1 /*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47 #if !defined(MBEDTLS_CONFIG_FILE)
48 #include "mbedtls/config.h"
49 #else
50 #include MBEDTLS_CONFIG_FILE
51 #endif
52
53 #if defined(MBEDTLS_SSL_CLI_C)
54
55 #if defined(MBEDTLS_PLATFORM_C)
56 #include "mbedtls/platform.h"
57 #else
58 #include <stdlib.h>
59 #define mbedtls_calloc calloc
60 #define mbedtls_free free
61 #endif
62
63 #include "mbedtls/debug.h"
64 #include "mbedtls/ssl.h"
65 #include "mbedtls/ssl_internal.h"
66
67 #include <string.h>
68
69 #include <stdint.h>
70
71 #if defined(MBEDTLS_HAVE_TIME)
72 #include "mbedtls/platform_time.h"
73 #endif
74
75 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
76 #include "mbedtls/platform_util.h"
77 #endif
78
79 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
ssl_write_hostname_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)80 static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
81 unsigned char *buf,
82 const unsigned char *end,
83 size_t *olen )
84 {
85 unsigned char *p = buf;
86 size_t hostname_len;
87
88 *olen = 0;
89
90 if( ssl->hostname == NULL )
91 return( 0 );
92
93 MBEDTLS_SSL_DEBUG_MSG( 3,
94 ( "client hello, adding server name extension: %s",
95 ssl->hostname ) );
96
97 hostname_len = strlen( ssl->hostname );
98
99 MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
100
101 /*
102 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
103 *
104 * In order to provide any of the server names, clients MAY include an
105 * extension of type "server_name" in the (extended) client hello. The
106 * "extension_data" field of this extension SHALL contain
107 * "ServerNameList" where:
108 *
109 * struct {
110 * NameType name_type;
111 * select (name_type) {
112 * case host_name: HostName;
113 * } name;
114 * } ServerName;
115 *
116 * enum {
117 * host_name(0), (255)
118 * } NameType;
119 *
120 * opaque HostName<1..2^16-1>;
121 *
122 * struct {
123 * ServerName server_name_list<1..2^16-1>
124 * } ServerNameList;
125 *
126 */
127 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
128 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
129
130 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
131 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
132
133 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
134 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
135
136 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
137 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
138 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
139
140 memcpy( p, ssl->hostname, hostname_len );
141
142 *olen = hostname_len + 9;
143
144 return( 0 );
145 }
146 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
147
148 #if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)149 static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
150 unsigned char *buf,
151 const unsigned char *end,
152 size_t *olen )
153 {
154 unsigned char *p = buf;
155
156 *olen = 0;
157
158 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
159 * initial ClientHello, in which case also adding the renegotiation
160 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
161 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
162 return( 0 );
163
164 MBEDTLS_SSL_DEBUG_MSG( 3,
165 ( "client hello, adding renegotiation extension" ) );
166
167 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len );
168
169 /*
170 * Secure renegotiation
171 */
172 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
173 & 0xFF );
174 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
175 & 0xFF );
176
177 *p++ = 0x00;
178 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
179 *p++ = ssl->verify_data_len & 0xFF;
180
181 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
182
183 *olen = 5 + ssl->verify_data_len;
184
185 return( 0 );
186 }
187 #endif /* MBEDTLS_SSL_RENEGOTIATION */
188
189 /*
190 * Only if we handle at least one key exchange that needs signatures.
191 */
192 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
193 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
ssl_write_signature_algorithms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)194 static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
195 unsigned char *buf,
196 const unsigned char *end,
197 size_t *olen )
198 {
199 unsigned char *p = buf;
200 size_t sig_alg_len = 0;
201 const int *md;
202
203 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
204 unsigned char *sig_alg_list = buf + 6;
205 #endif
206
207 *olen = 0;
208
209 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
210 return( 0 );
211
212 MBEDTLS_SSL_DEBUG_MSG( 3,
213 ( "client hello, adding signature_algorithms extension" ) );
214
215 if( ssl->conf->sig_hashes == NULL )
216 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
217
218 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
219 {
220 #if defined(MBEDTLS_ECDSA_C)
221 sig_alg_len += 2;
222 #endif
223 #if defined(MBEDTLS_RSA_C)
224 sig_alg_len += 2;
225 #endif
226 if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
227 {
228 MBEDTLS_SSL_DEBUG_MSG( 3,
229 ( "length in bytes of sig-hash-alg extension too big" ) );
230 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
231 }
232 }
233
234 /* Empty signature algorithms list, this is a configuration error. */
235 if( sig_alg_len == 0 )
236 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
237
238 MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
239
240 /*
241 * Prepare signature_algorithms extension (TLS 1.2)
242 */
243 sig_alg_len = 0;
244
245 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
246 {
247 #if defined(MBEDTLS_ECDSA_C)
248 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
249 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
250 #endif
251 #if defined(MBEDTLS_RSA_C)
252 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
253 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
254 #endif
255 }
256
257 /*
258 * enum {
259 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
260 * sha512(6), (255)
261 * } HashAlgorithm;
262 *
263 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
264 * SignatureAlgorithm;
265 *
266 * struct {
267 * HashAlgorithm hash;
268 * SignatureAlgorithm signature;
269 * } SignatureAndHashAlgorithm;
270 *
271 * SignatureAndHashAlgorithm
272 * supported_signature_algorithms<2..2^16-2>;
273 */
274 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
275 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
276
277 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
278 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
279
280 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
281 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
282
283 *olen = 6 + sig_alg_len;
284
285 return( 0 );
286 }
287 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
288 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
289
290 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
291 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_supported_elliptic_curves_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)292 static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
293 unsigned char *buf,
294 const unsigned char *end,
295 size_t *olen )
296 {
297 unsigned char *p = buf;
298 unsigned char *elliptic_curve_list = p + 6;
299 size_t elliptic_curve_len = 0;
300 const mbedtls_ecp_curve_info *info;
301 const mbedtls_ecp_group_id *grp_id;
302
303 *olen = 0;
304
305 MBEDTLS_SSL_DEBUG_MSG( 3,
306 ( "client hello, adding supported_elliptic_curves extension" ) );
307
308 if( ssl->conf->curve_list == NULL )
309 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
310
311 for( grp_id = ssl->conf->curve_list;
312 *grp_id != MBEDTLS_ECP_DP_NONE;
313 grp_id++ )
314 {
315 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
316 if( info == NULL )
317 {
318 MBEDTLS_SSL_DEBUG_MSG( 1,
319 ( "invalid curve in ssl configuration" ) );
320 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
321 }
322 elliptic_curve_len += 2;
323
324 if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
325 {
326 MBEDTLS_SSL_DEBUG_MSG( 3,
327 ( "malformed supported_elliptic_curves extension in config" ) );
328 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
329 }
330 }
331
332 /* Empty elliptic curve list, this is a configuration error. */
333 if( elliptic_curve_len == 0 )
334 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
335
336 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
337
338 elliptic_curve_len = 0;
339
340 for( grp_id = ssl->conf->curve_list;
341 *grp_id != MBEDTLS_ECP_DP_NONE;
342 grp_id++ )
343 {
344 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
345 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
346 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
347 }
348
349 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
350 & 0xFF );
351 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES )
352 & 0xFF );
353
354 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
355 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
356
357 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
358 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
359
360 *olen = 6 + elliptic_curve_len;
361
362 return( 0 );
363 }
364
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)365 static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
366 unsigned char *buf,
367 const unsigned char *end,
368 size_t *olen )
369 {
370 unsigned char *p = buf;
371 (void) ssl; /* ssl used for debugging only */
372
373 *olen = 0;
374
375 MBEDTLS_SSL_DEBUG_MSG( 3,
376 ( "client hello, adding supported_point_formats extension" ) );
377 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
378
379 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
380 & 0xFF );
381 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS )
382 & 0xFF );
383
384 *p++ = 0x00;
385 *p++ = 2;
386
387 *p++ = 1;
388 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
389
390 *olen = 6;
391
392 return( 0 );
393 }
394 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
395 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
396
397 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)398 static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
399 unsigned char *buf,
400 const unsigned char *end,
401 size_t *olen )
402 {
403 int ret;
404 unsigned char *p = buf;
405 size_t kkpp_len;
406
407 *olen = 0;
408
409 /* Skip costly extension if we can't use EC J-PAKE anyway */
410 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
411 return( 0 );
412
413 MBEDTLS_SSL_DEBUG_MSG( 3,
414 ( "client hello, adding ecjpake_kkpp extension" ) );
415
416 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
417
418 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
419 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
420
421 /*
422 * We may need to send ClientHello multiple times for Hello verification.
423 * We don't want to compute fresh values every time (both for performance
424 * and consistency reasons), so cache the extension content.
425 */
426 if( ssl->handshake->ecjpake_cache == NULL ||
427 ssl->handshake->ecjpake_cache_len == 0 )
428 {
429 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
430
431 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
432 p + 2, end - p - 2, &kkpp_len,
433 ssl->conf->f_rng, ssl->conf->p_rng );
434 if( ret != 0 )
435 {
436 MBEDTLS_SSL_DEBUG_RET( 1 ,
437 "mbedtls_ecjpake_write_round_one", ret );
438 return( ret );
439 }
440
441 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
442 if( ssl->handshake->ecjpake_cache == NULL )
443 {
444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
445 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
446 }
447
448 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
449 ssl->handshake->ecjpake_cache_len = kkpp_len;
450 }
451 else
452 {
453 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
454
455 kkpp_len = ssl->handshake->ecjpake_cache_len;
456 MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
457
458 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
459 }
460
461 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
462 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
463
464 *olen = kkpp_len + 4;
465
466 return( 0 );
467 }
468 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
469
470 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)471 static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
472 unsigned char *buf,
473 const unsigned char *end,
474 size_t *olen )
475 {
476 unsigned char *p = buf;
477
478 *olen = 0;
479
480 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
481 return( 0 );
482
483 MBEDTLS_SSL_DEBUG_MSG( 3,
484 ( "client hello, adding max_fragment_length extension" ) );
485
486 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
487
488 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
489 & 0xFF );
490 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
491 & 0xFF );
492
493 *p++ = 0x00;
494 *p++ = 1;
495
496 *p++ = ssl->conf->mfl_code;
497
498 *olen = 5;
499
500 return( 0 );
501 }
502 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
503
504 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl_write_truncated_hmac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)505 static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
506 unsigned char *buf,
507 const unsigned char *end,
508 size_t *olen )
509 {
510 unsigned char *p = buf;
511
512 *olen = 0;
513
514 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
515 return( 0 );
516
517 MBEDTLS_SSL_DEBUG_MSG( 3,
518 ( "client hello, adding truncated_hmac extension" ) );
519
520 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
521
522 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
523 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
524
525 *p++ = 0x00;
526 *p++ = 0x00;
527
528 *olen = 4;
529
530 return( 0 );
531 }
532 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
533
534 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)535 static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
536 unsigned char *buf,
537 const unsigned char *end,
538 size_t *olen )
539 {
540 unsigned char *p = buf;
541
542 *olen = 0;
543
544 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
545 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
546 return( 0 );
547
548 MBEDTLS_SSL_DEBUG_MSG( 3,
549 ( "client hello, adding encrypt_then_mac extension" ) );
550
551 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
552
553 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
554 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
555
556 *p++ = 0x00;
557 *p++ = 0x00;
558
559 *olen = 4;
560
561 return( 0 );
562 }
563 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
564
565 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)566 static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
567 unsigned char *buf,
568 const unsigned char *end,
569 size_t *olen )
570 {
571 unsigned char *p = buf;
572
573 *olen = 0;
574
575 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
576 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
577 return( 0 );
578
579 MBEDTLS_SSL_DEBUG_MSG( 3,
580 ( "client hello, adding extended_master_secret extension" ) );
581
582 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
583
584 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
585 & 0xFF );
586 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET )
587 & 0xFF );
588
589 *p++ = 0x00;
590 *p++ = 0x00;
591
592 *olen = 4;
593
594 return( 0 );
595 }
596 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
597
598 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)599 static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
600 unsigned char *buf,
601 const unsigned char *end,
602 size_t *olen )
603 {
604 unsigned char *p = buf;
605 size_t tlen = ssl->session_negotiate->ticket_len;
606
607 *olen = 0;
608
609 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
610 return( 0 );
611
612 MBEDTLS_SSL_DEBUG_MSG( 3,
613 ( "client hello, adding session ticket extension" ) );
614
615 /* The addition is safe here since the ticket length is 16 bit. */
616 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
617
618 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
619 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
620
621 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
622 *p++ = (unsigned char)( ( tlen ) & 0xFF );
623
624 *olen = 4;
625
626 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
627 return( 0 );
628
629 MBEDTLS_SSL_DEBUG_MSG( 3,
630 ( "sending session ticket of length %d", tlen ) );
631
632 memcpy( p, ssl->session_negotiate->ticket, tlen );
633
634 *olen += tlen;
635
636 return( 0 );
637 }
638 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
639
640 #if defined(MBEDTLS_SSL_ALPN)
ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * olen)641 static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
642 unsigned char *buf,
643 const unsigned char *end,
644 size_t *olen )
645 {
646 unsigned char *p = buf;
647 size_t alpnlen = 0;
648 const char **cur;
649
650 *olen = 0;
651
652 if( ssl->conf->alpn_list == NULL )
653 return( 0 );
654
655 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
656
657 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
658 alpnlen += strlen( *cur ) + 1;
659
660 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
661
662 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
663 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
664
665 /*
666 * opaque ProtocolName<1..2^8-1>;
667 *
668 * struct {
669 * ProtocolName protocol_name_list<2..2^16-1>
670 * } ProtocolNameList;
671 */
672
673 /* Skip writing extension and list length for now */
674 p += 4;
675
676 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
677 {
678 /*
679 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
680 * protocol names is less than 255.
681 */
682 *p = (unsigned char)strlen( *cur );
683 memcpy( p + 1, *cur, *p );
684 p += 1 + *p;
685 }
686
687 *olen = p - buf;
688
689 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
690 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
691 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
692
693 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
694 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
695 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
696
697 return( 0 );
698 }
699 #endif /* MBEDTLS_SSL_ALPN */
700
701 #if defined (MBEDTLS_SSL_DTLS_SRTP)
ssl_write_use_srtp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)702 static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
703 unsigned char *buf, size_t *olen )
704 {
705 unsigned char *p = buf;
706 size_t protection_profiles_index = 0;
707
708 *olen = 0;
709
710 if( (ssl->conf->dtls_srtp_profiles_list == NULL) || (ssl->conf->dtls_srtp_profiles_list_len == 0) )
711 {
712 return;
713 }
714
715 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding use_srtp extension" ) );
716
717 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
718 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
719
720 /* RFC5764 section 4.1.1
721 * uint8 SRTPProtectionProfile[2];
722 *
723 * struct {
724 * SRTPProtectionProfiles SRTPProtectionProfiles;
725 * opaque srtp_mki<0..255>;
726 * } UseSRTPData;
727
728 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
729 *
730 * Note: srtp_mki is not supported
731 */
732
733 /* Extension length = 2bytes for profiles lenght, ssl->conf->dtls_srtp_profiles_list_len*2 (each profile is 2 bytes length ) + 1 byte for the non implemented srtp_mki vector length (always 0) */
734 *p++ = (unsigned char)( ( ( 2 + 2*(ssl->conf->dtls_srtp_profiles_list_len) + 1 ) >> 8 ) & 0xFF );
735 *p++ = (unsigned char)( ( ( 2 + 2*(ssl->conf->dtls_srtp_profiles_list_len) + 1 ) ) & 0xFF );
736
737
738 /* protection profile length: 2*(ssl->conf->dtls_srtp_profiles_list_len) */
739 *p++ = (unsigned char)( ( ( 2*(ssl->conf->dtls_srtp_profiles_list_len) ) >> 8 ) & 0xFF );
740 *p++ = (unsigned char)( ( 2*(ssl->conf->dtls_srtp_profiles_list_len) ) & 0xFF );
741
742 for( protection_profiles_index=0; protection_profiles_index < ssl->conf->dtls_srtp_profiles_list_len; protection_profiles_index++ )
743 {
744 switch (ssl->conf->dtls_srtp_profiles_list[protection_profiles_index]) {
745 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
746 *p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) >> 8 ) & 0xFF);
747 *p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) & 0xFF);
748 break;
749 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
750 *p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) >> 8 ) & 0xFF);
751 *p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) & 0xFF);
752 break;
753 case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
754 *p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) >> 8 ) & 0xFF);
755 *p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) & 0xFF);
756 break;
757 case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
758 *p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) >> 8 ) & 0xFF);
759 *p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) & 0xFF);
760 break;
761 default:
762 /* Note: we shall never arrive here as protection profiles is checked by ssl_set_dtls_srtp_protection_profiles function */
763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello, ignore illegal DTLS-SRTP protection profile %d", ssl->conf->dtls_srtp_profiles_list[protection_profiles_index]) );
764 break;
765 }
766 }
767
768 *p++ = 0x00; /* non implemented srtp_mki vector length is always 0 */
769 /* total extension length: extension type (2 bytes) + extension length (2 bytes) + protection profile length (2 bytes) + 2*nb protection profiles + srtp_mki vector length(1 byte)*/
770 *olen = 2 + 2 + 2 + 2*(ssl->conf->dtls_srtp_profiles_list_len) + 1;
771 }
772 #endif /* MBEDTLS_SSL_DTLS_SRTP */
773
774 /*
775 * Generate random bytes for ClientHello
776 */
ssl_generate_random(mbedtls_ssl_context * ssl)777 static int ssl_generate_random( mbedtls_ssl_context *ssl )
778 {
779 int ret;
780 unsigned char *p = ssl->handshake->randbytes;
781 #if defined(MBEDTLS_HAVE_TIME)
782 mbedtls_time_t t;
783 #endif
784
785 /*
786 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
787 */
788 #if defined(MBEDTLS_SSL_PROTO_DTLS)
789 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
790 ssl->handshake->verify_cookie != NULL )
791 {
792 return( 0 );
793 }
794 #endif
795
796 #if defined(MBEDTLS_HAVE_TIME)
797 t = mbedtls_time( NULL );
798 *p++ = (unsigned char)( t >> 24 );
799 *p++ = (unsigned char)( t >> 16 );
800 *p++ = (unsigned char)( t >> 8 );
801 *p++ = (unsigned char)( t );
802
803 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
804 #else
805 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
806 return( ret );
807
808 p += 4;
809 #endif /* MBEDTLS_HAVE_TIME */
810
811 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
812 return( ret );
813
814 return( 0 );
815 }
816
817 /**
818 * \brief Validate cipher suite against config in SSL context.
819 *
820 * \param suite_info cipher suite to validate
821 * \param ssl SSL context
822 * \param min_minor_ver Minimal minor version to accept a cipher suite
823 * \param max_minor_ver Maximal minor version to accept a cipher suite
824 *
825 * \return 0 if valid, else 1
826 */
ssl_validate_ciphersuite(const mbedtls_ssl_ciphersuite_t * suite_info,const mbedtls_ssl_context * ssl,int min_minor_ver,int max_minor_ver)827 static int ssl_validate_ciphersuite(
828 const mbedtls_ssl_ciphersuite_t * suite_info,
829 const mbedtls_ssl_context * ssl,
830 int min_minor_ver, int max_minor_ver )
831 {
832 (void) ssl;
833 if( suite_info == NULL )
834 return( 1 );
835
836 if( suite_info->min_minor_ver > max_minor_ver ||
837 suite_info->max_minor_ver < min_minor_ver )
838 return( 1 );
839
840 #if defined(MBEDTLS_SSL_PROTO_DTLS)
841 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
842 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
843 return( 1 );
844 #endif
845
846 #if defined(MBEDTLS_ARC4_C)
847 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
848 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
849 return( 1 );
850 #endif
851
852 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
853 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
854 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
855 return( 1 );
856 #endif
857
858 return( 0 );
859 }
860
ssl_write_client_hello(mbedtls_ssl_context * ssl)861 static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
862 {
863 int ret;
864 size_t i, n, olen, ext_len = 0;
865
866 unsigned char *buf;
867 unsigned char *p, *q;
868 const unsigned char *end;
869
870 unsigned char offer_compress;
871 const int *ciphersuites;
872 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
873 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
874 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
875 int uses_ec = 0;
876 #endif
877
878 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
879
880 if( ssl->conf->f_rng == NULL )
881 {
882 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
883 return( MBEDTLS_ERR_SSL_NO_RNG );
884 }
885
886 #if defined(MBEDTLS_SSL_RENEGOTIATION)
887 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
888 #endif
889 {
890 ssl->major_ver = ssl->conf->min_major_ver;
891 ssl->minor_ver = ssl->conf->min_minor_ver;
892 }
893
894 if( ssl->conf->max_major_ver == 0 )
895 {
896 MBEDTLS_SSL_DEBUG_MSG( 1,
897 ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
898 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
899 }
900
901 buf = ssl->out_msg;
902 end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
903
904 /*
905 * Check if there's enough space for the first part of the ClientHello
906 * consisting of the 38 bytes described below, the session identifier (at
907 * most 32 bytes) and its length (1 byte).
908 *
909 * Use static upper bounds instead of the actual values
910 * to allow the compiler to optimize this away.
911 */
912 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
913
914 /*
915 * The 38 first bytes of the ClientHello:
916 * 0 . 0 handshake type (written later)
917 * 1 . 3 handshake length (written later)
918 * 4 . 5 highest version supported
919 * 6 . 9 current UNIX time
920 * 10 . 37 random bytes
921 *
922 * The current UNIX time (4 bytes) and following 28 random bytes are written
923 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
924 * copied from there into the output buffer.
925 */
926
927 p = buf + 4;
928 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
929 ssl->conf->max_minor_ver,
930 ssl->conf->transport, p );
931 p += 2;
932
933 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
934 buf[4], buf[5] ) );
935
936 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
937 {
938 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
939 return( ret );
940 }
941
942 memcpy( p, ssl->handshake->randbytes, 32 );
943 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
944 p += 32;
945
946 /*
947 * 38 . 38 session id length
948 * 39 . 39+n session id
949 * 39+n . 39+n DTLS only: cookie length (1 byte)
950 * 40+n . .. DTLS only: cookie
951 * .. . .. ciphersuitelist length (2 bytes)
952 * .. . .. ciphersuitelist
953 * .. . .. compression methods length (1 byte)
954 * .. . .. compression methods
955 * .. . .. extensions length (2 bytes)
956 * .. . .. extensions
957 */
958 n = ssl->session_negotiate->id_len;
959
960 if( n < 16 || n > 32 ||
961 #if defined(MBEDTLS_SSL_RENEGOTIATION)
962 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
963 #endif
964 ssl->handshake->resume == 0 )
965 {
966 n = 0;
967 }
968
969 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
970 /*
971 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
972 * generate and include a Session ID in the TLS ClientHello."
973 */
974 #if defined(MBEDTLS_SSL_RENEGOTIATION)
975 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
976 #endif
977 {
978 if( ssl->session_negotiate->ticket != NULL &&
979 ssl->session_negotiate->ticket_len != 0 )
980 {
981 ret = ssl->conf->f_rng( ssl->conf->p_rng,
982 ssl->session_negotiate->id, 32 );
983
984 if( ret != 0 )
985 return( ret );
986
987 ssl->session_negotiate->id_len = n = 32;
988 }
989 }
990 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
991
992 /*
993 * The first check of the output buffer size above (
994 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
995 * has checked that there is enough space in the output buffer for the
996 * session identifier length byte and the session identifier (n <= 32).
997 */
998 *p++ = (unsigned char) n;
999
1000 for( i = 0; i < n; i++ )
1001 *p++ = ssl->session_negotiate->id[i];
1002
1003 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
1004 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
1005
1006 /*
1007 * With 'n' being the length of the session identifier
1008 *
1009 * 39+n . 39+n DTLS only: cookie length (1 byte)
1010 * 40+n . .. DTLS only: cookie
1011 * .. . .. ciphersuitelist length (2 bytes)
1012 * .. . .. ciphersuitelist
1013 * .. . .. compression methods length (1 byte)
1014 * .. . .. compression methods
1015 * .. . .. extensions length (2 bytes)
1016 * .. . .. extensions
1017 */
1018
1019 /*
1020 * DTLS cookie
1021 */
1022 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1023 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1024 {
1025 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
1026
1027 if( ssl->handshake->verify_cookie == NULL )
1028 {
1029 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
1030 *p++ = 0;
1031 }
1032 else
1033 {
1034 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1035 ssl->handshake->verify_cookie,
1036 ssl->handshake->verify_cookie_len );
1037
1038 *p++ = ssl->handshake->verify_cookie_len;
1039
1040 MBEDTLS_SSL_CHK_BUF_PTR( p, end,
1041 ssl->handshake->verify_cookie_len );
1042 memcpy( p, ssl->handshake->verify_cookie,
1043 ssl->handshake->verify_cookie_len );
1044 p += ssl->handshake->verify_cookie_len;
1045 }
1046 }
1047 #endif
1048
1049 /*
1050 * Ciphersuite list
1051 */
1052 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1053
1054 /* Skip writing ciphersuite length for now */
1055 n = 0;
1056 q = p;
1057
1058 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1059 p += 2;
1060
1061 for( i = 0; ciphersuites[i] != 0; i++ )
1062 {
1063 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
1064
1065 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1066 ssl->conf->min_minor_ver,
1067 ssl->conf->max_minor_ver ) != 0 )
1068 continue;
1069
1070 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
1071 ciphersuites[i] ) );
1072
1073 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1074 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1075 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1076 #endif
1077
1078 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1079
1080 n++;
1081 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
1082 *p++ = (unsigned char)( ciphersuites[i] );
1083 }
1084
1085 MBEDTLS_SSL_DEBUG_MSG( 3,
1086 ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
1087
1088 /*
1089 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1090 */
1091 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1092 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1093 #endif
1094 {
1095 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
1096 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1097 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1098 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
1099 n++;
1100 }
1101
1102 /* Some versions of OpenSSL don't handle it correctly if not at end */
1103 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1104 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
1105 {
1106 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1107
1108 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1109 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1110 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
1111 n++;
1112 }
1113 #endif
1114
1115 *q++ = (unsigned char)( n >> 7 );
1116 *q++ = (unsigned char)( n << 1 );
1117
1118 #if defined(MBEDTLS_ZLIB_SUPPORT)
1119 offer_compress = 1;
1120 #else
1121 offer_compress = 0;
1122 #endif
1123
1124 /*
1125 * We don't support compression with DTLS right now: if many records come
1126 * in the same datagram, uncompressing one could overwrite the next one.
1127 * We don't want to add complexity for handling that case unless there is
1128 * an actual need for it.
1129 */
1130 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1131 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1132 offer_compress = 0;
1133 #endif
1134
1135 if( offer_compress )
1136 {
1137 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1138 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1139 MBEDTLS_SSL_COMPRESS_DEFLATE,
1140 MBEDTLS_SSL_COMPRESS_NULL ) );
1141
1142 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
1143 *p++ = 2;
1144 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1145 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1146 }
1147 else
1148 {
1149 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1150 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1151 MBEDTLS_SSL_COMPRESS_NULL ) );
1152
1153 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1154 *p++ = 1;
1155 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1156 }
1157
1158 /* First write extensions, then the total length */
1159
1160 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
1161
1162 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1163 if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
1164 end, &olen ) ) != 0 )
1165 {
1166 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
1167 return( ret );
1168 }
1169 ext_len += olen;
1170 #endif
1171
1172 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1173 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
1174 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1175 if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
1176 end, &olen ) ) != 0 )
1177 {
1178 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
1179 return( ret );
1180 }
1181 ext_len += olen;
1182 #endif
1183
1184 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1185 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1186 if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
1187 end, &olen ) ) != 0 )
1188 {
1189 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
1190 return( ret );
1191 }
1192 ext_len += olen;
1193 #endif
1194
1195 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1196 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1197 if( uses_ec )
1198 {
1199 if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
1200 end, &olen ) ) != 0 )
1201 {
1202 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
1203 return( ret );
1204 }
1205 ext_len += olen;
1206
1207 if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
1208 end, &olen ) ) != 0 )
1209 {
1210 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
1211 return( ret );
1212 }
1213 ext_len += olen;
1214 }
1215 #endif
1216
1217 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1218 if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
1219 end, &olen ) ) != 0 )
1220 {
1221 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
1222 return( ret );
1223 }
1224 ext_len += olen;
1225 #endif
1226
1227 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1228 if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
1229 end, &olen ) ) != 0 )
1230 {
1231 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
1232 return( ret );
1233 }
1234 ext_len += olen;
1235 #endif
1236
1237 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1238 if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
1239 end, &olen ) ) != 0 )
1240 {
1241 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
1242 return( ret );
1243 }
1244 ext_len += olen;
1245 #endif
1246
1247 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1248 if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
1249 end, &olen ) ) != 0 )
1250 {
1251 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
1252 return( ret );
1253 }
1254 ext_len += olen;
1255 #endif
1256
1257 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1258 if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
1259 end, &olen ) ) != 0 )
1260 {
1261 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
1262 return( ret );
1263 }
1264 ext_len += olen;
1265 #endif
1266
1267 #if defined(MBEDTLS_SSL_ALPN)
1268 if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
1269 end, &olen ) ) != 0 )
1270 {
1271 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
1272 return( ret );
1273 }
1274 ext_len += olen;
1275 #endif
1276
1277 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1278 ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, &olen );
1279 ext_len += olen;
1280 #endif
1281
1282 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1283 if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
1284 end, &olen ) ) != 0 )
1285 {
1286 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
1287 return( ret );
1288 }
1289 ext_len += olen;
1290 #endif
1291
1292 /* olen unused if all extensions are disabled */
1293 ((void) olen);
1294
1295 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1296 ext_len ) );
1297
1298 if( ext_len > 0 )
1299 {
1300 /* No need to check for space here, because the extension
1301 * writing functions already took care of that. */
1302 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1303 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1304 p += ext_len;
1305 }
1306
1307 ssl->out_msglen = p - buf;
1308 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1309 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1310
1311 ssl->state++;
1312
1313 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1314 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1315 mbedtls_ssl_send_flight_completed( ssl );
1316 #endif
1317
1318 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
1319 {
1320 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
1321 return( ret );
1322 }
1323
1324 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1325 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1326 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1327 {
1328 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1329 return( ret );
1330 }
1331 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1332
1333 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1334
1335 return( 0 );
1336 }
1337
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1338 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1339 const unsigned char *buf,
1340 size_t len )
1341 {
1342 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1343 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1344 {
1345 /* Check verify-data in constant-time. The length OTOH is no secret */
1346 if( len != 1 + ssl->verify_data_len * 2 ||
1347 buf[0] != ssl->verify_data_len * 2 ||
1348 mbedtls_ssl_safer_memcmp( buf + 1,
1349 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1350 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
1351 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1352 {
1353 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1354 mbedtls_ssl_send_alert_message(
1355 ssl,
1356 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1357 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1358 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1359 }
1360 }
1361 else
1362 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1363 {
1364 if( len != 1 || buf[0] != 0x00 )
1365 {
1366 MBEDTLS_SSL_DEBUG_MSG( 1,
1367 ( "non-zero length renegotiation info" ) );
1368 mbedtls_ssl_send_alert_message(
1369 ssl,
1370 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1371 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1372 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1373 }
1374
1375 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1376 }
1377
1378 return( 0 );
1379 }
1380
1381 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1382 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1383 const unsigned char *buf,
1384 size_t len )
1385 {
1386 /*
1387 * server should use the extension only if we did,
1388 * and if so the server's value should match ours (and len is always 1)
1389 */
1390 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1391 len != 1 ||
1392 buf[0] != ssl->conf->mfl_code )
1393 {
1394 MBEDTLS_SSL_DEBUG_MSG( 1,
1395 ( "non-matching max fragment length extension" ) );
1396 mbedtls_ssl_send_alert_message(
1397 ssl,
1398 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1399 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1400 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1401 }
1402
1403 return( 0 );
1404 }
1405 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1406
1407 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl_parse_truncated_hmac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1408 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1409 const unsigned char *buf,
1410 size_t len )
1411 {
1412 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1413 len != 0 )
1414 {
1415 MBEDTLS_SSL_DEBUG_MSG( 1,
1416 ( "non-matching truncated HMAC extension" ) );
1417 mbedtls_ssl_send_alert_message(
1418 ssl,
1419 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1420 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1421 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1422 }
1423
1424 ((void) buf);
1425
1426 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1427
1428 return( 0 );
1429 }
1430 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1431
1432 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1433 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1434 const unsigned char *buf,
1435 size_t len )
1436 {
1437 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1438 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1439 len != 0 )
1440 {
1441 MBEDTLS_SSL_DEBUG_MSG( 1,
1442 ( "non-matching encrypt-then-MAC extension" ) );
1443 mbedtls_ssl_send_alert_message(
1444 ssl,
1445 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1446 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
1447 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1448 }
1449
1450 ((void) buf);
1451
1452 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1453
1454 return( 0 );
1455 }
1456 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1457
1458 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1459 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1460 const unsigned char *buf,
1461 size_t len )
1462 {
1463 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1464 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1465 len != 0 )
1466 {
1467 MBEDTLS_SSL_DEBUG_MSG( 1,
1468 ( "non-matching extended master secret extension" ) );
1469 mbedtls_ssl_send_alert_message(
1470 ssl,
1471 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1472 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
1473 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1474 }
1475
1476 ((void) buf);
1477
1478 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1479
1480 return( 0 );
1481 }
1482 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1483
1484 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1485 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1486 const unsigned char *buf,
1487 size_t len )
1488 {
1489 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1490 len != 0 )
1491 {
1492 MBEDTLS_SSL_DEBUG_MSG( 1,
1493 ( "non-matching session ticket extension" ) );
1494 mbedtls_ssl_send_alert_message(
1495 ssl,
1496 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1497 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
1498 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1499 }
1500
1501 ((void) buf);
1502
1503 ssl->handshake->new_session_ticket = 1;
1504
1505 return( 0 );
1506 }
1507 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1508
1509 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1510 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_supported_point_formats_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1511 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1512 const unsigned char *buf,
1513 size_t len )
1514 {
1515 size_t list_size;
1516 const unsigned char *p;
1517
1518 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
1519 {
1520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1521 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1522 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1523 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1524 }
1525 list_size = buf[0];
1526
1527 p = buf + 1;
1528 while( list_size > 0 )
1529 {
1530 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1531 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1532 {
1533 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1534 ssl->handshake->ecdh_ctx.point_format = p[0];
1535 #endif
1536 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1537 ssl->handshake->ecjpake_ctx.point_format = p[0];
1538 #endif
1539 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1540 return( 0 );
1541 }
1542
1543 list_size--;
1544 p++;
1545 }
1546
1547 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1548 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1549 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1550 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1551 }
1552 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1553 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1554
1555 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1556 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1557 const unsigned char *buf,
1558 size_t len )
1559 {
1560 int ret;
1561
1562 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1563 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1564 {
1565 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1566 return( 0 );
1567 }
1568
1569 /* If we got here, we no longer need our cached extension */
1570 mbedtls_free( ssl->handshake->ecjpake_cache );
1571 ssl->handshake->ecjpake_cache = NULL;
1572 ssl->handshake->ecjpake_cache_len = 0;
1573
1574 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1575 buf, len ) ) != 0 )
1576 {
1577 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1578 mbedtls_ssl_send_alert_message(
1579 ssl,
1580 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1581 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1582 return( ret );
1583 }
1584
1585 return( 0 );
1586 }
1587 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1588
1589 #if defined(MBEDTLS_SSL_ALPN)
ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1590 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1591 const unsigned char *buf, size_t len )
1592 {
1593 size_t list_len, name_len;
1594 const char **p;
1595
1596 /* If we didn't send it, the server shouldn't send it */
1597 if( ssl->conf->alpn_list == NULL )
1598 {
1599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
1600 mbedtls_ssl_send_alert_message(
1601 ssl,
1602 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1603 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
1604 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1605 }
1606
1607 /*
1608 * opaque ProtocolName<1..2^8-1>;
1609 *
1610 * struct {
1611 * ProtocolName protocol_name_list<2..2^16-1>
1612 * } ProtocolNameList;
1613 *
1614 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1615 */
1616
1617 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1618 if( len < 4 )
1619 {
1620 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1621 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1622 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1623 }
1624
1625 list_len = ( buf[0] << 8 ) | buf[1];
1626 if( list_len != len - 2 )
1627 {
1628 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1629 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1630 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1631 }
1632
1633 name_len = buf[2];
1634 if( name_len != list_len - 1 )
1635 {
1636 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1637 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1638 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1639 }
1640
1641 /* Check that the server chosen protocol was in our list and save it */
1642 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1643 {
1644 if( name_len == strlen( *p ) &&
1645 memcmp( buf + 3, *p, name_len ) == 0 )
1646 {
1647 ssl->alpn_chosen = *p;
1648 return( 0 );
1649 }
1650 }
1651
1652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
1653 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1654 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1655 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1656 }
1657 #endif /* MBEDTLS_SSL_ALPN */
1658
1659 #if defined(MBEDTLS_SSL_DTLS_SRTP)
ssl_parse_use_srtp_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)1660 static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
1661 const unsigned char *buf, size_t len )
1662 {
1663 enum mbedtls_DTLS_SRTP_protection_profiles server_protection = MBEDTLS_SRTP_UNSET_PROFILE;
1664 size_t i;
1665 uint16_t server_protection_profile_value = 0;
1666
1667 /* If use_srtp is not configured, just ignore the extension */
1668 if( ( ssl->conf->dtls_srtp_profiles_list == NULL ) || ( ssl->conf->dtls_srtp_profiles_list_len == 0 ) )
1669 return( 0 );
1670
1671 /* RFC5764 section 4.1.1
1672 * uint8 SRTPProtectionProfile[2];
1673 *
1674 * struct {
1675 * SRTPProtectionProfiles SRTPProtectionProfiles;
1676 * opaque srtp_mki<0..255>;
1677 * } UseSRTPData;
1678
1679 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1680 *
1681 * Note: srtp_mki is not supported
1682 */
1683
1684 /* Length is 5 : one protection profile(2 bytes) + length(2 bytes) and potential srtp_mki which won't be parsed */
1685 if( len < 5 )
1686 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1687
1688 /*
1689 * get the server protection profile
1690 */
1691 if (((uint16_t)(buf[0]<<8 | buf[1])) != 0x0002) { /* protection profile length must be 0x0002 as we must have only one protection profile in server Hello */
1692 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1693 } else {
1694 server_protection_profile_value = buf[2]<<8 | buf[3];
1695 }
1696
1697 /*
1698 * Check we have the server profile in our list
1699 */
1700 for( i=0; i < ssl->conf->dtls_srtp_profiles_list_len; i++)
1701 {
1702 switch ( server_protection_profile_value ) {
1703 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE:
1704 server_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80;
1705 break;
1706 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE:
1707 server_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32;
1708 break;
1709 case MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE:
1710 server_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_80;
1711 break;
1712 case MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE:
1713 server_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_32;
1714 break;
1715 default:
1716 server_protection = MBEDTLS_SRTP_UNSET_PROFILE;
1717 break;
1718 }
1719
1720 if (server_protection == ssl->conf->dtls_srtp_profiles_list[i]) {
1721 ssl->chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profiles_list[i];
1722 return 0;
1723 }
1724 }
1725
1726 /* If we get there, no match was found : server problem, it shall never answer with incompatible profile */
1727 ssl->chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
1728 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1729 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1730 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1731 }
1732 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1733
1734 /*
1735 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1736 */
1737 #if defined(MBEDTLS_SSL_PROTO_DTLS)
ssl_parse_hello_verify_request(mbedtls_ssl_context * ssl)1738 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1739 {
1740 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1741 int major_ver, minor_ver;
1742 unsigned char cookie_len;
1743
1744 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1745
1746 /* Check that there is enough room for:
1747 * - 2 bytes of version
1748 * - 1 byte of cookie_len
1749 */
1750 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
1751 {
1752 MBEDTLS_SSL_DEBUG_MSG( 1,
1753 ( "incoming HelloVerifyRequest message is too short" ) );
1754 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1755 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1756 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1757 }
1758
1759 /*
1760 * struct {
1761 * ProtocolVersion server_version;
1762 * opaque cookie<0..2^8-1>;
1763 * } HelloVerifyRequest;
1764 */
1765 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1766 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1767 p += 2;
1768
1769 /*
1770 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1771 * even is lower than our min version.
1772 */
1773 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1774 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1775 major_ver > ssl->conf->max_major_ver ||
1776 minor_ver > ssl->conf->max_minor_ver )
1777 {
1778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1779
1780 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1781 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1782
1783 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1784 }
1785
1786 cookie_len = *p++;
1787 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1788 {
1789 MBEDTLS_SSL_DEBUG_MSG( 1,
1790 ( "cookie length does not match incoming message size" ) );
1791 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1792 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1793 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1794 }
1795 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1796
1797 mbedtls_free( ssl->handshake->verify_cookie );
1798
1799 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1800 if( ssl->handshake->verify_cookie == NULL )
1801 {
1802 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1803 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1804 }
1805
1806 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1807 ssl->handshake->verify_cookie_len = cookie_len;
1808
1809 /* Start over at ClientHello */
1810 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1811 mbedtls_ssl_reset_checksum( ssl );
1812
1813 mbedtls_ssl_recv_flight_completed( ssl );
1814
1815 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1816
1817 return( 0 );
1818 }
1819 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1820
ssl_parse_server_hello(mbedtls_ssl_context * ssl)1821 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1822 {
1823 int ret, i;
1824 size_t n;
1825 size_t ext_len;
1826 unsigned char *buf, *ext;
1827 unsigned char comp;
1828 #if defined(MBEDTLS_ZLIB_SUPPORT)
1829 int accept_comp;
1830 #endif
1831 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1832 int renegotiation_info_seen = 0;
1833 #endif
1834 int handshake_failure = 0;
1835 const mbedtls_ssl_ciphersuite_t *suite_info;
1836
1837 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1838
1839 buf = ssl->in_msg;
1840
1841 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
1842 {
1843 /* No alert on a read error. */
1844 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1845 return( ret );
1846 }
1847
1848 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1849 {
1850 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1851 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1852 {
1853 ssl->renego_records_seen++;
1854
1855 if( ssl->conf->renego_max_records >= 0 &&
1856 ssl->renego_records_seen > ssl->conf->renego_max_records )
1857 {
1858 MBEDTLS_SSL_DEBUG_MSG( 1,
1859 ( "renegotiation requested, but not honored by server" ) );
1860 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1861 }
1862
1863 MBEDTLS_SSL_DEBUG_MSG( 1,
1864 ( "non-handshake message during renegotiation" ) );
1865
1866 ssl->keep_current_message = 1;
1867 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1868 }
1869 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1870
1871 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1872 mbedtls_ssl_send_alert_message(
1873 ssl,
1874 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1875 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1876 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1877 }
1878
1879 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1880 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1881 {
1882 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1883 {
1884 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1885 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1886 return( ssl_parse_hello_verify_request( ssl ) );
1887 }
1888 else
1889 {
1890 /* We made it through the verification process */
1891 mbedtls_free( ssl->handshake->verify_cookie );
1892 ssl->handshake->verify_cookie = NULL;
1893 ssl->handshake->verify_cookie_len = 0;
1894 }
1895 }
1896 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1897
1898 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1899 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1900 {
1901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1902 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1903 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1904 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1905 }
1906
1907 /*
1908 * 0 . 1 server_version
1909 * 2 . 33 random (maybe including 4 bytes of Unix time)
1910 * 34 . 34 session_id length = n
1911 * 35 . 34+n session_id
1912 * 35+n . 36+n cipher_suite
1913 * 37+n . 37+n compression_method
1914 *
1915 * 38+n . 39+n extensions length (optional)
1916 * 40+n . .. extensions
1917 */
1918 buf += mbedtls_ssl_hs_hdr_len( ssl );
1919
1920 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1921 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1922 ssl->conf->transport, buf + 0 );
1923
1924 if( ssl->major_ver < ssl->conf->min_major_ver ||
1925 ssl->minor_ver < ssl->conf->min_minor_ver ||
1926 ssl->major_ver > ssl->conf->max_major_ver ||
1927 ssl->minor_ver > ssl->conf->max_minor_ver )
1928 {
1929 MBEDTLS_SSL_DEBUG_MSG( 1,
1930 ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1931 ssl->conf->min_major_ver,
1932 ssl->conf->min_minor_ver,
1933 ssl->major_ver, ssl->minor_ver,
1934 ssl->conf->max_major_ver,
1935 ssl->conf->max_minor_ver ) );
1936
1937 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1938 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1939
1940 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1941 }
1942
1943 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1944 ( (uint32_t) buf[2] << 24 ) |
1945 ( (uint32_t) buf[3] << 16 ) |
1946 ( (uint32_t) buf[4] << 8 ) |
1947 ( (uint32_t) buf[5] ) ) );
1948
1949 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1950
1951 n = buf[34];
1952
1953 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1954
1955 if( n > 32 )
1956 {
1957 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1958 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1959 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1960 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1961 }
1962
1963 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1964 {
1965 ext_len = ( ( buf[38 + n] << 8 )
1966 | ( buf[39 + n] ) );
1967
1968 if( ( ext_len > 0 && ext_len < 4 ) ||
1969 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1970 {
1971 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1972 mbedtls_ssl_send_alert_message(
1973 ssl,
1974 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1975 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1976 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1977 }
1978 }
1979 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1980 {
1981 ext_len = 0;
1982 }
1983 else
1984 {
1985 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1986 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1987 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1988 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1989 }
1990
1991 /* ciphersuite (used later) */
1992 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1993
1994 /*
1995 * Read and check compression
1996 */
1997 comp = buf[37 + n];
1998
1999 #if defined(MBEDTLS_ZLIB_SUPPORT)
2000 /* See comments in ssl_write_client_hello() */
2001 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2002 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2003 accept_comp = 0;
2004 else
2005 #endif
2006 accept_comp = 1;
2007
2008 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
2009 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
2010 #else /* MBEDTLS_ZLIB_SUPPORT */
2011 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
2012 #endif/* MBEDTLS_ZLIB_SUPPORT */
2013 {
2014 MBEDTLS_SSL_DEBUG_MSG( 1,
2015 ( "server hello, bad compression: %d", comp ) );
2016 mbedtls_ssl_send_alert_message(
2017 ssl,
2018 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2019 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2020 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2021 }
2022
2023 /*
2024 * Initialize update checksum functions
2025 */
2026 ssl->transform_negotiate->ciphersuite_info =
2027 mbedtls_ssl_ciphersuite_from_id( i );
2028
2029 if( ssl->transform_negotiate->ciphersuite_info == NULL )
2030 {
2031 MBEDTLS_SSL_DEBUG_MSG( 1,
2032 ( "ciphersuite info for %04x not found", i ) );
2033 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2034 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2035 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2036 }
2037
2038 mbedtls_ssl_optimize_checksum( ssl,
2039 ssl->transform_negotiate->ciphersuite_info );
2040
2041 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
2042 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
2043
2044 /*
2045 * Check if the session can be resumed
2046 */
2047 if( ssl->handshake->resume == 0 || n == 0 ||
2048 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2049 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
2050 #endif
2051 ssl->session_negotiate->ciphersuite != i ||
2052 ssl->session_negotiate->compression != comp ||
2053 ssl->session_negotiate->id_len != n ||
2054 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
2055 {
2056 ssl->state++;
2057 ssl->handshake->resume = 0;
2058 #if defined(MBEDTLS_HAVE_TIME)
2059 ssl->session_negotiate->start = mbedtls_time( NULL );
2060 #endif
2061 ssl->session_negotiate->ciphersuite = i;
2062 ssl->session_negotiate->compression = comp;
2063 ssl->session_negotiate->id_len = n;
2064 memcpy( ssl->session_negotiate->id, buf + 35, n );
2065 }
2066 else
2067 {
2068 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2069
2070 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2071 {
2072 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2073 mbedtls_ssl_send_alert_message(
2074 ssl,
2075 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2076 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2077 return( ret );
2078 }
2079 }
2080
2081 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2082 ssl->handshake->resume ? "a" : "no" ) );
2083
2084 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
2085 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
2086 buf[37 + n] ) );
2087
2088 /*
2089 * Perform cipher suite validation in same way as in ssl_write_client_hello.
2090 */
2091 i = 0;
2092 while( 1 )
2093 {
2094 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
2095 {
2096 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2097 mbedtls_ssl_send_alert_message(
2098 ssl,
2099 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2100 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2101 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2102 }
2103
2104 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
2105 ssl->session_negotiate->ciphersuite )
2106 {
2107 break;
2108 }
2109 }
2110
2111 suite_info = mbedtls_ssl_ciphersuite_from_id(
2112 ssl->session_negotiate->ciphersuite );
2113 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
2114 ssl->minor_ver ) != 0 )
2115 {
2116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2117 mbedtls_ssl_send_alert_message(
2118 ssl,
2119 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2120 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2122 }
2123
2124 MBEDTLS_SSL_DEBUG_MSG( 3,
2125 ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
2126
2127 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2128 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
2129 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2130 {
2131 ssl->handshake->ecrs_enabled = 1;
2132 }
2133 #endif
2134
2135 if( comp != MBEDTLS_SSL_COMPRESS_NULL
2136 #if defined(MBEDTLS_ZLIB_SUPPORT)
2137 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
2138 #endif
2139 )
2140 {
2141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2142 mbedtls_ssl_send_alert_message(
2143 ssl,
2144 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2145 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2146 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2147 }
2148 ssl->session_negotiate->compression = comp;
2149
2150 ext = buf + 40 + n;
2151
2152 MBEDTLS_SSL_DEBUG_MSG( 2,
2153 ( "server hello, total extension length: %d", ext_len ) );
2154
2155 while( ext_len )
2156 {
2157 unsigned int ext_id = ( ( ext[0] << 8 )
2158 | ( ext[1] ) );
2159 unsigned int ext_size = ( ( ext[2] << 8 )
2160 | ( ext[3] ) );
2161
2162 if( ext_size + 4 > ext_len )
2163 {
2164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2165 mbedtls_ssl_send_alert_message(
2166 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2167 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2168 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2169 }
2170
2171 switch( ext_id )
2172 {
2173 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
2174 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
2175 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2176 renegotiation_info_seen = 1;
2177 #endif
2178
2179 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
2180 ext_size ) ) != 0 )
2181 return( ret );
2182
2183 break;
2184
2185 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2186 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
2187 MBEDTLS_SSL_DEBUG_MSG( 3,
2188 ( "found max_fragment_length extension" ) );
2189
2190 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
2191 ext + 4, ext_size ) ) != 0 )
2192 {
2193 return( ret );
2194 }
2195
2196 break;
2197 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2198
2199 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2200 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
2201 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
2202
2203 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
2204 ext + 4, ext_size ) ) != 0 )
2205 {
2206 return( ret );
2207 }
2208
2209 break;
2210 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2211
2212 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2213 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2214 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
2215
2216 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2217 ext + 4, ext_size ) ) != 0 )
2218 {
2219 return( ret );
2220 }
2221
2222 break;
2223 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2224
2225 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2226 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2227 MBEDTLS_SSL_DEBUG_MSG( 3,
2228 ( "found extended_master_secret extension" ) );
2229
2230 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2231 ext + 4, ext_size ) ) != 0 )
2232 {
2233 return( ret );
2234 }
2235
2236 break;
2237 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2238
2239 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2240 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2241 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
2242
2243 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2244 ext + 4, ext_size ) ) != 0 )
2245 {
2246 return( ret );
2247 }
2248
2249 break;
2250 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2251
2252 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2254 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2255 MBEDTLS_SSL_DEBUG_MSG( 3,
2256 ( "found supported_point_formats extension" ) );
2257
2258 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2259 ext + 4, ext_size ) ) != 0 )
2260 {
2261 return( ret );
2262 }
2263
2264 break;
2265 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2266 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2267
2268 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2269 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2270 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2271
2272 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2273 ext + 4, ext_size ) ) != 0 )
2274 {
2275 return( ret );
2276 }
2277
2278 break;
2279 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2280
2281 #if defined(MBEDTLS_SSL_ALPN)
2282 case MBEDTLS_TLS_EXT_ALPN:
2283 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2284
2285 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2286 return( ret );
2287
2288 break;
2289 #endif /* MBEDTLS_SSL_ALPN */
2290
2291 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2292 case MBEDTLS_TLS_EXT_USE_SRTP:
2293 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
2294
2295 if( ( ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size ) ) != 0 )
2296 return( ret );
2297
2298 break;
2299 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2300
2301 default:
2302 MBEDTLS_SSL_DEBUG_MSG( 3,
2303 ( "unknown extension found: %d (ignoring)", ext_id ) );
2304 }
2305
2306 ext_len -= 4 + ext_size;
2307 ext += 4 + ext_size;
2308
2309 if( ext_len > 0 && ext_len < 4 )
2310 {
2311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2312 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2313 }
2314 }
2315
2316 /*
2317 * Renegotiation security checks
2318 */
2319 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2320 ssl->conf->allow_legacy_renegotiation ==
2321 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
2322 {
2323 MBEDTLS_SSL_DEBUG_MSG( 1,
2324 ( "legacy renegotiation, breaking off handshake" ) );
2325 handshake_failure = 1;
2326 }
2327 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2328 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2329 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2330 renegotiation_info_seen == 0 )
2331 {
2332 MBEDTLS_SSL_DEBUG_MSG( 1,
2333 ( "renegotiation_info extension missing (secure)" ) );
2334 handshake_failure = 1;
2335 }
2336 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2337 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2338 ssl->conf->allow_legacy_renegotiation ==
2339 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
2340 {
2341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2342 handshake_failure = 1;
2343 }
2344 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2345 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2346 renegotiation_info_seen == 1 )
2347 {
2348 MBEDTLS_SSL_DEBUG_MSG( 1,
2349 ( "renegotiation_info extension present (legacy)" ) );
2350 handshake_failure = 1;
2351 }
2352 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2353
2354 if( handshake_failure == 1 )
2355 {
2356 mbedtls_ssl_send_alert_message(
2357 ssl,
2358 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2359 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2360 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2361 }
2362
2363 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
2364
2365 return( 0 );
2366 }
2367
2368 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2369 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
ssl_parse_server_dh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)2370 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
2371 unsigned char **p,
2372 unsigned char *end )
2373 {
2374 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2375 size_t dhm_actual_bitlen;
2376
2377 /*
2378 * Ephemeral DH parameters:
2379 *
2380 * struct {
2381 * opaque dh_p<1..2^16-1>;
2382 * opaque dh_g<1..2^16-1>;
2383 * opaque dh_Ys<1..2^16-1>;
2384 * } ServerDHParams;
2385 */
2386 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
2387 p, end ) ) != 0 )
2388 {
2389 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
2390 return( ret );
2391 }
2392
2393 dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
2394 if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
2395 {
2396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u",
2397 (unsigned) dhm_actual_bitlen,
2398 ssl->conf->dhm_min_bitlen ) );
2399 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2400 }
2401
2402 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2403 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2404 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2405
2406 return( ret );
2407 }
2408 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2409 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2410
2411 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2412 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2413 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2414 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2415 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
ssl_check_server_ecdh_params(const mbedtls_ssl_context * ssl)2416 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
2417 {
2418 const mbedtls_ecp_curve_info *curve_info;
2419 mbedtls_ecp_group_id grp_id;
2420 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2421 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2422 #else
2423 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2424 #endif
2425
2426 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
2427 if( curve_info == NULL )
2428 {
2429 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2430 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2431 }
2432
2433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
2434
2435 #if defined(MBEDTLS_ECP_C)
2436 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
2437 #else
2438 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2439 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
2440 #endif
2441 return( -1 );
2442
2443 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2444 MBEDTLS_DEBUG_ECDH_QP );
2445
2446 return( 0 );
2447 }
2448 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2449 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2450 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2451 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2452 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2453
2454 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2455 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2456 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
ssl_parse_server_ecdh_params(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)2457 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
2458 unsigned char **p,
2459 unsigned char *end )
2460 {
2461 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2462
2463 /*
2464 * Ephemeral ECDH parameters:
2465 *
2466 * struct {
2467 * ECParameters curve_params;
2468 * ECPoint public;
2469 * } ServerECDHParams;
2470 */
2471 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
2472 (const unsigned char **) p, end ) ) != 0 )
2473 {
2474 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
2475 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2476 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2477 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2478 #endif
2479 return( ret );
2480 }
2481
2482 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2483 {
2484 MBEDTLS_SSL_DEBUG_MSG( 1,
2485 ( "bad server key exchange message (ECDHE curve)" ) );
2486 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2487 }
2488
2489 return( ret );
2490 }
2491 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2492 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2493 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2494
2495 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
ssl_parse_server_psk_hint(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end)2496 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
2497 unsigned char **p,
2498 unsigned char *end )
2499 {
2500 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2501 size_t len;
2502 ((void) ssl);
2503
2504 /*
2505 * PSK parameters:
2506 *
2507 * opaque psk_identity_hint<0..2^16-1>;
2508 */
2509 if( end - (*p) < 2 )
2510 {
2511 MBEDTLS_SSL_DEBUG_MSG( 1,
2512 ( "bad server key exchange message (psk_identity_hint length)" ) );
2513 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2514 }
2515 len = (*p)[0] << 8 | (*p)[1];
2516 *p += 2;
2517
2518 if( end - (*p) < (int) len )
2519 {
2520 MBEDTLS_SSL_DEBUG_MSG( 1,
2521 ( "bad server key exchange message (psk_identity_hint length)" ) );
2522 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2523 }
2524
2525 /*
2526 * Note: we currently ignore the PKS identity hint, as we only allow one
2527 * PSK to be provisionned on the client. This could be changed later if
2528 * someone needs that feature.
2529 */
2530 *p += len;
2531 ret = 0;
2532
2533 return( ret );
2534 }
2535 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2536
2537 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2538 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2539 /*
2540 * Generate a pre-master secret and encrypt it with the server's RSA key
2541 */
ssl_write_encrypted_pms(mbedtls_ssl_context * ssl,size_t offset,size_t * olen,size_t pms_offset)2542 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
2543 size_t offset, size_t *olen,
2544 size_t pms_offset )
2545 {
2546 int ret;
2547 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2548 unsigned char *p = ssl->handshake->premaster + pms_offset;
2549
2550 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
2551 {
2552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2553 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2554 }
2555
2556 /*
2557 * Generate (part of) the pre-master as
2558 * struct {
2559 * ProtocolVersion client_version;
2560 * opaque random[46];
2561 * } PreMasterSecret;
2562 */
2563 mbedtls_ssl_write_version( ssl->conf->max_major_ver,
2564 ssl->conf->max_minor_ver,
2565 ssl->conf->transport, p );
2566
2567 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2568 {
2569 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2570 return( ret );
2571 }
2572
2573 ssl->handshake->pmslen = 48;
2574
2575 if( ssl->session_negotiate->peer_cert == NULL )
2576 {
2577 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2578 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2579 }
2580
2581 /*
2582 * Now write it out, encrypted
2583 */
2584 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2585 MBEDTLS_PK_RSA ) )
2586 {
2587 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2588 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2589 }
2590
2591 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
2592 p, ssl->handshake->pmslen,
2593 ssl->out_msg + offset + len_bytes, olen,
2594 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
2595 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2596 {
2597 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2598 return( ret );
2599 }
2600
2601 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2602 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2603 if( len_bytes == 2 )
2604 {
2605 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2606 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2607 *olen += 2;
2608 }
2609 #endif
2610
2611 return( 0 );
2612 }
2613 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2614 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2615
2616 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2617 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2618 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2619 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
ssl_parse_signature_algorithm(mbedtls_ssl_context * ssl,unsigned char ** p,unsigned char * end,mbedtls_md_type_t * md_alg,mbedtls_pk_type_t * pk_alg)2620 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2621 unsigned char **p,
2622 unsigned char *end,
2623 mbedtls_md_type_t *md_alg,
2624 mbedtls_pk_type_t *pk_alg )
2625 {
2626 ((void) ssl);
2627 *md_alg = MBEDTLS_MD_NONE;
2628 *pk_alg = MBEDTLS_PK_NONE;
2629
2630 /* Only in TLS 1.2 */
2631 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2632 {
2633 return( 0 );
2634 }
2635
2636 if( (*p) + 2 > end )
2637 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2638
2639 /*
2640 * Get hash algorithm
2641 */
2642 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
2643 == MBEDTLS_MD_NONE )
2644 {
2645 MBEDTLS_SSL_DEBUG_MSG( 1,
2646 ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
2647 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2648 }
2649
2650 /*
2651 * Get signature algorithm
2652 */
2653 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
2654 == MBEDTLS_PK_NONE )
2655 {
2656 MBEDTLS_SSL_DEBUG_MSG( 1,
2657 ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
2658 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2659 }
2660
2661 /*
2662 * Check if the hash is acceptable
2663 */
2664 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2665 {
2666 MBEDTLS_SSL_DEBUG_MSG( 1,
2667 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
2668 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2669 }
2670
2671 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
2672 (*p)[1] ) );
2673 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
2674 (*p)[0] ) );
2675 *p += 2;
2676
2677 return( 0 );
2678 }
2679 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2680 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2681 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2682 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2683
2684 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2685 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)2686 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2687 {
2688 int ret;
2689 const mbedtls_ecp_keypair *peer_key;
2690
2691 if( ssl->session_negotiate->peer_cert == NULL )
2692 {
2693 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2694 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2695 }
2696
2697 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2698 MBEDTLS_PK_ECKEY ) )
2699 {
2700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2701 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2702 }
2703
2704 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
2705
2706 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2707 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2708 {
2709 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2710 return( ret );
2711 }
2712
2713 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2714 {
2715 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2716 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2717 }
2718
2719 return( ret );
2720 }
2721 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2722 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2723
ssl_parse_server_key_exchange(mbedtls_ssl_context * ssl)2724 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2725 {
2726 int ret;
2727 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2728 ssl->transform_negotiate->ciphersuite_info;
2729 unsigned char *p = NULL, *end = NULL;
2730
2731 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2732
2733 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2734 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2735 {
2736 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2737 ssl->state++;
2738 return( 0 );
2739 }
2740 ((void) p);
2741 ((void) end);
2742 #endif
2743
2744 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2745 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2746 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2747 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2748 {
2749 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2750 {
2751 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2752 mbedtls_ssl_send_alert_message(
2753 ssl,
2754 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2755 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2756 return( ret );
2757 }
2758
2759 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2760 ssl->state++;
2761 return( 0 );
2762 }
2763 ((void) p);
2764 ((void) end);
2765 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2766 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2767
2768 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2769 if( ssl->handshake->ecrs_enabled &&
2770 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
2771 {
2772 goto start_processing;
2773 }
2774 #endif
2775
2776 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2777 {
2778 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2779 return( ret );
2780 }
2781
2782 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2783 {
2784 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2785 mbedtls_ssl_send_alert_message(
2786 ssl,
2787 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2788 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2789 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2790 }
2791
2792 /*
2793 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2794 * doesn't use a psk_identity_hint
2795 */
2796 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2797 {
2798 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2799 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2800 {
2801 /* Current message is probably either
2802 * CertificateRequest or ServerHelloDone */
2803 ssl->keep_current_message = 1;
2804 goto exit;
2805 }
2806
2807 MBEDTLS_SSL_DEBUG_MSG( 1,
2808 ( "server key exchange message must not be skipped" ) );
2809 mbedtls_ssl_send_alert_message(
2810 ssl,
2811 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2812 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2813
2814 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2815 }
2816
2817 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2818 if( ssl->handshake->ecrs_enabled )
2819 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2820
2821 start_processing:
2822 #endif
2823 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2824 end = ssl->in_msg + ssl->in_hslen;
2825 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2826
2827 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2828 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2829 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2830 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2831 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2832 {
2833 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2834 {
2835 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2836 mbedtls_ssl_send_alert_message(
2837 ssl,
2838 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2839 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2840 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2841 }
2842 } /* FALLTROUGH */
2843 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2844
2845 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2846 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2847 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2848 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2849 ; /* nothing more to do */
2850 else
2851 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2852 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2853 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2854 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2855 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2856 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2857 {
2858 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2859 {
2860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2861 mbedtls_ssl_send_alert_message(
2862 ssl,
2863 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2864 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2865 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2866 }
2867 }
2868 else
2869 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2870 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2871 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2872 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2873 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2874 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2875 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2876 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2877 {
2878 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2879 {
2880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2881 mbedtls_ssl_send_alert_message(
2882 ssl,
2883 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2884 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2885 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2886 }
2887 }
2888 else
2889 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2890 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2891 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2892 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2893 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2894 {
2895 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2896 p, end - p );
2897 if( ret != 0 )
2898 {
2899 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2900 mbedtls_ssl_send_alert_message(
2901 ssl,
2902 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2903 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2904 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2905 }
2906 }
2907 else
2908 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2909 {
2910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2911 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2912 }
2913
2914 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2915 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
2916 {
2917 size_t sig_len, hashlen;
2918 unsigned char hash[64];
2919 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2920 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2921 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2922 size_t params_len = p - params;
2923 void *rs_ctx = NULL;
2924
2925 /*
2926 * Handle the digitally-signed structure
2927 */
2928 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2929 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2930 {
2931 if( ssl_parse_signature_algorithm( ssl, &p, end,
2932 &md_alg, &pk_alg ) != 0 )
2933 {
2934 MBEDTLS_SSL_DEBUG_MSG( 1,
2935 ( "bad server key exchange message" ) );
2936 mbedtls_ssl_send_alert_message(
2937 ssl,
2938 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2939 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2940 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2941 }
2942
2943 if( pk_alg !=
2944 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2945 {
2946 MBEDTLS_SSL_DEBUG_MSG( 1,
2947 ( "bad server key exchange message" ) );
2948 mbedtls_ssl_send_alert_message(
2949 ssl,
2950 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2951 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2952 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2953 }
2954 }
2955 else
2956 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2957 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2958 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2959 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2960 {
2961 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2962
2963 /* Default hash for ECDSA is SHA-1 */
2964 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2965 md_alg = MBEDTLS_MD_SHA1;
2966 }
2967 else
2968 #endif
2969 {
2970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2971 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2972 }
2973
2974 /*
2975 * Read signature
2976 */
2977
2978 if( p > end - 2 )
2979 {
2980 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2981 mbedtls_ssl_send_alert_message(
2982 ssl,
2983 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2984 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2985 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2986 }
2987 sig_len = ( p[0] << 8 ) | p[1];
2988 p += 2;
2989
2990 if( p != end - sig_len )
2991 {
2992 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2993 mbedtls_ssl_send_alert_message(
2994 ssl,
2995 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2996 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2997 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2998 }
2999
3000 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
3001
3002 /*
3003 * Compute the hash that has been signed
3004 */
3005 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3006 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3007 if( md_alg == MBEDTLS_MD_NONE )
3008 {
3009 hashlen = 36;
3010 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
3011 params_len );
3012 if( ret != 0 )
3013 return( ret );
3014 }
3015 else
3016 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3017 MBEDTLS_SSL_PROTO_TLS1_1 */
3018 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3019 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3020 if( md_alg != MBEDTLS_MD_NONE )
3021 {
3022 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
3023 params, params_len,
3024 md_alg );
3025 if( ret != 0 )
3026 return( ret );
3027 }
3028 else
3029 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3030 MBEDTLS_SSL_PROTO_TLS1_2 */
3031 {
3032 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3033 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3034 }
3035
3036 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
3037
3038 if( ssl->session_negotiate->peer_cert == NULL )
3039 {
3040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
3041 mbedtls_ssl_send_alert_message(
3042 ssl,
3043 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3044 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
3045 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3046 }
3047
3048 /*
3049 * Verify signature
3050 */
3051 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3052 pk_alg ) )
3053 {
3054 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
3055 mbedtls_ssl_send_alert_message(
3056 ssl,
3057 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3058 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
3059 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
3060 }
3061
3062 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3063 if( ssl->handshake->ecrs_enabled )
3064 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3065 #endif
3066
3067 if( ( ret = mbedtls_pk_verify_restartable(
3068 &ssl->session_negotiate->peer_cert->pk,
3069 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
3070 {
3071 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3072 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
3073 #endif
3074 mbedtls_ssl_send_alert_message(
3075 ssl,
3076 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3077 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
3078 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
3079 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3080 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3081 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3082 #endif
3083 return( ret );
3084 }
3085 }
3086 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3087
3088 exit:
3089 ssl->state++;
3090
3091 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
3092
3093 return( 0 );
3094 }
3095
3096 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)3097 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
3098 {
3099 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3100 ssl->transform_negotiate->ciphersuite_info;
3101
3102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
3103
3104 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
3105 {
3106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
3107 ssl->state++;
3108 return( 0 );
3109 }
3110
3111 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3112 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3113 }
3114 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
ssl_parse_certificate_request(mbedtls_ssl_context * ssl)3115 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
3116 {
3117 int ret;
3118 unsigned char *buf;
3119 size_t n = 0;
3120 size_t cert_type_len = 0, dn_len = 0;
3121 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3122 ssl->transform_negotiate->ciphersuite_info;
3123
3124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
3125
3126 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
3127 {
3128 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
3129 ssl->state++;
3130 return( 0 );
3131 }
3132
3133 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3134 {
3135 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3136 return( ret );
3137 }
3138
3139 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3140 {
3141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3142 mbedtls_ssl_send_alert_message(
3143 ssl,
3144 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3145 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3146 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3147 }
3148
3149 ssl->state++;
3150 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
3151
3152 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
3153 ssl->client_auth ? "a" : "no" ) );
3154
3155 if( ssl->client_auth == 0 )
3156 {
3157 /* Current message is probably the ServerHelloDone */
3158 ssl->keep_current_message = 1;
3159 goto exit;
3160 }
3161
3162 /*
3163 * struct {
3164 * ClientCertificateType certificate_types<1..2^8-1>;
3165 * SignatureAndHashAlgorithm
3166 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3167 * DistinguishedName certificate_authorities<0..2^16-1>;
3168 * } CertificateRequest;
3169 *
3170 * Since we only support a single certificate on clients, let's just
3171 * ignore all the information that's supposed to help us pick a
3172 * certificate.
3173 *
3174 * We could check that our certificate matches the request, and bail out
3175 * if it doesn't, but it's simpler to just send the certificate anyway,
3176 * and give the server the opportunity to decide if it should terminate
3177 * the connection when it doesn't like our certificate.
3178 *
3179 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3180 * point we only have one hash available (see comments in
3181 * write_certificate_verify), so let's just use what we have.
3182 *
3183 * However, we still minimally parse the message to check it is at least
3184 * superficially sane.
3185 */
3186 buf = ssl->in_msg;
3187
3188 /* certificate_types */
3189 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3190 {
3191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3192 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3193 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3194 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3195 }
3196 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
3197 n = cert_type_len;
3198
3199 /*
3200 * In the subsequent code there are two paths that read from buf:
3201 * * the length of the signature algorithms field (if minor version of
3202 * SSL is 3),
3203 * * distinguished name length otherwise.
3204 * Both reach at most the index:
3205 * ...hdr_len + 2 + n,
3206 * therefore the buffer length at this point must be greater than that
3207 * regardless of the actual code path.
3208 */
3209 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
3210 {
3211 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3212 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3213 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3214 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3215 }
3216
3217 /* supported_signature_algorithms */
3218 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3219 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3220 {
3221 size_t sig_alg_len =
3222 ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3223 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3224 #if defined(MBEDTLS_DEBUG_C)
3225 unsigned char* sig_alg;
3226 size_t i;
3227 #endif
3228
3229 /*
3230 * The furthest access in buf is in the loop few lines below:
3231 * sig_alg[i + 1],
3232 * where:
3233 * sig_alg = buf + ...hdr_len + 3 + n,
3234 * max(i) = sig_alg_len - 1.
3235 * Therefore the furthest access is:
3236 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3237 * which reduces to:
3238 * buf[...hdr_len + 3 + n + sig_alg_len],
3239 * which is one less than we need the buf to be.
3240 */
3241 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
3242 + 3 + n + sig_alg_len )
3243 {
3244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3245 mbedtls_ssl_send_alert_message(
3246 ssl,
3247 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3248 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3249 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3250 }
3251
3252 #if defined(MBEDTLS_DEBUG_C)
3253 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
3254 for( i = 0; i < sig_alg_len; i += 2 )
3255 {
3256 MBEDTLS_SSL_DEBUG_MSG( 3,
3257 ( "Supported Signature Algorithm found: %d,%d",
3258 sig_alg[i], sig_alg[i + 1] ) );
3259 }
3260 #endif
3261
3262 n += 2 + sig_alg_len;
3263 }
3264 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3265
3266 /* certificate_authorities */
3267 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3268 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3269
3270 n += dn_len;
3271 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
3272 {
3273 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3274 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3275 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3276 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3277 }
3278
3279 exit:
3280 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
3281
3282 return( 0 );
3283 }
3284 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3285
ssl_parse_server_hello_done(mbedtls_ssl_context * ssl)3286 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
3287 {
3288 int ret;
3289
3290 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
3291
3292 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3293 {
3294 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3295 return( ret );
3296 }
3297
3298 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3299 {
3300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3301 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3302 }
3303
3304 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3305 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
3306 {
3307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3308 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3309 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3310 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
3311 }
3312
3313 ssl->state++;
3314
3315 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3316 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3317 mbedtls_ssl_recv_flight_completed( ssl );
3318 #endif
3319
3320 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
3321
3322 return( 0 );
3323 }
3324
ssl_write_client_key_exchange(mbedtls_ssl_context * ssl)3325 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
3326 {
3327 int ret;
3328 size_t i, n;
3329 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3330 ssl->transform_negotiate->ciphersuite_info;
3331
3332 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
3333
3334 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3335 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3336 {
3337 /*
3338 * DHM key exchange -- send G^X mod P
3339 */
3340 n = ssl->handshake->dhm_ctx.len;
3341
3342 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3343 ssl->out_msg[5] = (unsigned char)( n );
3344 i = 6;
3345
3346 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3347 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3348 &ssl->out_msg[i], n,
3349 ssl->conf->f_rng, ssl->conf->p_rng );
3350 if( ret != 0 )
3351 {
3352 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3353 return( ret );
3354 }
3355
3356 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3357 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3358
3359 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3360 ssl->handshake->premaster,
3361 MBEDTLS_PREMASTER_SIZE,
3362 &ssl->handshake->pmslen,
3363 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3364 {
3365 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3366 return( ret );
3367 }
3368
3369 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3370 }
3371 else
3372 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3373 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3374 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3375 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3376 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3377 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3378 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3379 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3380 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3381 {
3382 /*
3383 * ECDH key exchange -- send client public value
3384 */
3385 i = 4;
3386
3387 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3388 if( ssl->handshake->ecrs_enabled )
3389 {
3390 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
3391 goto ecdh_calc_secret;
3392
3393 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3394 }
3395 #endif
3396
3397 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3398 &n,
3399 &ssl->out_msg[i], 1000,
3400 ssl->conf->f_rng, ssl->conf->p_rng );
3401 if( ret != 0 )
3402 {
3403 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3404 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3405 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3406 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3407 #endif
3408 return( ret );
3409 }
3410
3411 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3412 MBEDTLS_DEBUG_ECDH_Q );
3413
3414 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3415 if( ssl->handshake->ecrs_enabled )
3416 {
3417 ssl->handshake->ecrs_n = n;
3418 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
3419 }
3420
3421 ecdh_calc_secret:
3422 if( ssl->handshake->ecrs_enabled )
3423 n = ssl->handshake->ecrs_n;
3424 #endif
3425 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3426 &ssl->handshake->pmslen,
3427 ssl->handshake->premaster,
3428 MBEDTLS_MPI_MAX_SIZE,
3429 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3430 {
3431 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3432 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3433 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3434 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3435 #endif
3436 return( ret );
3437 }
3438
3439 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3440 MBEDTLS_DEBUG_ECDH_Z );
3441 }
3442 else
3443 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3444 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3445 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3446 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3447 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3448 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
3449 {
3450 /*
3451 * opaque psk_identity<0..2^16-1>;
3452 */
3453 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
3454 {
3455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
3456 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3457 }
3458
3459 i = 4;
3460 n = ssl->conf->psk_identity_len;
3461
3462 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
3463 {
3464 MBEDTLS_SSL_DEBUG_MSG( 1,
3465 ( "psk identity too long or SSL buffer too short" ) );
3466 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3467 }
3468
3469 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3470 ssl->out_msg[i++] = (unsigned char)( n );
3471
3472 memcpy( ssl->out_msg + i,
3473 ssl->conf->psk_identity,
3474 ssl->conf->psk_identity_len );
3475 i += ssl->conf->psk_identity_len;
3476
3477 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3478 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3479 {
3480 n = 0;
3481 }
3482 else
3483 #endif
3484 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3485 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3486 {
3487 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3488 return( ret );
3489 }
3490 else
3491 #endif
3492 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3493 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3494 {
3495 /*
3496 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3497 */
3498 n = ssl->handshake->dhm_ctx.len;
3499
3500 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
3501 {
3502 MBEDTLS_SSL_DEBUG_MSG( 1,
3503 ( "psk identity or DHM size too long or SSL buffer too short" ) );
3504 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3505 }
3506
3507 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3508 ssl->out_msg[i++] = (unsigned char)( n );
3509
3510 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3511 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3512 &ssl->out_msg[i], n,
3513 ssl->conf->f_rng, ssl->conf->p_rng );
3514 if( ret != 0 )
3515 {
3516 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3517 return( ret );
3518 }
3519 }
3520 else
3521 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3522 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3523 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3524 {
3525 /*
3526 * ClientECDiffieHellmanPublic public;
3527 */
3528 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
3529 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
3530 ssl->conf->f_rng, ssl->conf->p_rng );
3531 if( ret != 0 )
3532 {
3533 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3534 return( ret );
3535 }
3536
3537 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3538 MBEDTLS_DEBUG_ECDH_Q );
3539 }
3540 else
3541 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3542 {
3543 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3544 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3545 }
3546
3547 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3548 ciphersuite_info->key_exchange ) ) != 0 )
3549 {
3550 MBEDTLS_SSL_DEBUG_RET( 1,
3551 "mbedtls_ssl_psk_derive_premaster", ret );
3552 return( ret );
3553 }
3554 }
3555 else
3556 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3557 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3558 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3559 {
3560 i = 4;
3561 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
3562 return( ret );
3563 }
3564 else
3565 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3566 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3567 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3568 {
3569 i = 4;
3570
3571 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
3572 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
3573 ssl->conf->f_rng, ssl->conf->p_rng );
3574 if( ret != 0 )
3575 {
3576 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3577 return( ret );
3578 }
3579
3580 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3581 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3582 ssl->conf->f_rng, ssl->conf->p_rng );
3583 if( ret != 0 )
3584 {
3585 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3586 return( ret );
3587 }
3588 }
3589 else
3590 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3591 {
3592 ((void) ciphersuite_info);
3593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3594 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3595 }
3596
3597 ssl->out_msglen = i + n;
3598 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3599 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3600
3601 ssl->state++;
3602
3603 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3604 {
3605 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3606 return( ret );
3607 }
3608
3609 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
3610
3611 return( 0 );
3612 }
3613
3614 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3615 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3616 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3617 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3618 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3619 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3620 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3621 {
3622 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3623 ssl->transform_negotiate->ciphersuite_info;
3624 int ret;
3625
3626 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3627
3628 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3629 {
3630 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3631 return( ret );
3632 }
3633
3634 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3635 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3636 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3637 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3638 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3639 {
3640 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3641 ssl->state++;
3642 return( 0 );
3643 }
3644
3645 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3646 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3647 }
3648 #else
ssl_write_certificate_verify(mbedtls_ssl_context * ssl)3649 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3650 {
3651 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3652 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3653 ssl->transform_negotiate->ciphersuite_info;
3654 size_t n = 0, offset = 0;
3655 unsigned char hash[48];
3656 unsigned char *hash_start = hash;
3657 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3658 unsigned int hashlen;
3659 void *rs_ctx = NULL;
3660
3661 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3662
3663 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3664 if( ssl->handshake->ecrs_enabled &&
3665 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
3666 {
3667 goto sign;
3668 }
3669 #endif
3670
3671 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3672 {
3673 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3674 return( ret );
3675 }
3676
3677 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3678 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3679 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3680 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3681 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3682 {
3683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3684 ssl->state++;
3685 return( 0 );
3686 }
3687
3688 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3689 {
3690 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3691 ssl->state++;
3692 return( 0 );
3693 }
3694
3695 if( mbedtls_ssl_own_key( ssl ) == NULL )
3696 {
3697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3698 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3699 }
3700
3701 /*
3702 * Make a signature of the handshake digests
3703 */
3704 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3705 if( ssl->handshake->ecrs_enabled )
3706 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3707
3708 sign:
3709 #endif
3710
3711 ssl->handshake->calc_verify( ssl, hash );
3712
3713 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3714 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3715 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3716 {
3717 /*
3718 * digitally-signed struct {
3719 * opaque md5_hash[16];
3720 * opaque sha_hash[20];
3721 * };
3722 *
3723 * md5_hash
3724 * MD5(handshake_messages);
3725 *
3726 * sha_hash
3727 * SHA(handshake_messages);
3728 */
3729 hashlen = 36;
3730 md_alg = MBEDTLS_MD_NONE;
3731
3732 /*
3733 * For ECDSA, default hash is SHA-1 only
3734 */
3735 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
3736 {
3737 hash_start += 16;
3738 hashlen -= 16;
3739 md_alg = MBEDTLS_MD_SHA1;
3740 }
3741 }
3742 else
3743 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3744 MBEDTLS_SSL_PROTO_TLS1_1 */
3745 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3746 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3747 {
3748 /*
3749 * digitally-signed struct {
3750 * opaque handshake_messages[handshake_messages_length];
3751 * };
3752 *
3753 * Taking shortcut here. We assume that the server always allows the
3754 * PRF Hash function and has sent it in the allowed signature
3755 * algorithms list received in the Certificate Request message.
3756 *
3757 * Until we encounter a server that does not, we will take this
3758 * shortcut.
3759 *
3760 * Reason: Otherwise we should have running hashes for SHA512 and
3761 * SHA224 in order to satisfy 'weird' needs from the server
3762 * side.
3763 */
3764 if( ssl->transform_negotiate->ciphersuite_info->mac ==
3765 MBEDTLS_MD_SHA384 )
3766 {
3767 md_alg = MBEDTLS_MD_SHA384;
3768 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3769 }
3770 else
3771 {
3772 md_alg = MBEDTLS_MD_SHA256;
3773 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3774 }
3775 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
3776
3777 /* Info from md_alg will be used instead */
3778 hashlen = 0;
3779 offset = 2;
3780 }
3781 else
3782 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3783 {
3784 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3785 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3786 }
3787
3788 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3789 if( ssl->handshake->ecrs_enabled )
3790 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3791 #endif
3792
3793 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3794 md_alg, hash_start, hashlen,
3795 ssl->out_msg + 6 + offset, &n,
3796 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
3797 {
3798 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3799 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3800 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3801 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3802 #endif
3803 return( ret );
3804 }
3805
3806 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3807 ssl->out_msg[5 + offset] = (unsigned char)( n );
3808
3809 ssl->out_msglen = 6 + n + offset;
3810 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3811 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3812
3813 ssl->state++;
3814
3815 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3816 {
3817 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3818 return( ret );
3819 }
3820
3821 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3822
3823 return( ret );
3824 }
3825 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3826 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3827 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3828 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3829 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3830 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3831
3832 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_parse_new_session_ticket(mbedtls_ssl_context * ssl)3833 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3834 {
3835 int ret;
3836 uint32_t lifetime;
3837 size_t ticket_len;
3838 unsigned char *ticket;
3839 const unsigned char *msg;
3840
3841 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3842
3843 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3844 {
3845 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3846 return( ret );
3847 }
3848
3849 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3850 {
3851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3852 mbedtls_ssl_send_alert_message(
3853 ssl,
3854 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3855 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3856 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3857 }
3858
3859 /*
3860 * struct {
3861 * uint32 ticket_lifetime_hint;
3862 * opaque ticket<0..2^16-1>;
3863 * } NewSessionTicket;
3864 *
3865 * 0 . 3 ticket_lifetime_hint
3866 * 4 . 5 ticket_len (n)
3867 * 6 . 5+n ticket content
3868 */
3869 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3870 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3871 {
3872 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3873 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3874 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3875 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3876 }
3877
3878 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3879
3880 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3881 ( msg[2] << 8 ) | ( msg[3] );
3882
3883 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3884
3885 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3886 {
3887 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3888 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3889 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3890 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3891 }
3892
3893 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3894
3895 /* We're not waiting for a NewSessionTicket message any more */
3896 ssl->handshake->new_session_ticket = 0;
3897 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3898
3899 /*
3900 * Zero-length ticket means the server changed his mind and doesn't want
3901 * to send a ticket after all, so just forget it
3902 */
3903 if( ticket_len == 0 )
3904 return( 0 );
3905
3906 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3907 ssl->session_negotiate->ticket_len );
3908 mbedtls_free( ssl->session_negotiate->ticket );
3909 ssl->session_negotiate->ticket = NULL;
3910 ssl->session_negotiate->ticket_len = 0;
3911
3912 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3913 {
3914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3915 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3916 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
3917 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3918 }
3919
3920 memcpy( ticket, msg + 6, ticket_len );
3921
3922 ssl->session_negotiate->ticket = ticket;
3923 ssl->session_negotiate->ticket_len = ticket_len;
3924 ssl->session_negotiate->ticket_lifetime = lifetime;
3925
3926 /*
3927 * RFC 5077 section 3.4:
3928 * "If the client receives a session ticket from the server, then it
3929 * discards any Session ID that was sent in the ServerHello."
3930 */
3931 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3932 ssl->session_negotiate->id_len = 0;
3933
3934 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3935
3936 return( 0 );
3937 }
3938 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3939
3940 /*
3941 * SSL handshake -- client side -- single step
3942 */
mbedtls_ssl_handshake_client_step(mbedtls_ssl_context * ssl)3943 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3944 {
3945 int ret = 0;
3946
3947 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3948 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3949
3950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3951
3952 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3953 return( ret );
3954
3955 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3956 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3957 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3958 {
3959 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3960 return( ret );
3961 }
3962 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3963
3964 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3965 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3966 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3967 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3968 ssl->handshake->new_session_ticket != 0 )
3969 {
3970 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3971 }
3972 #endif
3973
3974 switch( ssl->state )
3975 {
3976 case MBEDTLS_SSL_HELLO_REQUEST:
3977 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3978 break;
3979
3980 /*
3981 * ==> ClientHello
3982 */
3983 case MBEDTLS_SSL_CLIENT_HELLO:
3984 ret = ssl_write_client_hello( ssl );
3985 break;
3986
3987 /*
3988 * <== ServerHello
3989 * Certificate
3990 * ( ServerKeyExchange )
3991 * ( CertificateRequest )
3992 * ServerHelloDone
3993 */
3994 case MBEDTLS_SSL_SERVER_HELLO:
3995 ret = ssl_parse_server_hello( ssl );
3996 break;
3997
3998 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3999 ret = mbedtls_ssl_parse_certificate( ssl );
4000 break;
4001
4002 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4003 ret = ssl_parse_server_key_exchange( ssl );
4004 break;
4005
4006 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4007 ret = ssl_parse_certificate_request( ssl );
4008 break;
4009
4010 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4011 ret = ssl_parse_server_hello_done( ssl );
4012 break;
4013
4014 /*
4015 * ==> ( Certificate/Alert )
4016 * ClientKeyExchange
4017 * ( CertificateVerify )
4018 * ChangeCipherSpec
4019 * Finished
4020 */
4021 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4022 ret = mbedtls_ssl_write_certificate( ssl );
4023 break;
4024
4025 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4026 ret = ssl_write_client_key_exchange( ssl );
4027 break;
4028
4029 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4030 ret = ssl_write_certificate_verify( ssl );
4031 break;
4032
4033 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4034 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
4035 break;
4036
4037 case MBEDTLS_SSL_CLIENT_FINISHED:
4038 ret = mbedtls_ssl_write_finished( ssl );
4039 break;
4040
4041 /*
4042 * <== ( NewSessionTicket )
4043 * ChangeCipherSpec
4044 * Finished
4045 */
4046 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4047 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
4048 ret = ssl_parse_new_session_ticket( ssl );
4049 break;
4050 #endif
4051
4052 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4053 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
4054 break;
4055
4056 case MBEDTLS_SSL_SERVER_FINISHED:
4057 ret = mbedtls_ssl_parse_finished( ssl );
4058 break;
4059
4060 case MBEDTLS_SSL_FLUSH_BUFFERS:
4061 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4062 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4063 break;
4064
4065 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4066 mbedtls_ssl_handshake_wrapup( ssl );
4067 break;
4068
4069 default:
4070 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4071 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4072 }
4073
4074 return( ret );
4075 }
4076 #endif /* MBEDTLS_SSL_CLI_C */
4077