 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1077 } 1078 } 1079 else 1080 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1081 { 1082 if( len != 1 || buf[0] != 0x00 ) 1083 { 1084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 1085 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1086 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1087 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1088 } 1089 1090 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 1091 } 1092 1093 return( 0 ); 1094 } 1095 1096 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1097 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 1098 const unsigned char *buf, 1099 size_t len ) 1100 { 1101 /* 1102 * server should use the extension only if we did, 1103 * and if so the server's value should match ours (and len is always 1) 1104 */ 1105 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 1106 len != 1 || 1107 buf[0] != ssl->conf->mfl_code ) 1108 { 1109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 1110 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1111 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1112 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1113 } 1114 1115 return( 0 ); 1116 } 1117 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1118 1119 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 1120 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 1121 const unsigned char *buf, 1122 size_t len ) 1123 { 1124 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 1125 len != 0 ) 1126 { 1127 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 1128 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1129 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1130 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1131 } 1132 1133 ((void) buf); 1134 1135 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 1136 1137 return( 0 ); 1138 } 1139 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 1140 1141 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1142 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 1143 const unsigned char *buf, 1144 size_t len ) 1145 { 1146 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 1147 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 1148 len != 0 ) 1149 { 1150 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 1151 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1152 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1153 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1154 } 1155 1156 ((void) buf); 1157 1158 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 1159 1160 return( 0 ); 1161 } 1162 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1163 1164 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1165 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 1166 const unsigned char *buf, 1167 size_t len ) 1168 { 1169 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 1170 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 1171 len != 0 ) 1172 { 1173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 1174 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1175 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1176 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1177 } 1178 1179 ((void) buf); 1180 1181 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 1182 1183 return( 0 ); 1184 } 1185 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1186 1187 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1188 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 1189 const unsigned char *buf, 1190 size_t len ) 1191 { 1192 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 1193 len != 0 ) 1194 { 1195 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 1196 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1197 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1198 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1199 } 1200 1201 ((void) buf); 1202 1203 ssl->handshake->new_session_ticket = 1; 1204 1205 return( 0 ); 1206 } 1207 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1208 1209 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1210 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1211 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 1212 const unsigned char *buf, 1213 size_t len ) 1214 { 1215 size_t list_size; 1216 const unsigned char *p; 1217 1218 list_size = buf[0]; 1219 if( list_size + 1 != len ) 1220 { 1221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1222 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1223 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1224 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1225 } 1226 1227 p = buf + 1; 1228 while( list_size > 0 ) 1229 { 1230 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 1231 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 1232 { 1233 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 1234 ssl->handshake->ecdh_ctx.point_format = p[0]; 1235 #endif 1236 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1237 ssl->handshake->ecjpake_ctx.point_format = p[0]; 1238 #endif 1239 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 1240 return( 0 ); 1241 } 1242 1243 list_size--; 1244 p++; 1245 } 1246 1247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 1248 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1249 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1250 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1251 } 1252 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1253 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1254 1255 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1256 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 1257 const unsigned char *buf, 1258 size_t len ) 1259 { 1260 int ret; 1261 1262 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 1263 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 1264 { 1265 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 1266 return( 0 ); 1267 } 1268 1269 /* If we got here, we no longer need our cached extension */ 1270 mbedtls_free( ssl->handshake->ecjpake_cache ); 1271 ssl->handshake->ecjpake_cache = NULL; 1272 ssl->handshake->ecjpake_cache_len = 0; 1273 1274 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 1275 buf, len ) ) != 0 ) 1276 { 1277 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 1278 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1279 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1280 return( ret ); 1281 } 1282 1283 return( 0 ); 1284 } 1285 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1286 1287 #if defined(MBEDTLS_SSL_ALPN) 1288 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 1289 const unsigned char *buf, size_t len ) 1290 { 1291 size_t list_len, name_len; 1292 const char **p; 1293 1294 /* If we didn't send it, the server shouldn't send it */ 1295 if( ssl->conf->alpn_list == NULL ) 1296 { 1297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 1298 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1299 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1300 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1301 } 1302 1303 /* 1304 * opaque ProtocolName<1..2^8-1>; 1305 * 1306 * struct { 1307 * ProtocolName protocol_name_list<2..2^16-1> 1308 * } ProtocolNameList; 1309 * 1310 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 1311 */ 1312 1313 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 1314 if( len < 4 ) 1315 { 1316 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1317 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1318 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1319 } 1320 1321 list_len = ( buf[0] << 8 ) | buf[1]; 1322 if( list_len != len - 2 ) 1323 { 1324 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1325 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1326 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1327 } 1328 1329 name_len = buf[2]; 1330 if( name_len != list_len - 1 ) 1331 { 1332 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1333 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1334 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1335 } 1336 1337 /* Check that the server chosen protocol was in our list and save it */ 1338 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 1339 { 1340 if( name_len == strlen( *p ) && 1341 memcmp( buf + 3, *p, name_len ) == 0 ) 1342 { 1343 ssl->alpn_chosen = *p; 1344 return( 0 ); 1345 } 1346 } 1347 1348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 1349 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1350 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1351 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1352 } 1353 #endif /* MBEDTLS_SSL_ALPN */ 1354 1355 /* 1356 * Parse HelloVerifyRequest. Only called after verifying the HS type. 1357 */ 1358 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1359 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 1360 { 1361 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 1362 int major_ver, minor_ver; 1363 unsigned char cookie_len; 1364 1365 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 1366 1367 /* 1368 * struct { 1369 * ProtocolVersion server_version; 1370 * opaque cookie<0..2^8-1>; 1371 * } HelloVerifyRequest; 1372 */ 1373 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 1374 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 1375 p += 2; 1376 1377 /* 1378 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 1379 * even is lower than our min version. 1380 */ 1381 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 1382 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 1383 major_ver > ssl->conf->max_major_ver || 1384 minor_ver > ssl->conf->max_minor_ver ) 1385 { 1386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 1387 1388 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1389 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 1390 1391 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 1392 } 1393 1394 cookie_len = *p++; 1395 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 1396 1397 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 1398 { 1399 MBEDTLS_SSL_DEBUG_MSG( 1, 1400 ( "cookie length does not match incoming message size" ) ); 1401 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1402 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1403 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1404 } 1405 1406 mbedtls_free( ssl->handshake->verify_cookie ); 1407 1408 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 1409 if( ssl->handshake->verify_cookie == NULL ) 1410 { 1411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 1412 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 1413 } 1414 1415 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 1416 ssl->handshake->verify_cookie_len = cookie_len; 1417 1418 /* Start over at ClientHello */ 1419 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 1420 mbedtls_ssl_reset_checksum( ssl ); 1421 1422 mbedtls_ssl_recv_flight_completed( ssl ); 1423 1424 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 1425 1426 return( 0 ); 1427 } 1428 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1429 1430 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 1431 { 1432 int ret, i; 1433 size_t n; 1434 size_t ext_len; 1435 unsigned char *buf, *ext; 1436 unsigned char comp; 1437 #if defined(MBEDTLS_ZLIB_SUPPORT) 1438 int accept_comp; 1439 #endif 1440 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1441 int renegotiation_info_seen = 0; 1442 #endif 1443 int handshake_failure = 0; 1444 const mbedtls_ssl_ciphersuite_t *suite_info; 1445 #if defined(MBEDTLS_DEBUG_C) 1446 uint32_t t; 1447 #endif 1448 1449 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 1450 1451 buf = ssl->in_msg; 1452 1453 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 1454 { 1455 /* No alert on a read error. */ 1456 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 1457 return( ret ); 1458 } 1459 1460 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 1461 { 1462 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1463 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 1464 { 1465 ssl->renego_records_seen++; 1466 1467 if( ssl->conf->renego_max_records >= 0 && 1468 ssl->renego_records_seen > ssl->conf->renego_max_records ) 1469 { 1470 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 1471 "but not honored by server" ) ); 1472 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 1473 } 1474 1475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 1476 1477 ssl->keep_current_message = 1; 1478 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 1479 } 1480 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1481 1482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1483 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1484 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 1485 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 1486 } 1487 1488 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1489 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1490 { 1491 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 1492 { 1493 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 1494 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 1495 return( ssl_parse_hello_verify_request( ssl ) ); 1496 } 1497 else 1498 { 1499 /* We made it through the verification process */ 1500 mbedtls_free( ssl->handshake->verify_cookie ); 1501 ssl->handshake->verify_cookie = NULL; 1502 ssl->handshake->verify_cookie_len = 0; 1503 } 1504 } 1505 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1506 1507 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 1508 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 1509 { 1510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1511 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1512 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1513 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1514 } 1515 1516 /* 1517 * 0 . 1 server_version 1518 * 2 . 33 random (maybe including 4 bytes of Unix time) 1519 * 34 . 34 session_id length = n 1520 * 35 . 34+n session_id 1521 * 35+n . 36+n cipher_suite 1522 * 37+n . 37+n compression_method 1523 * 1524 * 38+n . 39+n extensions length (optional) 1525 * 40+n . .. extensions 1526 */ 1527 buf += mbedtls_ssl_hs_hdr_len( ssl ); 1528 1529 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 1530 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 1531 ssl->conf->transport, buf + 0 ); 1532 1533 if( ssl->major_ver < ssl->conf->min_major_ver || 1534 ssl->minor_ver < ssl->conf->min_minor_ver || 1535 ssl->major_ver > ssl->conf->max_major_ver || 1536 ssl->minor_ver > ssl->conf->max_minor_ver ) 1537 { 1538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 1539 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 1540 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 1541 ssl->major_ver, ssl->minor_ver, 1542 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 1543 1544 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1545 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 1546 1547 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 1548 } 1549 1550 #if defined(MBEDTLS_DEBUG_C) 1551 t = ( (uint32_t) buf[2] << 24 ) 1552 | ( (uint32_t) buf[3] << 16 ) 1553 | ( (uint32_t) buf[4] << 8 ) 1554 | ( (uint32_t) buf[5] ); 1555 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 1556 #endif 1557 1558 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 1559 1560 n = buf[34]; 1561 1562 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 1563 1564 if( n > 32 ) 1565 { 1566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1567 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1568 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1569 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1570 } 1571 1572 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 1573 { 1574 ext_len = ( ( buf[38 + n] << 8 ) 1575 | ( buf[39 + n] ) ); 1576 1577 if( ( ext_len > 0 && ext_len < 4 ) || 1578 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 1579 { 1580 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1581 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1582 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1583 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1584 } 1585 } 1586 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 1587 { 1588 ext_len = 0; 1589 } 1590 else 1591 { 1592 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1593 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1594 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1595 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1596 } 1597 1598 /* ciphersuite (used later) */ 1599 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 1600 1601 /* 1602 * Read and check compression 1603 */ 1604 comp = buf[37 + n]; 1605 1606 #if defined(MBEDTLS_ZLIB_SUPPORT) 1607 /* See comments in ssl_write_client_hello() */ 1608 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1609 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1610 accept_comp = 0; 1611 else 1612 #endif 1613 accept_comp = 1; 1614 1615 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 1616 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 1617 #else /* MBEDTLS_ZLIB_SUPPORT */ 1618 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 1619 #endif/* MBEDTLS_ZLIB_SUPPORT */ 1620 { 1621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 1622 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1623 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1624 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 1625 } 1626 1627 /* 1628 * Initialize update checksum functions 1629 */ 1630 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 1631 1632 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 1633 { 1634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 1635 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1636 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 1637 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 1638 } 1639 1640 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 1641 1642 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 1643 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 1644 1645 /* 1646 * Check if the session can be resumed 1647 */ 1648 if( ssl->handshake->resume == 0 || n == 0 || 1649 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1650 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 1651 #endif 1652 ssl->session_negotiate->ciphersuite != i || 1653 ssl->session_negotiate->compression != comp || 1654 ssl->session_negotiate->id_len != n || 1655 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 1656 { 1657 ssl->state++; 1658 ssl->handshake->resume = 0; 1659 #if defined(MBEDTLS_HAVE_TIME) 1660 ssl->session_negotiate->start = mbedtls_time( NULL ); 1661 #endif 1662 ssl->session_negotiate->ciphersuite = i; 1663 ssl->session_negotiate->compression = comp; 1664 ssl->session_negotiate->id_len = n; 1665 memcpy( ssl->session_negotiate->id, buf + 35, n ); 1666 } 1667 else 1668 { 1669 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 1670 1671 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 1672 { 1673 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 1674 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1675 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 1676 return( ret ); 1677 } 1678 } 1679 1680 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 1681 ssl->handshake->resume ? "a" : "no" ) ); 1682 1683 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 1684 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 1685 1686 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 1687 if( suite_info == NULL 1688 #if defined(MBEDTLS_ARC4_C) 1689 || ( ssl->conf->arc4_disabled && 1690 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 1691 #endif 1692 ) 1693 { 1694 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1695 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1696 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1697 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1698 } 1699 1700 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 1701 1702 i = 0; 1703 while( 1 ) 1704 { 1705 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 1706 { 1707 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1708 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1709 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1710 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1711 } 1712 1713 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 1714 ssl->session_negotiate->ciphersuite ) 1715 { 1716 break; 1717 } 1718 } 1719 1720 if( comp != MBEDTLS_SSL_COMPRESS_NULL 1721 #if defined(MBEDTLS_ZLIB_SUPPORT) 1722 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 1723 #endif 1724 ) 1725 { 1726 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1727 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1728 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1729 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1730 } 1731 ssl->session_negotiate->compression = comp; 1732 1733 ext = buf + 40 + n; 1734 1735 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 1736 1737 while( ext_len ) 1738 { 1739 unsigned int ext_id = ( ( ext[0] << 8 ) 1740 | ( ext[1] ) ); 1741 unsigned int ext_size = ( ( ext[2] << 8 ) 1742 | ( ext[3] ) ); 1743 1744 if( ext_size + 4 > ext_len ) 1745 { 1746 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1747 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1748 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1749 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1750 } 1751 1752 switch( ext_id ) 1753 { 1754 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 1755 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 1756 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1757 renegotiation_info_seen = 1; 1758 #endif 1759 1760 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 1761 ext_size ) ) != 0 ) 1762 return( ret ); 1763 1764 break; 1765 1766 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1767 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 1768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 1769 1770 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 1771 ext + 4, ext_size ) ) != 0 ) 1772 { 1773 return( ret ); 1774 } 1775 1776 break; 1777 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1778 1779 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 1780 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 1781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 1782 1783 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 1784 ext + 4, ext_size ) ) != 0 ) 1785 { 1786 return( ret ); 1787 } 1788 1789 break; 1790 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 1791 1792 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1793 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 1794 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 1795 1796 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 1797 ext + 4, ext_size ) ) != 0 ) 1798 { 1799 return( ret ); 1800 } 1801 1802 break; 1803 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1804 1805 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1806 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 1807 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 1808 1809 if( ( ret = ssl_parse_extended_ms_ext( ssl, 1810 ext + 4, ext_size ) ) != 0 ) 1811 { 1812 return( ret ); 1813 } 1814 1815 break; 1816 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1817 1818 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1819 case MBEDTLS_TLS_EXT_SESSION_TICKET: 1820 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 1821 1822 if( ( ret = ssl_parse_session_ticket_ext( ssl, 1823 ext + 4, ext_size ) ) != 0 ) 1824 { 1825 return( ret ); 1826 } 1827 1828 break; 1829 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1830 1831 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1832 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1833 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 1834 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 1835 1836 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 1837 ext + 4, ext_size ) ) != 0 ) 1838 { 1839 return( ret ); 1840 } 1841 1842 break; 1843 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1844 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1845 1846 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1847 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 1848 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 1849 1850 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 1851 ext + 4, ext_size ) ) != 0 ) 1852 { 1853 return( ret ); 1854 } 1855 1856 break; 1857 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1858 1859 #if defined(MBEDTLS_SSL_ALPN) 1860 case MBEDTLS_TLS_EXT_ALPN: 1861 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 1862 1863 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 1864 return( ret ); 1865 1866 break; 1867 #endif /* MBEDTLS_SSL_ALPN */ 1868 1869 default: 1870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 1871 ext_id ) ); 1872 } 1873 1874 ext_len -= 4 + ext_size; 1875 ext += 4 + ext_size; 1876 1877 if( ext_len > 0 && ext_len < 4 ) 1878 { 1879 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1880 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1881 } 1882 } 1883 1884 /* 1885 * Renegotiation security checks 1886 */ 1887 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1888 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 1889 { 1890 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 1891 handshake_failure = 1; 1892 } 1893 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1894 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1895 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 1896 renegotiation_info_seen == 0 ) 1897 { 1898 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 1899 handshake_failure = 1; 1900 } 1901 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1902 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1903 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 1904 { 1905 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 1906 handshake_failure = 1; 1907 } 1908 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1909 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1910 renegotiation_info_seen == 1 ) 1911 { 1912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 1913 handshake_failure = 1; 1914 } 1915 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1916 1917 if( handshake_failure == 1 ) 1918 { 1919 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1920 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1921 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1922 } 1923 1924 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 1925 1926 return( 0 ); 1927 } 1928 1929 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 1930 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 1931 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 1932 unsigned char *end ) 1933 { 1934 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1935 1936 /* 1937 * Ephemeral DH parameters: 1938 * 1939 * struct { 1940 * opaque dh_p<1..2^16-1>; 1941 * opaque dh_g<1..2^16-1>; 1942 * opaque dh_Ys<1..2^16-1>; 1943 * } ServerDHParams; 1944 */ 1945 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 1946 { 1947 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 1948 return( ret ); 1949 } 1950 1951 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 1952 { 1953 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 1954 ssl->handshake->dhm_ctx.len * 8, 1955 ssl->conf->dhm_min_bitlen ) ); 1956 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 1957 } 1958 1959 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 1960 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 1961 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 1962 1963 return( ret ); 1964 } 1965 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 1966 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 1967 1968 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 1969 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 1970 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 1971 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 1972 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 1973 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 1974 { 1975 const mbedtls_ecp_curve_info *curve_info; 1976 1977 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 1978 if( curve_info == NULL ) 1979 { 1980 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1981 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1982 } 1983 1984 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 1985 1986 #if defined(MBEDTLS_ECP_C) 1987 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 1988 #else 1989 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 1990 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 1991 #endif 1992 return( -1 ); 1993 1994 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 1995 1996 return( 0 ); 1997 } 1998 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 1999 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2000 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 2001 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2002 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2003 2004 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2005 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2006 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 2007 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 2008 unsigned char **p, 2009 unsigned char *end ) 2010 { 2011 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2012 2013 /* 2014 * Ephemeral ECDH parameters: 2015 * 2016 * struct { 2017 * ECParameters curve_params; 2018 * ECPoint public; 2019 * } ServerECDHParams; 2020 */ 2021 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 2022 (const unsigned char **) p, end ) ) != 0 ) 2023 { 2024 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 2025 return( ret ); 2026 } 2027 2028 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 2029 { 2030 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 2031 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2032 } 2033 2034 return( ret ); 2035 } 2036 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2037 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2038 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 2039 2040 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2041 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 2042 unsigned char **p, 2043 unsigned char *end ) 2044 { 2045 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2046 size_t len; 2047 ((void) ssl); 2048 2049 /* 2050 * PSK parameters: 2051 * 2052 * opaque psk_identity_hint<0..2^16-1>; 2053 */ 2054 len = (*p)[0] << 8 | (*p)[1]; 2055 *p += 2; 2056 2057 if( (*p) + len > end ) 2058 { 2059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 2060 "(psk_identity_hint length)" ) ); 2061 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2062 } 2063 2064 /* 2065 * Note: we currently ignore the PKS identity hint, as we only allow one 2066 * PSK to be provisionned on the client. This could be changed later if 2067 * someone needs that feature. 2068 */ 2069 *p += len; 2070 ret = 0; 2071 2072 return( ret ); 2073 } 2074 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 2075 2076 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 2077 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2078 /* 2079 * Generate a pre-master secret and encrypt it with the server's RSA key 2080 */ 2081 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 2082 size_t offset, size_t *olen, 2083 size_t pms_offset ) 2084 { 2085 int ret; 2086 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 2087 unsigned char *p = ssl->handshake->premaster + pms_offset; 2088 2089 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 2090 { 2091 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 2092 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 2093 } 2094 2095 /* 2096 * Generate (part of) the pre-master as 2097 * struct { 2098 * ProtocolVersion client_version; 2099 * opaque random[46]; 2100 * } PreMasterSecret; 2101 */ 2102 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 2103 ssl->conf->transport, p ); 2104 2105 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 2106 { 2107 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 2108 return( ret ); 2109 } 2110 2111 ssl->handshake->pmslen = 48; 2112 2113 if( ssl->session_negotiate->peer_cert == NULL ) 2114 { 2115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2116 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2117 } 2118 2119 /* 2120 * Now write it out, encrypted 2121 */ 2122 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 2123 MBEDTLS_PK_RSA ) ) 2124 { 2125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 2126 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2127 } 2128 2129 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 2130 p, ssl->handshake->pmslen, 2131 ssl->out_msg + offset + len_bytes, olen, 2132 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 2133 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2134 { 2135 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 2136 return( ret ); 2137 } 2138 2139 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 2140 defined(MBEDTLS_SSL_PROTO_TLS1_2) 2141 if( len_bytes == 2 ) 2142 { 2143 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 2144 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 2145 *olen += 2; 2146 } 2147 #endif 2148 2149 return( 0 ); 2150 } 2151 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 2152 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 2153 2154 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2155 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2156 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2157 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 2158 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 2159 unsigned char **p, 2160 unsigned char *end, 2161 mbedtls_md_type_t *md_alg, 2162 mbedtls_pk_type_t *pk_alg ) 2163 { 2164 ((void) ssl); 2165 *md_alg = MBEDTLS_MD_NONE; 2166 *pk_alg = MBEDTLS_PK_NONE; 2167 2168 /* Only in TLS 1.2 */ 2169 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 2170 { 2171 return( 0 ); 2172 } 2173 2174 if( (*p) + 2 > end ) 2175 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2176 2177 /* 2178 * Get hash algorithm 2179 */ 2180 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 2181 { 2182 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 2183 "HashAlgorithm %d", *(p)[0] ) ); 2184 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2185 } 2186 2187 /* 2188 * Get signature algorithm 2189 */ 2190 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 2191 { 2192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 2193 "SignatureAlgorithm %d", (*p)[1] ) ); 2194 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2195 } 2196 2197 /* 2198 * Check if the hash is acceptable 2199 */ 2200 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 2201 { 2202 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 2203 *(p)[0] ) ); 2204 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2205 } 2206 2207 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 2208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 2209 *p += 2; 2210 2211 return( 0 ); 2212 } 2213 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2214 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2215 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 2216 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2217 2218 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2219 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2220 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 2221 { 2222 int ret; 2223 const mbedtls_ecp_keypair *peer_key; 2224 2225 if( ssl->session_negotiate->peer_cert == NULL ) 2226 { 2227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2228 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2229 } 2230 2231 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 2232 MBEDTLS_PK_ECKEY ) ) 2233 { 2234 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 2235 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2236 } 2237 2238 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 2239 2240 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 2241 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 2242 { 2243 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 2244 return( ret ); 2245 } 2246 2247 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 2248 { 2249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 2250 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 2251 } 2252 2253 return( ret ); 2254 } 2255 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 2256 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2257 2258 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 2259 { 2260 int ret; 2261 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2262 ssl->transform_negotiate->ciphersuite_info; 2263 unsigned char *p, *end; 2264 2265 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 2266 2267 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 2268 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 2269 { 2270 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 2271 ssl->state++; 2272 return( 0 ); 2273 } 2274 ((void) p); 2275 ((void) end); 2276 #endif 2277 2278 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2279 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2280 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 2281 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 2282 { 2283 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 2284 { 2285 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 2286 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2287 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2288 return( ret ); 2289 } 2290 2291 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 2292 ssl->state++; 2293 return( 0 ); 2294 } 2295 ((void) p); 2296 ((void) end); 2297 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2298 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2299 2300 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 2301 { 2302 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2303 return( ret ); 2304 } 2305 2306 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2307 { 2308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2310 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2311 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2312 } 2313 2314 /* 2315 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 2316 * doesn't use a psk_identity_hint 2317 */ 2318 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 2319 { 2320 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2321 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2322 { 2323 /* Current message is probably either 2324 * CertificateRequest or ServerHelloDone */ 2325 ssl->keep_current_message = 1; 2326 goto exit; 2327 } 2328 2329 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 2330 "not be skipped" ) ); 2331 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2332 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2333 2334 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2335 } 2336 2337 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 2338 end = ssl->in_msg + ssl->in_hslen; 2339 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 2340 2341 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2342 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2343 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 2344 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 2345 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 2346 { 2347 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 2348 { 2349 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2350 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2351 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2352 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2353 } 2354 } /* FALLTROUGH */ 2355 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 2356 2357 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 2358 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2359 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2360 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2361 ; /* nothing more to do */ 2362 else 2363 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 2364 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 2365 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2366 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 2367 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 2368 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 2369 { 2370 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 2371 { 2372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2373 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2374 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2375 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2376 } 2377 } 2378 else 2379 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2380 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 2381 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2382 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 2383 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 2384 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 2385 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 2386 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 2387 { 2388 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 2389 { 2390 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2391 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2392 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2393 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2394 } 2395 } 2396 else 2397 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2398 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 2399 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 2400 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2401 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 2402 { 2403 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 2404 p, end - p ); 2405 if( ret != 0 ) 2406 { 2407 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 2408 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2409 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2410 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2411 } 2412 } 2413 else 2414 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2415 { 2416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2417 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2418 } 2419 2420 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 2421 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 2422 { 2423 size_t sig_len, hashlen; 2424 unsigned char hash[64]; 2425 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 2426 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 2427 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 2428 size_t params_len = p - params; 2429 2430 /* 2431 * Handle the digitally-signed structure 2432 */ 2433 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2434 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 2435 { 2436 if( ssl_parse_signature_algorithm( ssl, &p, end, 2437 &md_alg, &pk_alg ) != 0 ) 2438 { 2439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2440 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2441 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2442 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2443 } 2444 2445 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 2446 { 2447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2448 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2449 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2450 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2451 } 2452 } 2453 else 2454 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2455 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 2456 defined(MBEDTLS_SSL_PROTO_TLS1_1) 2457 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 2458 { 2459 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 2460 2461 /* Default hash for ECDSA is SHA-1 */ 2462 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 2463 md_alg = MBEDTLS_MD_SHA1; 2464 } 2465 else 2466 #endif 2467 { 2468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2469 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2470 } 2471 2472 /* 2473 * Read signature 2474 */ 2475 sig_len = ( p[0] << 8 ) | p[1]; 2476 p += 2; 2477 2478 if( end != p + sig_len ) 2479 { 2480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2481 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2482 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2483 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2484 } 2485 2486 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 2487 2488 /* 2489 * Compute the hash that has been signed 2490 */ 2491 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 2492 defined(MBEDTLS_SSL_PROTO_TLS1_1) 2493 if( md_alg == MBEDTLS_MD_NONE ) 2494 { 2495 mbedtls_md5_context mbedtls_md5; 2496 mbedtls_sha1_context mbedtls_sha1; 2497 2498 mbedtls_md5_init( &mbedtls_md5 ); 2499 mbedtls_sha1_init( &mbedtls_sha1 ); 2500 2501 hashlen = 36; 2502 2503 /* 2504 * digitally-signed struct { 2505 * opaque md5_hash[16]; 2506 * opaque sha_hash[20]; 2507 * }; 2508 * 2509 * md5_hash 2510 * MD5(ClientHello.random + ServerHello.random 2511 * + ServerParams); 2512 * sha_hash 2513 * SHA(ClientHello.random + ServerHello.random 2514 * + ServerParams); 2515 */ 2516 mbedtls_md5_starts( &mbedtls_md5 ); 2517 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 2518 mbedtls_md5_update( &mbedtls_md5, params, params_len ); 2519 mbedtls_md5_finish( &mbedtls_md5, hash ); 2520 2521 mbedtls_sha1_starts( &mbedtls_sha1 ); 2522 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 2523 mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); 2524 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 2525 2526 mbedtls_md5_free( &mbedtls_md5 ); 2527 mbedtls_sha1_free( &mbedtls_sha1 ); 2528 } 2529 else 2530 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 2531 MBEDTLS_SSL_PROTO_TLS1_1 */ 2532 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 2533 defined(MBEDTLS_SSL_PROTO_TLS1_2) 2534 if( md_alg != MBEDTLS_MD_NONE ) 2535 { 2536 mbedtls_md_context_t ctx; 2537 2538 mbedtls_md_init( &ctx ); 2539 2540 /* Info from md_alg will be used instead */ 2541 hashlen = 0; 2542 2543 /* 2544 * digitally-signed struct { 2545 * opaque client_random[32]; 2546 * opaque server_random[32]; 2547 * ServerDHParams params; 2548 * }; 2549 */ 2550 if( ( ret = mbedtls_md_setup( &ctx, 2551 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) 2552 { 2553 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 2554 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2555 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 2556 return( ret ); 2557 } 2558 2559 mbedtls_md_starts( &ctx ); 2560 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 2561 mbedtls_md_update( &ctx, params, params_len ); 2562 mbedtls_md_finish( &ctx, hash ); 2563 mbedtls_md_free( &ctx ); 2564 } 2565 else 2566 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 2567 MBEDTLS_SSL_PROTO_TLS1_2 */ 2568 { 2569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2570 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2571 } 2572 2573 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 2574 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 2575 2576 if( ssl->session_negotiate->peer_cert == NULL ) 2577 { 2578 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2579 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2580 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2581 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2582 } 2583 2584 /* 2585 * Verify signature 2586 */ 2587 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 2588 { 2589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2590 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2591 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2592 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2593 } 2594 2595 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 2596 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 2597 { 2598 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2599 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 2600 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 2601 return( ret ); 2602 } 2603 } 2604 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 2605 2606 exit: 2607 ssl->state++; 2608 2609 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 2610 2611 return( 0 ); 2612 } 2613 2614 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 2615 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 2616 { 2617 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2618 ssl->transform_negotiate->ciphersuite_info; 2619 2620 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 2621 2622 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 2623 { 2624 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 2625 ssl->state++; 2626 return( 0 ); 2627 } 2628 2629 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2630 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2631 } 2632 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 2633 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 2634 { 2635 int ret; 2636 unsigned char *buf; 2637 size_t n = 0; 2638 size_t cert_type_len = 0, dn_len = 0; 2639 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2640 ssl->transform_negotiate->ciphersuite_info; 2641 2642 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 2643 2644 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 2645 { 2646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 2647 ssl->state++; 2648 return( 0 ); 2649 } 2650 2651 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 2652 { 2653 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2654 return( ret ); 2655 } 2656 2657 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2658 { 2659 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2660 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2661 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2662 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2663 } 2664 2665 ssl->state++; 2666 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 2667 2668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 2669 ssl->client_auth ? "a" : "no" ) ); 2670 2671 if( ssl->client_auth == 0 ) 2672 { 2673 /* Current message is probably the ServerHelloDone */ 2674 ssl->keep_current_message = 1; 2675 goto exit; 2676 } 2677 2678 /* 2679 * struct { 2680 * ClientCertificateType certificate_types<1..2^8-1>; 2681 * SignatureAndHashAlgorithm 2682 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 2683 * DistinguishedName certificate_authorities<0..2^16-1>; 2684 * } CertificateRequest; 2685 * 2686 * Since we only support a single certificate on clients, let's just 2687 * ignore all the information that's supposed to help us pick a 2688 * certificate. 2689 * 2690 * We could check that our certificate matches the request, and bail out 2691 * if it doesn't, but it's simpler to just send the certificate anyway, 2692 * and give the server the opportunity to decide if it should terminate 2693 * the connection when it doesn't like our certificate. 2694 * 2695 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 2696 * point we only have one hash available (see comments in 2697 * write_certificate_verify), so let's just use what we have. 2698 * 2699 * However, we still minimally parse the message to check it is at least 2700 * superficially sane. 2701 */ 2702 buf = ssl->in_msg; 2703 2704 /* certificate_types */ 2705 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 2706 n = cert_type_len; 2707 2708 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 2709 { 2710 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2711 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2712 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2713 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 2714 } 2715 2716 /* supported_signature_algorithms */ 2717 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2718 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 2719 { 2720 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 2721 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 2722 #if defined(MBEDTLS_DEBUG_C) 2723 unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 2724 size_t i; 2725 2726 for( i = 0; i < sig_alg_len; i += 2 ) 2727 { 2728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 2729 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 2730 } 2731 #endif 2732 2733 n += 2 + sig_alg_len; 2734 2735 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 2736 { 2737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2738 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2739 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2740 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 2741 } 2742 } 2743 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2744 2745 /* certificate_authorities */ 2746 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 2747 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 2748 2749 n += dn_len; 2750 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 2751 { 2752 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2753 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2754 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2755 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 2756 } 2757 2758 exit: 2759 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 2760 2761 return( 0 ); 2762 } 2763 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 2764 2765 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 2766 { 2767 int ret; 2768 2769 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 2770 2771 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 2772 { 2773 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2774 return( ret ); 2775 } 2776 2777 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2778 { 2779 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 2780 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2781 } 2782 2783 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 2784 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 2785 { 2786 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 2787 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2788 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2789 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 2790 } 2791 2792 ssl->state++; 2793 2794 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2795 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 2796 mbedtls_ssl_recv_flight_completed( ssl ); 2797 #endif 2798 2799 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 2800 2801 return( 0 ); 2802 } 2803 2804 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 2805 { 2806 int ret; 2807 size_t i, n; 2808 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2809 ssl->transform_negotiate->ciphersuite_info; 2810 2811 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 2812 2813 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 2814 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 2815 { 2816 /* 2817 * DHM key exchange -- send G^X mod P 2818 */ 2819 n = ssl->handshake->dhm_ctx.len; 2820 2821 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 2822 ssl->out_msg[5] = (unsigned char)( n ); 2823 i = 6; 2824 2825 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 2826 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 2827 &ssl->out_msg[i], n, 2828 ssl->conf->f_rng, ssl->conf->p_rng ); 2829 if( ret != 0 ) 2830 { 2831 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 2832 return( ret ); 2833 } 2834 2835 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 2836 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 2837 2838 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 2839 ssl->handshake->premaster, 2840 MBEDTLS_PREMASTER_SIZE, 2841 &ssl->handshake->pmslen, 2842 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2843 { 2844 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 2845 return( ret ); 2846 } 2847 2848 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 2849 } 2850 else 2851 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 2852 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2853 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2854 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2855 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2856 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 2857 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 2858 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 2859 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 2860 { 2861 /* 2862 * ECDH key exchange -- send client public value 2863 */ 2864 i = 4; 2865 2866 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 2867 &n, 2868 &ssl->out_msg[i], 1000, 2869 ssl->conf->f_rng, ssl->conf->p_rng ); 2870 if( ret != 0 ) 2871 { 2872 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 2873 return( ret ); 2874 } 2875 2876 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 2877 2878 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 2879 &ssl->handshake->pmslen, 2880 ssl->handshake->premaster, 2881 MBEDTLS_MPI_MAX_SIZE, 2882 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2883 { 2884 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 2885 return( ret ); 2886 } 2887 2888 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 2889 } 2890 else 2891 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2892 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2893 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2894 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2895 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2896 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 2897 { 2898 /* 2899 * opaque psk_identity<0..2^16-1>; 2900 */ 2901 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 2902 { 2903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 2904 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 2905 } 2906 2907 i = 4; 2908 n = ssl->conf->psk_identity_len; 2909 2910 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 2911 { 2912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 2913 "SSL buffer too short" ) ); 2914 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 2915 } 2916 2917 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 2918 ssl->out_msg[i++] = (unsigned char)( n ); 2919 2920 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 2921 i += ssl->conf->psk_identity_len; 2922 2923 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 2924 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 2925 { 2926 n = 0; 2927 } 2928 else 2929 #endif 2930 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2931 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2932 { 2933 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 2934 return( ret ); 2935 } 2936 else 2937 #endif 2938 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 2939 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 2940 { 2941 /* 2942 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 2943 */ 2944 n = ssl->handshake->dhm_ctx.len; 2945 2946 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 2947 { 2948 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 2949 " or SSL buffer too short" ) ); 2950 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 2951 } 2952 2953 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 2954 ssl->out_msg[i++] = (unsigned char)( n ); 2955 2956 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 2957 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 2958 &ssl->out_msg[i], n, 2959 ssl->conf->f_rng, ssl->conf->p_rng ); 2960 if( ret != 0 ) 2961 { 2962 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 2963 return( ret ); 2964 } 2965 } 2966 else 2967 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 2968 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 2969 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 2970 { 2971 /* 2972 * ClientECDiffieHellmanPublic public; 2973 */ 2974 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 2975 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 2976 ssl->conf->f_rng, ssl->conf->p_rng ); 2977 if( ret != 0 ) 2978 { 2979 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 2980 return( ret ); 2981 } 2982 2983 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 2984 } 2985 else 2986 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 2987 { 2988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2989 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2990 } 2991 2992 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 2993 ciphersuite_info->key_exchange ) ) != 0 ) 2994 { 2995 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 2996 return( ret ); 2997 } 2998 } 2999 else 3000 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 3001 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 3002 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 3003 { 3004 i = 4; 3005 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 3006 return( ret ); 3007 } 3008 else 3009 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3010 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 3011 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3012 { 3013 i = 4; 3014 3015 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 3016 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 3017 ssl->conf->f_rng, ssl->conf->p_rng ); 3018 if( ret != 0 ) 3019 { 3020 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 3021 return( ret ); 3022 } 3023 3024 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 3025 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 3026 ssl->conf->f_rng, ssl->conf->p_rng ); 3027 if( ret != 0 ) 3028 { 3029 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 3030 return( ret ); 3031 } 3032 } 3033 else 3034 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3035 { 3036 ((void) ciphersuite_info); 3037 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3038 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3039 } 3040 3041 ssl->out_msglen = i + n; 3042 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3043 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 3044 3045 ssl->state++; 3046 3047 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 3048 { 3049 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 3050 return( ret ); 3051 } 3052 3053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 3054 3055 return( 0 ); 3056 } 3057 3058 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 3059 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 3060 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 3061 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 3062 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 3063 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 3064 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 3065 { 3066 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3067 ssl->transform_negotiate->ciphersuite_info; 3068 int ret; 3069 3070 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 3071 3072 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 3073 { 3074 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 3075 return( ret ); 3076 } 3077 3078 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 3079 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3080 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 3081 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 3082 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3083 { 3084 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3085 ssl->state++; 3086 return( 0 ); 3087 } 3088 3089 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3090 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3091 } 3092 #else 3093 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 3094 { 3095 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3096 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3097 ssl->transform_negotiate->ciphersuite_info; 3098 size_t n = 0, offset = 0; 3099 unsigned char hash[48]; 3100 unsigned char *hash_start = hash; 3101 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 3102 unsigned int hashlen; 3103 3104 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 3105 3106 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 3107 { 3108 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 3109 return( ret ); 3110 } 3111 3112 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 3113 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3114 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 3115 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 3116 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3117 { 3118 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3119 ssl->state++; 3120 return( 0 ); 3121 } 3122 3123 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 3124 { 3125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3126 ssl->state++; 3127 return( 0 ); 3128 } 3129 3130 if( mbedtls_ssl_own_key( ssl ) == NULL ) 3131 { 3132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 3133 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 3134 } 3135 3136 /* 3137 * Make an RSA signature of the handshake digests 3138 */ 3139 ssl->handshake->calc_verify( ssl, hash ); 3140 3141 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 3142 defined(MBEDTLS_SSL_PROTO_TLS1_1) 3143 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 3144 { 3145 /* 3146 * digitally-signed struct { 3147 * opaque md5_hash[16]; 3148 * opaque sha_hash[20]; 3149 * }; 3150 * 3151 * md5_hash 3152 * MD5(handshake_messages); 3153 * 3154 * sha_hash 3155 * SHA(handshake_messages); 3156 */ 3157 hashlen = 36; 3158 md_alg = MBEDTLS_MD_NONE; 3159 3160 /* 3161 * For ECDSA, default hash is SHA-1 only 3162 */ 3163 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 3164 { 3165 hash_start += 16; 3166 hashlen -= 16; 3167 md_alg = MBEDTLS_MD_SHA1; 3168 } 3169 } 3170 else 3171 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 3172 MBEDTLS_SSL_PROTO_TLS1_1 */ 3173 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3174 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 3175 { 3176 /* 3177 * digitally-signed struct { 3178 * opaque handshake_messages[handshake_messages_length]; 3179 * }; 3180 * 3181 * Taking shortcut here. We assume that the server always allows the 3182 * PRF Hash function and has sent it in the allowed signature 3183 * algorithms list received in the Certificate Request message. 3184 * 3185 * Until we encounter a server that does not, we will take this 3186 * shortcut. 3187 * 3188 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 3189 * in order to satisfy 'weird' needs from the server side. 3190 */ 3191 if( ssl->transform_negotiate->ciphersuite_info->mac == 3192 MBEDTLS_MD_SHA384 ) 3193 { 3194 md_alg = MBEDTLS_MD_SHA384; 3195 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 3196 } 3197 else 3198 { 3199 md_alg = MBEDTLS_MD_SHA256; 3200 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 3201 } 3202 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 3203 3204 /* Info from md_alg will be used instead */ 3205 hashlen = 0; 3206 offset = 2; 3207 } 3208 else 3209 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3210 { 3211 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3212 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3213 } 3214 3215 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 3216 ssl->out_msg + 6 + offset, &n, 3217 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 3218 { 3219 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 3220 return( ret ); 3221 } 3222 3223 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 3224 ssl->out_msg[5 + offset] = (unsigned char)( n ); 3225 3226 ssl->out_msglen = 6 + n + offset; 3227 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3228 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 3229 3230 ssl->state++; 3231 3232 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 3233 { 3234 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 3235 return( ret ); 3236 } 3237 3238 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 3239 3240 return( ret ); 3241 } 3242 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 3243 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 3244 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 3245 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 3246 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 3247 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 3248 3249 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3250 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 3251 { 3252 int ret; 3253 uint32_t lifetime; 3254 size_t ticket_len; 3255 unsigned char *ticket; 3256 const unsigned char *msg; 3257 3258 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 3259 3260 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 3261 { 3262 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 3263 return( ret ); 3264 } 3265 3266 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 3267 { 3268 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3269 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3270 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 3271 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 3272 } 3273 3274 /* 3275 * struct { 3276 * uint32 ticket_lifetime_hint; 3277 * opaque ticket<0..2^16-1>; 3278 * } NewSessionTicket; 3279 * 3280 * 0 . 3 ticket_lifetime_hint 3281 * 4 . 5 ticket_len (n) 3282 * 6 . 5+n ticket content 3283 */ 3284 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 3285 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 3286 { 3287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3288 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3289 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3290 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 3291 } 3292 3293 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 3294 3295 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 3296 ( msg[2] << 8 ) | ( msg[3] ); 3297 3298 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 3299 3300 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 3301 { 3302 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3303 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3304 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3305 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 3306 } 3307 3308 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 3309 3310 /* We're not waiting for a NewSessionTicket message any more */ 3311 ssl->handshake->new_session_ticket = 0; 3312 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 3313 3314 /* 3315 * Zero-length ticket means the server changed his mind and doesn't want 3316 * to send a ticket after all, so just forget it 3317 */ 3318 if( ticket_len == 0 ) 3319 return( 0 ); 3320 3321 mbedtls_zeroize( ssl->session_negotiate->ticket, 3322 ssl->session_negotiate->ticket_len ); 3323 mbedtls_free( ssl->session_negotiate->ticket ); 3324 ssl->session_negotiate->ticket = NULL; 3325 ssl->session_negotiate->ticket_len = 0; 3326 3327 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 3328 { 3329 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 3330 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3331 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 3332 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 3333 } 3334 3335 memcpy( ticket, msg + 6, ticket_len ); 3336 3337 ssl->session_negotiate->ticket = ticket; 3338 ssl->session_negotiate->ticket_len = ticket_len; 3339 ssl->session_negotiate->ticket_lifetime = lifetime; 3340 3341 /* 3342 * RFC 5077 section 3.4: 3343 * "If the client receives a session ticket from the server, then it 3344 * discards any Session ID that was sent in the ServerHello." 3345 */ 3346 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 3347 ssl->session_negotiate->id_len = 0; 3348 3349 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 3350 3351 return( 0 ); 3352 } 3353 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3354 3355 /* 3356 * SSL handshake -- client side -- single step 3357 */ 3358 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 3359 { 3360 int ret = 0; 3361 3362 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 3363 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 3364 3365 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 3366 3367 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 3368 return( ret ); 3369 3370 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3371 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3372 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 3373 { 3374 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 3375 return( ret ); 3376 } 3377 #endif 3378 3379 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 3380 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 3381 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3382 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 3383 ssl->handshake->new_session_ticket != 0 ) 3384 { 3385 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 3386 } 3387 #endif 3388 3389 switch( ssl->state ) 3390 { 3391 case MBEDTLS_SSL_HELLO_REQUEST: 3392 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 3393 break; 3394 3395 /* 3396 * ==> ClientHello 3397 */ 3398 case MBEDTLS_SSL_CLIENT_HELLO: 3399 ret = ssl_write_client_hello( ssl ); 3400 break; 3401 3402 /* 3403 * <== ServerHello 3404 * Certificate 3405 * ( ServerKeyExchange ) 3406 * ( CertificateRequest ) 3407 * ServerHelloDone 3408 */ 3409 case MBEDTLS_SSL_SERVER_HELLO: 3410 ret = ssl_parse_server_hello( ssl ); 3411 break; 3412 3413 case MBEDTLS_SSL_SERVER_CERTIFICATE: 3414 ret = mbedtls_ssl_parse_certificate( ssl ); 3415 break; 3416 3417 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 3418 ret = ssl_parse_server_key_exchange( ssl ); 3419 break; 3420 3421 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 3422 ret = ssl_parse_certificate_request( ssl ); 3423 break; 3424 3425 case MBEDTLS_SSL_SERVER_HELLO_DONE: 3426 ret = ssl_parse_server_hello_done( ssl ); 3427 break; 3428 3429 /* 3430 * ==> ( Certificate/Alert ) 3431 * ClientKeyExchange 3432 * ( CertificateVerify ) 3433 * ChangeCipherSpec 3434 * Finished 3435 */ 3436 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 3437 ret = mbedtls_ssl_write_certificate( ssl ); 3438 break; 3439 3440 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 3441 ret = ssl_write_client_key_exchange( ssl ); 3442 break; 3443 3444 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 3445 ret = ssl_write_certificate_verify( ssl ); 3446 break; 3447 3448 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 3449 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 3450 break; 3451 3452 case MBEDTLS_SSL_CLIENT_FINISHED: 3453 ret = mbedtls_ssl_write_finished( ssl ); 3454 break; 3455 3456 /* 3457 * <== ( NewSessionTicket ) 3458 * ChangeCipherSpec 3459 * Finished 3460 */ 3461 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3462 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 3463 ret = ssl_parse_new_session_ticket( ssl ); 3464 break; 3465 #endif 3466 3467 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 3468 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 3469 break; 3470 3471 case MBEDTLS_SSL_SERVER_FINISHED: 3472 ret = mbedtls_ssl_parse_finished( ssl ); 3473 break; 3474 3475 case MBEDTLS_SSL_FLUSH_BUFFERS: 3476 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 3477 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 3478 break; 3479 3480 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 3481 mbedtls_ssl_handshake_wrapup( ssl ); 3482 break; 3483 3484 default: 3485 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 3486 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 3487 } 3488 3489 return( ret ); 3490 } 3491 #endif /* MBEDTLS_SSL_CLI_C */ 3492