1 /*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47 #if !defined(MBEDTLS_CONFIG_FILE)
48 #include "mbedtls/config.h"
49 #else
50 #include MBEDTLS_CONFIG_FILE
51 #endif
52
53 #if defined(MBEDTLS_SSL_SRV_C)
54
55 #if defined(MBEDTLS_PLATFORM_C)
56 #include "mbedtls/platform.h"
57 #else
58 #include <stdlib.h>
59 #define mbedtls_calloc calloc
60 #define mbedtls_free free
61 #endif
62
63 #include "mbedtls/debug.h"
64 #include "mbedtls/ssl.h"
65 #include "mbedtls/ssl_internal.h"
66 #include "mbedtls/platform_util.h"
67
68 #include <string.h>
69
70 #if defined(MBEDTLS_ECP_C)
71 #include "mbedtls/ecp.h"
72 #endif
73
74 #if defined(MBEDTLS_HAVE_TIME)
75 #include "mbedtls/platform_time.h"
76 #endif
77
78 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context * ssl,const unsigned char * info,size_t ilen)79 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
80 const unsigned char *info,
81 size_t ilen )
82 {
83 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
84 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
85
86 mbedtls_free( ssl->cli_id );
87
88 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
89 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
90
91 memcpy( ssl->cli_id, info, ilen );
92 ssl->cli_id_len = ilen;
93
94 return( 0 );
95 }
96
mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config * conf,mbedtls_ssl_cookie_write_t * f_cookie_write,mbedtls_ssl_cookie_check_t * f_cookie_check,void * p_cookie)97 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
98 mbedtls_ssl_cookie_write_t *f_cookie_write,
99 mbedtls_ssl_cookie_check_t *f_cookie_check,
100 void *p_cookie )
101 {
102 conf->f_cookie_write = f_cookie_write;
103 conf->f_cookie_check = f_cookie_check;
104 conf->p_cookie = p_cookie;
105 }
106 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
107
108 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
ssl_parse_servername_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)109 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
110 const unsigned char *buf,
111 size_t len )
112 {
113 int ret;
114 size_t servername_list_size, hostname_len;
115 const unsigned char *p;
116
117 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
118
119 if( len < 2 )
120 {
121 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
122 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
123 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
124 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
125 }
126 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
127 if( servername_list_size + 2 != len )
128 {
129 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
130 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
131 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
132 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
133 }
134
135 p = buf + 2;
136 while( servername_list_size > 2 )
137 {
138 hostname_len = ( ( p[1] << 8 ) | p[2] );
139 if( hostname_len + 3 > servername_list_size )
140 {
141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
142 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
143 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
144 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
145 }
146
147 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
148 {
149 ret = ssl->conf->f_sni( ssl->conf->p_sni,
150 ssl, p + 3, hostname_len );
151 if( ret != 0 )
152 {
153 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
154 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
155 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
156 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
157 }
158 return( 0 );
159 }
160
161 servername_list_size -= hostname_len + 3;
162 p += hostname_len + 3;
163 }
164
165 if( servername_list_size != 0 )
166 {
167 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
168 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
169 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
170 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
171 }
172
173 return( 0 );
174 }
175 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
176
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)177 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
178 const unsigned char *buf,
179 size_t len )
180 {
181 #if defined(MBEDTLS_SSL_RENEGOTIATION)
182 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
183 {
184 /* Check verify-data in constant-time. The length OTOH is no secret */
185 if( len != 1 + ssl->verify_data_len ||
186 buf[0] != ssl->verify_data_len ||
187 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
188 ssl->verify_data_len ) != 0 )
189 {
190 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
191 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
192 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
193 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
194 }
195 }
196 else
197 #endif /* MBEDTLS_SSL_RENEGOTIATION */
198 {
199 if( len != 1 || buf[0] != 0x0 )
200 {
201 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
202 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
203 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
204 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
205 }
206
207 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
208 }
209
210 return( 0 );
211 }
212
213 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
214 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
215
216 /*
217 * Status of the implementation of signature-algorithms extension:
218 *
219 * Currently, we are only considering the signature-algorithm extension
220 * to pick a ciphersuite which allows us to send the ServerKeyExchange
221 * message with a signature-hash combination that the user allows.
222 *
223 * We do *not* check whether all certificates in our certificate
224 * chain are signed with an allowed signature-hash pair.
225 * This needs to be done at a later stage.
226 *
227 */
ssl_parse_signature_algorithms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)228 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
229 const unsigned char *buf,
230 size_t len )
231 {
232 size_t sig_alg_list_size;
233
234 const unsigned char *p;
235 const unsigned char *end = buf + len;
236
237 mbedtls_md_type_t md_cur;
238 mbedtls_pk_type_t sig_cur;
239
240 if ( len < 2 ) {
241 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
242 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
243 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
244 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
245 }
246 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
247 if( sig_alg_list_size + 2 != len ||
248 sig_alg_list_size % 2 != 0 )
249 {
250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
251 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
252 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
253 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
254 }
255
256 /* Currently we only guarantee signing the ServerKeyExchange message according
257 * to the constraints specified in this extension (see above), so it suffices
258 * to remember only one suitable hash for each possible signature algorithm.
259 *
260 * This will change when we also consider certificate signatures,
261 * in which case we will need to remember the whole signature-hash
262 * pair list from the extension.
263 */
264
265 for( p = buf + 2; p < end; p += 2 )
266 {
267 /* Silently ignore unknown signature or hash algorithms. */
268
269 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
270 {
271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
272 " unknown sig alg encoding %d", p[1] ) );
273 continue;
274 }
275
276 /* Check if we support the hash the user proposes */
277 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
278 if( md_cur == MBEDTLS_MD_NONE )
279 {
280 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
281 " unknown hash alg encoding %d", p[0] ) );
282 continue;
283 }
284
285 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
286 {
287 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
288 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
289 " match sig %d and hash %d",
290 sig_cur, md_cur ) );
291 }
292 else
293 {
294 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
295 "hash alg %d not supported", md_cur ) );
296 }
297 }
298
299 return( 0 );
300 }
301 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
302 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
303
304 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
305 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_supported_elliptic_curves(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)306 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
307 const unsigned char *buf,
308 size_t len )
309 {
310 size_t list_size, our_size;
311 const unsigned char *p;
312 const mbedtls_ecp_curve_info *curve_info, **curves;
313
314 if ( len < 2 ) {
315 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
316 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
317 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
318 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
319 }
320 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
321 if( list_size + 2 != len ||
322 list_size % 2 != 0 )
323 {
324 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
325 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
326 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
327 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
328 }
329
330 /* Should never happen unless client duplicates the extension */
331 if( ssl->handshake->curves != NULL )
332 {
333 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
334 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
335 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
336 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
337 }
338
339 /* Don't allow our peer to make us allocate too much memory,
340 * and leave room for a final 0 */
341 our_size = list_size / 2 + 1;
342 if( our_size > MBEDTLS_ECP_DP_MAX )
343 our_size = MBEDTLS_ECP_DP_MAX;
344
345 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
346 {
347 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
348 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
349 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
350 }
351
352 ssl->handshake->curves = curves;
353
354 p = buf + 2;
355 while( list_size > 0 && our_size > 1 )
356 {
357 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
358
359 if( curve_info != NULL )
360 {
361 *curves++ = curve_info;
362 our_size--;
363 }
364
365 list_size -= 2;
366 p += 2;
367 }
368
369 return( 0 );
370 }
371
ssl_parse_supported_point_formats(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)372 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
373 const unsigned char *buf,
374 size_t len )
375 {
376 size_t list_size;
377 const unsigned char *p;
378
379 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
380 {
381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
382 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
383 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
384 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
385 }
386 list_size = buf[0];
387
388 p = buf + 1;
389 while( list_size > 0 )
390 {
391 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
392 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
393 {
394 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
395 ssl->handshake->ecdh_ctx.point_format = p[0];
396 #endif
397 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
398 ssl->handshake->ecjpake_ctx.point_format = p[0];
399 #endif
400 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
401 return( 0 );
402 }
403
404 list_size--;
405 p++;
406 }
407
408 return( 0 );
409 }
410 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
411 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
412
413 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)414 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
415 const unsigned char *buf,
416 size_t len )
417 {
418 int ret;
419
420 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
421 {
422 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
423 return( 0 );
424 }
425
426 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
427 buf, len ) ) != 0 )
428 {
429 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
430 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
431 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
432 return( ret );
433 }
434
435 /* Only mark the extension as OK when we're sure it is */
436 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
437
438 return( 0 );
439 }
440 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
441
442 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)443 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
444 const unsigned char *buf,
445 size_t len )
446 {
447 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
448 {
449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
450 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
451 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
452 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
453 }
454
455 ssl->session_negotiate->mfl_code = buf[0];
456
457 return( 0 );
458 }
459 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
460
461 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl_parse_truncated_hmac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)462 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
463 const unsigned char *buf,
464 size_t len )
465 {
466 if( len != 0 )
467 {
468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
469 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
470 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
471 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
472 }
473
474 ((void) buf);
475
476 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
477 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
478
479 return( 0 );
480 }
481 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
482
483 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)484 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
485 const unsigned char *buf,
486 size_t len )
487 {
488 if( len != 0 )
489 {
490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
491 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
492 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
493 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
494 }
495
496 ((void) buf);
497
498 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
499 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
500 {
501 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
502 }
503
504 return( 0 );
505 }
506 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
507
508 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)509 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
510 const unsigned char *buf,
511 size_t len )
512 {
513 if( len != 0 )
514 {
515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
516 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
517 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
518 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
519 }
520
521 ((void) buf);
522
523 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
524 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
525 {
526 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
527 }
528
529 return( 0 );
530 }
531 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
532
533 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t len)534 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
535 unsigned char *buf,
536 size_t len )
537 {
538 int ret;
539 mbedtls_ssl_session session;
540
541 mbedtls_ssl_session_init( &session );
542
543 if( ssl->conf->f_ticket_parse == NULL ||
544 ssl->conf->f_ticket_write == NULL )
545 {
546 return( 0 );
547 }
548
549 /* Remember the client asked us to send a new ticket */
550 ssl->handshake->new_session_ticket = 1;
551
552 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
553
554 if( len == 0 )
555 return( 0 );
556
557 #if defined(MBEDTLS_SSL_RENEGOTIATION)
558 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
559 {
560 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
561 return( 0 );
562 }
563 #endif /* MBEDTLS_SSL_RENEGOTIATION */
564
565 /*
566 * Failures are ok: just ignore the ticket and proceed.
567 */
568 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
569 buf, len ) ) != 0 )
570 {
571 mbedtls_ssl_session_free( &session );
572
573 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
574 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
575 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
576 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
577 else
578 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
579
580 return( 0 );
581 }
582
583 /*
584 * Keep the session ID sent by the client, since we MUST send it back to
585 * inform them we're accepting the ticket (RFC 5077 section 3.4)
586 */
587 session.id_len = ssl->session_negotiate->id_len;
588 memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
589
590 mbedtls_ssl_session_free( ssl->session_negotiate );
591 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
592
593 /* Zeroize instead of free as we copied the content */
594 mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
595
596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
597
598 ssl->handshake->resume = 1;
599
600 /* Don't send a new ticket after all, this one is OK */
601 ssl->handshake->new_session_ticket = 0;
602
603 return( 0 );
604 }
605 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
606
607 #if defined(MBEDTLS_SSL_ALPN)
ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)608 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
609 const unsigned char *buf, size_t len )
610 {
611 size_t list_len, cur_len, ours_len;
612 const unsigned char *theirs, *start, *end;
613 const char **ours;
614
615 /* If ALPN not configured, just ignore the extension */
616 if( ssl->conf->alpn_list == NULL )
617 return( 0 );
618
619 /*
620 * opaque ProtocolName<1..2^8-1>;
621 *
622 * struct {
623 * ProtocolName protocol_name_list<2..2^16-1>
624 * } ProtocolNameList;
625 */
626
627 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
628 if( len < 4 )
629 {
630 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
631 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
632 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
633 }
634
635 list_len = ( buf[0] << 8 ) | buf[1];
636 if( list_len != len - 2 )
637 {
638 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
639 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
640 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
641 }
642
643 /*
644 * Validate peer's list (lengths)
645 */
646 start = buf + 2;
647 end = buf + len;
648 for( theirs = start; theirs != end; theirs += cur_len )
649 {
650 cur_len = *theirs++;
651
652 /* Current identifier must fit in list */
653 if( cur_len > (size_t)( end - theirs ) )
654 {
655 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
656 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
657 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
658 }
659
660 /* Empty strings MUST NOT be included */
661 if( cur_len == 0 )
662 {
663 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
664 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
665 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
666 }
667 }
668
669 /*
670 * Use our order of preference
671 */
672 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
673 {
674 ours_len = strlen( *ours );
675 for( theirs = start; theirs != end; theirs += cur_len )
676 {
677 cur_len = *theirs++;
678
679 if( cur_len == ours_len &&
680 memcmp( theirs, *ours, cur_len ) == 0 )
681 {
682 ssl->alpn_chosen = *ours;
683 return( 0 );
684 }
685 }
686 }
687
688 /* If we get there, no match was found */
689 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
690 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
691 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
692 }
693 #endif /* MBEDTLS_SSL_ALPN */
694
695 #if defined(MBEDTLS_SSL_DTLS_SRTP)
ssl_parse_use_srtp_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)696 static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
697 const unsigned char *buf, size_t len )
698 {
699 enum mbedtls_DTLS_SRTP_protection_profiles client_protection = MBEDTLS_SRTP_UNSET_PROFILE;
700 size_t i,j;
701 uint16_t profile_length;
702
703 /* If use_srtp is not configured, just ignore the extension */
704 if( ( ssl->conf->dtls_srtp_profiles_list == NULL ) || ( ssl->conf->dtls_srtp_profiles_list_len == 0 ) )
705 return( 0 );
706
707 /* RFC5764 section 4.1.1
708 * uint8 SRTPProtectionProfile[2];
709 *
710 * struct {
711 * SRTPProtectionProfiles SRTPProtectionProfiles;
712 * opaque srtp_mki<0..255>;
713 * } UseSRTPData;
714
715 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
716 *
717 * Note: srtp_mki is not supported
718 */
719
720 /* Min length is 5 : at least one protection profile(2 bytes) and length(2 bytes) + srtp_mki length(1 byte) */
721 if( len < 5 )
722 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
723
724 /*
725 * Use our order of preference
726 */
727 profile_length = buf[0]<<8|buf[1]; /* first 2 bytes are protection profile length(in bytes) */
728 for( i=0; i < ssl->conf->dtls_srtp_profiles_list_len; i++)
729 {
730 /* parse the extension list values are defined in http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */
731 for (j=0; j<profile_length; j+=2) { /* parse only the protection profile, srtp_mki is not supported and ignored */
732 uint16_t protection_profile_value = buf[j+2]<<8 | buf[j+3]; /* +2 to skip the length field */
733
734 switch ( protection_profile_value ) {
735 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE:
736 client_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80;
737 break;
738 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE:
739 client_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32;
740 break;
741 case MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE:
742 client_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_80;
743 break;
744 case MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE:
745 client_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_32;
746 break;
747 default:
748 client_protection = MBEDTLS_SRTP_UNSET_PROFILE;
749 break;
750 }
751
752 if (client_protection == ssl->conf->dtls_srtp_profiles_list[i]) {
753 ssl->chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profiles_list[i];
754 return 0;
755 }
756 }
757 }
758
759 /* If we get there, no match was found */
760 ssl->chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
761 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
762 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
763 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
764 }
765 #endif /* MBEDTLS_SSL_DTLS_SRTP */
766
767 /*
768 * Auxiliary functions for ServerHello parsing and related actions
769 */
770
771 #if defined(MBEDTLS_X509_CRT_PARSE_C)
772 /*
773 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
774 */
775 #if defined(MBEDTLS_ECDSA_C)
ssl_check_key_curve(mbedtls_pk_context * pk,const mbedtls_ecp_curve_info ** curves)776 static int ssl_check_key_curve( mbedtls_pk_context *pk,
777 const mbedtls_ecp_curve_info **curves )
778 {
779 const mbedtls_ecp_curve_info **crv = curves;
780 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
781
782 while( *crv != NULL )
783 {
784 if( (*crv)->grp_id == grp_id )
785 return( 0 );
786 crv++;
787 }
788
789 return( -1 );
790 }
791 #endif /* MBEDTLS_ECDSA_C */
792
793 /*
794 * Try picking a certificate for this ciphersuite,
795 * return 0 on success and -1 on failure.
796 */
ssl_pick_cert(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)797 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
798 const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
799 {
800 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
801 mbedtls_pk_type_t pk_alg =
802 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
803 uint32_t flags;
804
805 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
806 if( ssl->handshake->sni_key_cert != NULL )
807 list = ssl->handshake->sni_key_cert;
808 else
809 #endif
810 list = ssl->conf->key_cert;
811
812 if( pk_alg == MBEDTLS_PK_NONE )
813 return( 0 );
814
815 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
816
817 if( list == NULL )
818 {
819 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
820 return( -1 );
821 }
822
823 for( cur = list; cur != NULL; cur = cur->next )
824 {
825 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
826 cur->cert );
827
828 if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
829 {
830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
831 continue;
832 }
833
834 /*
835 * This avoids sending the client a cert it'll reject based on
836 * keyUsage or other extensions.
837 *
838 * It also allows the user to provision different certificates for
839 * different uses based on keyUsage, eg if they want to avoid signing
840 * and decrypting with the same RSA key.
841 */
842 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
843 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
844 {
845 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
846 "(extended) key usage extension" ) );
847 continue;
848 }
849
850 #if defined(MBEDTLS_ECDSA_C)
851 if( pk_alg == MBEDTLS_PK_ECDSA &&
852 ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
853 {
854 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
855 continue;
856 }
857 #endif
858
859 /*
860 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
861 * present them a SHA-higher cert rather than failing if it's the only
862 * one we got that satisfies the other conditions.
863 */
864 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
865 cur->cert->sig_md != MBEDTLS_MD_SHA1 )
866 {
867 if( fallback == NULL )
868 fallback = cur;
869 {
870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
871 "sha-2 with pre-TLS 1.2 client" ) );
872 continue;
873 }
874 }
875
876 /* If we get there, we got a winner */
877 break;
878 }
879
880 if( cur == NULL )
881 cur = fallback;
882
883 /* Do not update ssl->handshake->key_cert unless there is a match */
884 if( cur != NULL )
885 {
886 ssl->handshake->key_cert = cur;
887 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
888 ssl->handshake->key_cert->cert );
889 return( 0 );
890 }
891
892 return( -1 );
893 }
894 #endif /* MBEDTLS_X509_CRT_PARSE_C */
895
896 /*
897 * Check if a given ciphersuite is suitable for use with our config/keys/etc
898 * Sets ciphersuite_info only if the suite matches.
899 */
ssl_ciphersuite_match(mbedtls_ssl_context * ssl,int suite_id,const mbedtls_ssl_ciphersuite_t ** ciphersuite_info)900 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
901 const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
902 {
903 const mbedtls_ssl_ciphersuite_t *suite_info;
904
905 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
906 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
907 mbedtls_pk_type_t sig_type;
908 #endif
909
910 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
911 if( suite_info == NULL )
912 {
913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
914 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
915 }
916
917 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
918
919 if( suite_info->min_minor_ver > ssl->minor_ver ||
920 suite_info->max_minor_ver < ssl->minor_ver )
921 {
922 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
923 return( 0 );
924 }
925
926 #if defined(MBEDTLS_SSL_PROTO_DTLS)
927 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
928 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
929 return( 0 );
930 #endif
931
932 #if defined(MBEDTLS_ARC4_C)
933 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
934 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
935 {
936 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
937 return( 0 );
938 }
939 #endif
940
941 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
942 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
943 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
944 {
945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
946 "not configured or ext missing" ) );
947 return( 0 );
948 }
949 #endif
950
951
952 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
953 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
954 ( ssl->handshake->curves == NULL ||
955 ssl->handshake->curves[0] == NULL ) )
956 {
957 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
958 "no common elliptic curve" ) );
959 return( 0 );
960 }
961 #endif
962
963 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
964 /* If the ciphersuite requires a pre-shared key and we don't
965 * have one, skip it now rather than failing later */
966 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
967 ssl->conf->f_psk == NULL &&
968 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
969 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
970 {
971 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
972 return( 0 );
973 }
974 #endif
975
976 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
977 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
978 /* If the ciphersuite requires signing, check whether
979 * a suitable hash algorithm is present. */
980 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
981 {
982 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
983 if( sig_type != MBEDTLS_PK_NONE &&
984 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
985 {
986 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
987 "for signature algorithm %d", sig_type ) );
988 return( 0 );
989 }
990 }
991
992 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
993 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
994
995 #if defined(MBEDTLS_X509_CRT_PARSE_C)
996 /*
997 * Final check: if ciphersuite requires us to have a
998 * certificate/key of a particular type:
999 * - select the appropriate certificate if we have one, or
1000 * - try the next ciphersuite if we don't
1001 * This must be done last since we modify the key_cert list.
1002 */
1003 if( ssl_pick_cert( ssl, suite_info ) != 0 )
1004 {
1005 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
1006 "no suitable certificate" ) );
1007 return( 0 );
1008 }
1009 #endif
1010
1011 *ciphersuite_info = suite_info;
1012 return( 0 );
1013 }
1014
1015 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
ssl_parse_client_hello_v2(mbedtls_ssl_context * ssl)1016 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
1017 {
1018 int ret, got_common_suite;
1019 unsigned int i, j;
1020 size_t n;
1021 unsigned int ciph_len, sess_len, chal_len;
1022 unsigned char *buf, *p;
1023 const int *ciphersuites;
1024 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1025
1026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
1027
1028 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1029 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1030 {
1031 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
1032 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1033 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1034 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1035 }
1036 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1037
1038 buf = ssl->in_hdr;
1039
1040 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1041
1042 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
1043 buf[2] ) );
1044 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
1045 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
1046 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
1047 buf[3], buf[4] ) );
1048
1049 /*
1050 * SSLv2 Client Hello
1051 *
1052 * Record layer:
1053 * 0 . 1 message length
1054 *
1055 * SSL layer:
1056 * 2 . 2 message type
1057 * 3 . 4 protocol version
1058 */
1059 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
1060 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
1061 {
1062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1063 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1064 }
1065
1066 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
1067
1068 if( n < 17 || n > 512 )
1069 {
1070 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1071 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1072 }
1073
1074 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
1075 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
1076 ? buf[4] : ssl->conf->max_minor_ver;
1077
1078 if( ssl->minor_ver < ssl->conf->min_minor_ver )
1079 {
1080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1081 " [%d:%d] < [%d:%d]",
1082 ssl->major_ver, ssl->minor_ver,
1083 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
1084
1085 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1086 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1087 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1088 }
1089
1090 ssl->handshake->max_major_ver = buf[3];
1091 ssl->handshake->max_minor_ver = buf[4];
1092
1093 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
1094 {
1095 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1096 return( ret );
1097 }
1098
1099 ssl->handshake->update_checksum( ssl, buf + 2, n );
1100
1101 buf = ssl->in_msg;
1102 n = ssl->in_left - 5;
1103
1104 /*
1105 * 0 . 1 ciphersuitelist length
1106 * 2 . 3 session id length
1107 * 4 . 5 challenge length
1108 * 6 . .. ciphersuitelist
1109 * .. . .. session id
1110 * .. . .. challenge
1111 */
1112 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
1113
1114 ciph_len = ( buf[0] << 8 ) | buf[1];
1115 sess_len = ( buf[2] << 8 ) | buf[3];
1116 chal_len = ( buf[4] << 8 ) | buf[5];
1117
1118 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
1119 ciph_len, sess_len, chal_len ) );
1120
1121 /*
1122 * Make sure each parameter length is valid
1123 */
1124 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
1125 {
1126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1127 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1128 }
1129
1130 if( sess_len > 32 )
1131 {
1132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1133 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1134 }
1135
1136 if( chal_len < 8 || chal_len > 32 )
1137 {
1138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1139 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1140 }
1141
1142 if( n != 6 + ciph_len + sess_len + chal_len )
1143 {
1144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1145 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1146 }
1147
1148 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1149 buf + 6, ciph_len );
1150 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
1151 buf + 6 + ciph_len, sess_len );
1152 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
1153 buf + 6 + ciph_len + sess_len, chal_len );
1154
1155 p = buf + 6 + ciph_len;
1156 ssl->session_negotiate->id_len = sess_len;
1157 memset( ssl->session_negotiate->id, 0,
1158 sizeof( ssl->session_negotiate->id ) );
1159 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
1160
1161 p += sess_len;
1162 memset( ssl->handshake->randbytes, 0, 64 );
1163 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1164
1165 /*
1166 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1167 */
1168 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1169 {
1170 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
1171 {
1172 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1173 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1174 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1175 {
1176 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1177 "during renegotiation" ) );
1178
1179 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1180 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1181 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1182 }
1183 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1184 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1185 break;
1186 }
1187 }
1188
1189 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1190 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1191 {
1192 if( p[0] == 0 &&
1193 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
1194 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
1195 {
1196 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
1197
1198 if( ssl->minor_ver < ssl->conf->max_minor_ver )
1199 {
1200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1201
1202 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1203 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1204
1205 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1206 }
1207
1208 break;
1209 }
1210 }
1211 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1212
1213 got_common_suite = 0;
1214 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1215 ciphersuite_info = NULL;
1216 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1217 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1218 for( i = 0; ciphersuites[i] != 0; i++ )
1219 #else
1220 for( i = 0; ciphersuites[i] != 0; i++ )
1221 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1222 #endif
1223 {
1224 if( p[0] != 0 ||
1225 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1226 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1227 continue;
1228
1229 got_common_suite = 1;
1230
1231 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1232 &ciphersuite_info ) ) != 0 )
1233 return( ret );
1234
1235 if( ciphersuite_info != NULL )
1236 goto have_ciphersuite_v2;
1237 }
1238
1239 if( got_common_suite )
1240 {
1241 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1242 "but none of them usable" ) );
1243 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
1244 }
1245 else
1246 {
1247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1248 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
1249 }
1250
1251 have_ciphersuite_v2:
1252 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1253
1254 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1255 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1256
1257 /*
1258 * SSLv2 Client Hello relevant renegotiation security checks
1259 */
1260 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1261 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1262 {
1263 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1264 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1265 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1266 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1267 }
1268
1269 ssl->in_left = 0;
1270 ssl->state++;
1271
1272 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1273
1274 return( 0 );
1275 }
1276 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1277
1278 /* This function doesn't alert on errors that happen early during
1279 ClientHello parsing because they might indicate that the client is
1280 not talking SSL/TLS at all and would not understand our alert. */
ssl_parse_client_hello(mbedtls_ssl_context * ssl)1281 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
1282 {
1283 int ret, got_common_suite;
1284 size_t i, j;
1285 size_t ciph_offset, comp_offset, ext_offset;
1286 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
1287 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1288 size_t cookie_offset, cookie_len;
1289 #endif
1290 unsigned char *buf, *p, *ext;
1291 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1292 int renegotiation_info_seen = 0;
1293 #endif
1294 int handshake_failure = 0;
1295 const int *ciphersuites;
1296 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1297 int major, minor;
1298
1299 /* If there is no signature-algorithm extension present,
1300 * we need to fall back to the default values for allowed
1301 * signature-hash pairs. */
1302 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1303 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1304 int sig_hash_alg_ext_present = 0;
1305 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1306 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1307
1308 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1309
1310 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1311 read_record_header:
1312 #endif
1313 /*
1314 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1315 * otherwise read it ourselves manually in order to support SSLv2
1316 * ClientHello, which doesn't use the same record layer format.
1317 */
1318 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1319 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1320 #endif
1321 {
1322 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
1323 {
1324 /* No alert on a read error. */
1325 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1326 return( ret );
1327 }
1328 }
1329
1330 buf = ssl->in_hdr;
1331
1332 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1333 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1334 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
1335 #endif
1336 if( ( buf[0] & 0x80 ) != 0 )
1337 return( ssl_parse_client_hello_v2( ssl ) );
1338 #endif
1339
1340 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
1341
1342 /*
1343 * SSLv3/TLS Client Hello
1344 *
1345 * Record layer:
1346 * 0 . 0 message type
1347 * 1 . 2 protocol version
1348 * 3 . 11 DTLS: epoch + record sequence number
1349 * 3 . 4 message length
1350 */
1351 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1352 buf[0] ) );
1353
1354 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
1355 {
1356 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1357 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1358 }
1359
1360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1361 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
1362
1363 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
1364 buf[1], buf[2] ) );
1365
1366 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
1367
1368 /* According to RFC 5246 Appendix E.1, the version here is typically
1369 * "{03,00}, the lowest version number supported by the client, [or] the
1370 * value of ClientHello.client_version", so the only meaningful check here
1371 * is the major version shouldn't be less than 3 */
1372 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
1373 {
1374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1375 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1376 }
1377
1378 /* For DTLS if this is the initial handshake, remember the client sequence
1379 * number to use it in our next message (RFC 6347 4.2.1) */
1380 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1381 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
1382 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1383 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1384 #endif
1385 )
1386 {
1387 /* Epoch should be 0 for initial handshakes */
1388 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
1389 {
1390 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1391 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1392 }
1393
1394 memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
1395
1396 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1397 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
1398 {
1399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1400 ssl->next_record_offset = 0;
1401 ssl->in_left = 0;
1402 goto read_record_header;
1403 }
1404
1405 /* No MAC to check yet, so we can update right now */
1406 mbedtls_ssl_dtls_replay_update( ssl );
1407 #endif
1408 }
1409 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1410
1411 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
1412
1413 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1414 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1415 {
1416 /* Set by mbedtls_ssl_read_record() */
1417 msg_len = ssl->in_hslen;
1418 }
1419 else
1420 #endif
1421 {
1422 if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
1423 {
1424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1425 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1426 }
1427
1428 if( ( ret = mbedtls_ssl_fetch_input( ssl,
1429 mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
1430 {
1431 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1432 return( ret );
1433 }
1434
1435 /* Done reading this record, get ready for the next one */
1436 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1437 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1438 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
1439 else
1440 #endif
1441 ssl->in_left = 0;
1442 }
1443
1444 buf = ssl->in_msg;
1445
1446 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
1447
1448 ssl->handshake->update_checksum( ssl, buf, msg_len );
1449
1450 /*
1451 * Handshake layer:
1452 * 0 . 0 handshake type
1453 * 1 . 3 handshake length
1454 * 4 . 5 DTLS only: message seqence number
1455 * 6 . 8 DTLS only: fragment offset
1456 * 9 . 11 DTLS only: fragment length
1457 */
1458 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
1459 {
1460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1461 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1462 }
1463
1464 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
1465
1466 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
1467 {
1468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1469 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1470 }
1471
1472 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1473 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1474
1475 /* We don't support fragmentation of ClientHello (yet?) */
1476 if( buf[1] != 0 ||
1477 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
1478 {
1479 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1480 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1481 }
1482
1483 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1484 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1485 {
1486 /*
1487 * Copy the client's handshake message_seq on initial handshakes,
1488 * check sequence number on renego.
1489 */
1490 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1491 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1492 {
1493 /* This couldn't be done in ssl_prepare_handshake_record() */
1494 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1495 ssl->in_msg[5];
1496
1497 if( cli_msg_seq != ssl->handshake->in_msg_seq )
1498 {
1499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1500 "%d (expected %d)", cli_msg_seq,
1501 ssl->handshake->in_msg_seq ) );
1502 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1503 }
1504
1505 ssl->handshake->in_msg_seq++;
1506 }
1507 else
1508 #endif
1509 {
1510 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1511 ssl->in_msg[5];
1512 ssl->handshake->out_msg_seq = cli_msg_seq;
1513 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1514 }
1515
1516 /*
1517 * For now we don't support fragmentation, so make sure
1518 * fragment_offset == 0 and fragment_length == length
1519 */
1520 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
1521 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
1522 {
1523 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1524 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1525 }
1526 }
1527 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1528
1529 buf += mbedtls_ssl_hs_hdr_len( ssl );
1530 msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
1531
1532 /*
1533 * ClientHello layer:
1534 * 0 . 1 protocol version
1535 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1536 * 34 . 35 session id length (1 byte)
1537 * 35 . 34+x session id
1538 * 35+x . 35+x DTLS only: cookie length (1 byte)
1539 * 36+x . .. DTLS only: cookie
1540 * .. . .. ciphersuite list length (2 bytes)
1541 * .. . .. ciphersuite list
1542 * .. . .. compression alg. list length (1 byte)
1543 * .. . .. compression alg. list
1544 * .. . .. extensions length (2 bytes, optional)
1545 * .. . .. extensions (optional)
1546 */
1547
1548 /*
1549 * Minimal length (with everything empty and extensions omitted) is
1550 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1551 * read at least up to session id length without worrying.
1552 */
1553 if( msg_len < 38 )
1554 {
1555 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1556 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1557 }
1558
1559 /*
1560 * Check and save the protocol version
1561 */
1562 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
1563
1564 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1565 ssl->conf->transport, buf );
1566
1567 ssl->handshake->max_major_ver = ssl->major_ver;
1568 ssl->handshake->max_minor_ver = ssl->minor_ver;
1569
1570 if( ssl->major_ver < ssl->conf->min_major_ver ||
1571 ssl->minor_ver < ssl->conf->min_minor_ver )
1572 {
1573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1574 " [%d:%d] < [%d:%d]",
1575 ssl->major_ver, ssl->minor_ver,
1576 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
1577 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1578 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1579 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1580 }
1581
1582 if( ssl->major_ver > ssl->conf->max_major_ver )
1583 {
1584 ssl->major_ver = ssl->conf->max_major_ver;
1585 ssl->minor_ver = ssl->conf->max_minor_ver;
1586 }
1587 else if( ssl->minor_ver > ssl->conf->max_minor_ver )
1588 ssl->minor_ver = ssl->conf->max_minor_ver;
1589
1590 /*
1591 * Save client random (inc. Unix time)
1592 */
1593 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
1594
1595 memcpy( ssl->handshake->randbytes, buf + 2, 32 );
1596
1597 /*
1598 * Check the session ID length and save session ID
1599 */
1600 sess_len = buf[34];
1601
1602 if( sess_len > sizeof( ssl->session_negotiate->id ) ||
1603 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
1604 {
1605 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1606 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1607 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1608 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1609 }
1610
1611 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
1612
1613 ssl->session_negotiate->id_len = sess_len;
1614 memset( ssl->session_negotiate->id, 0,
1615 sizeof( ssl->session_negotiate->id ) );
1616 memcpy( ssl->session_negotiate->id, buf + 35,
1617 ssl->session_negotiate->id_len );
1618
1619 /*
1620 * Check the cookie length and content
1621 */
1622 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1623 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1624 {
1625 cookie_offset = 35 + sess_len;
1626 cookie_len = buf[cookie_offset];
1627
1628 if( cookie_offset + 1 + cookie_len + 2 > msg_len )
1629 {
1630 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1631 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1632 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1633 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1634 }
1635
1636 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1637 buf + cookie_offset + 1, cookie_len );
1638
1639 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1640 if( ssl->conf->f_cookie_check != NULL
1641 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1642 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1643 #endif
1644 )
1645 {
1646 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
1647 buf + cookie_offset + 1, cookie_len,
1648 ssl->cli_id, ssl->cli_id_len ) != 0 )
1649 {
1650 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1651 ssl->handshake->verify_cookie_len = 1;
1652 }
1653 else
1654 {
1655 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1656 ssl->handshake->verify_cookie_len = 0;
1657 }
1658 }
1659 else
1660 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1661 {
1662 /* We know we didn't send a cookie, so it should be empty */
1663 if( cookie_len != 0 )
1664 {
1665 /* This may be an attacker's probe, so don't send an alert */
1666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1667 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1668 }
1669
1670 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1671 }
1672
1673 /*
1674 * Check the ciphersuitelist length (will be parsed later)
1675 */
1676 ciph_offset = cookie_offset + 1 + cookie_len;
1677 }
1678 else
1679 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1680 ciph_offset = 35 + sess_len;
1681
1682 ciph_len = ( buf[ciph_offset + 0] << 8 )
1683 | ( buf[ciph_offset + 1] );
1684
1685 if( ciph_len < 2 ||
1686 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1687 ( ciph_len % 2 ) != 0 )
1688 {
1689 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1690 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1691 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1692 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1693 }
1694
1695 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1696 buf + ciph_offset + 2, ciph_len );
1697
1698 /*
1699 * Check the compression algorithms length and pick one
1700 */
1701 comp_offset = ciph_offset + 2 + ciph_len;
1702
1703 comp_len = buf[comp_offset];
1704
1705 if( comp_len < 1 ||
1706 comp_len > 16 ||
1707 comp_len + comp_offset + 1 > msg_len )
1708 {
1709 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1710 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1711 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1712 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1713 }
1714
1715 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1716 buf + comp_offset + 1, comp_len );
1717
1718 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1719 #if defined(MBEDTLS_ZLIB_SUPPORT)
1720 for( i = 0; i < comp_len; ++i )
1721 {
1722 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
1723 {
1724 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
1725 break;
1726 }
1727 }
1728 #endif
1729
1730 /* See comments in ssl_write_client_hello() */
1731 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1732 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1733 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1734 #endif
1735
1736 /* Do not parse the extensions if the protocol is SSLv3 */
1737 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1738 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
1739 {
1740 #endif
1741 /*
1742 * Check the extension length
1743 */
1744 ext_offset = comp_offset + 1 + comp_len;
1745 if( msg_len > ext_offset )
1746 {
1747 if( msg_len < ext_offset + 2 )
1748 {
1749 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1750 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1751 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1752 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1753 }
1754
1755 ext_len = ( buf[ext_offset + 0] << 8 )
1756 | ( buf[ext_offset + 1] );
1757
1758 if( ( ext_len > 0 && ext_len < 4 ) ||
1759 msg_len != ext_offset + 2 + ext_len )
1760 {
1761 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1762 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1763 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1764 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1765 }
1766 }
1767 else
1768 ext_len = 0;
1769
1770 ext = buf + ext_offset + 2;
1771 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
1772
1773 while( ext_len != 0 )
1774 {
1775 unsigned int ext_id;
1776 unsigned int ext_size;
1777 if ( ext_len < 4 ) {
1778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1779 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1780 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1781 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1782 }
1783 ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
1784 ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
1785
1786 if( ext_size + 4 > ext_len )
1787 {
1788 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1789 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1790 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1791 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1792 }
1793 switch( ext_id )
1794 {
1795 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1796 case MBEDTLS_TLS_EXT_SERVERNAME:
1797 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1798 if( ssl->conf->f_sni == NULL )
1799 break;
1800
1801 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1802 if( ret != 0 )
1803 return( ret );
1804 break;
1805 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1806
1807 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1808 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1809 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1810 renegotiation_info_seen = 1;
1811 #endif
1812
1813 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1814 if( ret != 0 )
1815 return( ret );
1816 break;
1817
1818 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1819 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1820 case MBEDTLS_TLS_EXT_SIG_ALG:
1821 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1822
1823 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1824 if( ret != 0 )
1825 return( ret );
1826
1827 sig_hash_alg_ext_present = 1;
1828 break;
1829 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1830 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1831
1832 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1833 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1834 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1836
1837 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1838 if( ret != 0 )
1839 return( ret );
1840 break;
1841
1842 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1843 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1844 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1845
1846 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1847 if( ret != 0 )
1848 return( ret );
1849 break;
1850 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1851 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1852
1853 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1854 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1855 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1856
1857 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
1858 if( ret != 0 )
1859 return( ret );
1860 break;
1861 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1862
1863 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1864 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1865 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1866
1867 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1868 if( ret != 0 )
1869 return( ret );
1870 break;
1871 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1872
1873 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1874 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1875 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1876
1877 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1878 if( ret != 0 )
1879 return( ret );
1880 break;
1881 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1882
1883 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1884 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1885 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1886
1887 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
1888 if( ret != 0 )
1889 return( ret );
1890 break;
1891 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1892
1893 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1894 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1895 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1896
1897 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
1898 if( ret != 0 )
1899 return( ret );
1900 break;
1901 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1902
1903 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1904 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1905 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1906
1907 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1908 if( ret != 0 )
1909 return( ret );
1910 break;
1911 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1912
1913 #if defined(MBEDTLS_SSL_ALPN)
1914 case MBEDTLS_TLS_EXT_ALPN:
1915 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1916
1917 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1918 if( ret != 0 )
1919 return( ret );
1920 break;
1921 #endif /* MBEDTLS_SSL_ALPN */
1922
1923 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1924 case MBEDTLS_TLS_EXT_USE_SRTP:
1925 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
1926 ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size );
1927 if ( ret != 0)
1928 return( ret );
1929 break;
1930 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1931
1932 default:
1933 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1934 ext_id ) );
1935 }
1936
1937 ext_len -= 4 + ext_size;
1938 ext += 4 + ext_size;
1939
1940 if( ext_len > 0 && ext_len < 4 )
1941 {
1942 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1943 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1944 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1945 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1946 }
1947 }
1948 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1949 }
1950 #endif
1951
1952 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1953 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
1954 {
1955 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
1956 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
1957 {
1958 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
1959
1960 if( ssl->minor_ver < ssl->conf->max_minor_ver )
1961 {
1962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1963
1964 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1965 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1966
1967 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1968 }
1969
1970 break;
1971 }
1972 }
1973 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1974
1975 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1976 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1977
1978 /*
1979 * Try to fall back to default hash SHA1 if the client
1980 * hasn't provided any preferred signature-hash combinations.
1981 */
1982 if( sig_hash_alg_ext_present == 0 )
1983 {
1984 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
1985
1986 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
1987 md_default = MBEDTLS_MD_NONE;
1988
1989 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
1990 }
1991
1992 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1993 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1994
1995 /*
1996 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1997 */
1998 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
1999 {
2000 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
2001 {
2002 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
2003 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2004 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
2005 {
2006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
2007 "during renegotiation" ) );
2008 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2009 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2010 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
2011 }
2012 #endif
2013 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
2014 break;
2015 }
2016 }
2017
2018 /*
2019 * Renegotiation security checks
2020 */
2021 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2022 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
2023 {
2024 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
2025 handshake_failure = 1;
2026 }
2027 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2028 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2029 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2030 renegotiation_info_seen == 0 )
2031 {
2032 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
2033 handshake_failure = 1;
2034 }
2035 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2036 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2037 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
2038 {
2039 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2040 handshake_failure = 1;
2041 }
2042 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2043 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2044 renegotiation_info_seen == 1 )
2045 {
2046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
2047 handshake_failure = 1;
2048 }
2049 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2050
2051 if( handshake_failure == 1 )
2052 {
2053 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2054 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2055 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
2056 }
2057
2058 /*
2059 * Search for a matching ciphersuite
2060 * (At the end because we need information from the EC-based extensions
2061 * and certificate from the SNI callback triggered by the SNI extension.)
2062 */
2063 got_common_suite = 0;
2064 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
2065 ciphersuite_info = NULL;
2066 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
2067 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
2068 for( i = 0; ciphersuites[i] != 0; i++ )
2069 #else
2070 for( i = 0; ciphersuites[i] != 0; i++ )
2071 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
2072 #endif
2073 {
2074 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
2075 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
2076 continue;
2077
2078 got_common_suite = 1;
2079
2080 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
2081 &ciphersuite_info ) ) != 0 )
2082 return( ret );
2083
2084 if( ciphersuite_info != NULL )
2085 goto have_ciphersuite;
2086 }
2087
2088 if( got_common_suite )
2089 {
2090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
2091 "but none of them usable" ) );
2092 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2093 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2094 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
2095 }
2096 else
2097 {
2098 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
2099 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2100 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2101 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
2102 }
2103
2104 have_ciphersuite:
2105 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
2106
2107 ssl->session_negotiate->ciphersuite = ciphersuites[i];
2108 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
2109
2110 ssl->state++;
2111
2112 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2113 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2114 mbedtls_ssl_recv_flight_completed( ssl );
2115 #endif
2116
2117 /* Debugging-only output for testsuite */
2118 #if defined(MBEDTLS_DEBUG_C) && \
2119 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2120 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
2121 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2122 {
2123 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
2124 if( sig_alg != MBEDTLS_PK_NONE )
2125 {
2126 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
2127 sig_alg );
2128 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
2129 mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
2130 }
2131 else
2132 {
2133 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
2134 "%d - should not happen", sig_alg ) );
2135 }
2136 }
2137 #endif
2138
2139 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
2140
2141 return( 0 );
2142 }
2143
2144 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
ssl_write_truncated_hmac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2145 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
2146 unsigned char *buf,
2147 size_t *olen )
2148 {
2149 unsigned char *p = buf;
2150
2151 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
2152 {
2153 *olen = 0;
2154 return;
2155 }
2156
2157 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
2158
2159 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
2160 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
2161
2162 *p++ = 0x00;
2163 *p++ = 0x00;
2164
2165 *olen = 4;
2166 }
2167 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2168
2169 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2170 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
2171 unsigned char *buf,
2172 size_t *olen )
2173 {
2174 unsigned char *p = buf;
2175 const mbedtls_ssl_ciphersuite_t *suite = NULL;
2176 const mbedtls_cipher_info_t *cipher = NULL;
2177
2178 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
2179 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2180 {
2181 *olen = 0;
2182 return;
2183 }
2184
2185 /*
2186 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
2187 * from a client and then selects a stream or Authenticated Encryption
2188 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
2189 * encrypt-then-MAC response extension back to the client."
2190 */
2191 if( ( suite = mbedtls_ssl_ciphersuite_from_id(
2192 ssl->session_negotiate->ciphersuite ) ) == NULL ||
2193 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
2194 cipher->mode != MBEDTLS_MODE_CBC )
2195 {
2196 *olen = 0;
2197 return;
2198 }
2199
2200 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
2201
2202 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
2203 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
2204
2205 *p++ = 0x00;
2206 *p++ = 0x00;
2207
2208 *olen = 4;
2209 }
2210 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2211
2212 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2213 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
2214 unsigned char *buf,
2215 size_t *olen )
2216 {
2217 unsigned char *p = buf;
2218
2219 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
2220 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2221 {
2222 *olen = 0;
2223 return;
2224 }
2225
2226 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
2227 "extension" ) );
2228
2229 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
2230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
2231
2232 *p++ = 0x00;
2233 *p++ = 0x00;
2234
2235 *olen = 4;
2236 }
2237 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2238
2239 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2240 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
2241 unsigned char *buf,
2242 size_t *olen )
2243 {
2244 unsigned char *p = buf;
2245
2246 if( ssl->handshake->new_session_ticket == 0 )
2247 {
2248 *olen = 0;
2249 return;
2250 }
2251
2252 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
2253
2254 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
2255 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
2256
2257 *p++ = 0x00;
2258 *p++ = 0x00;
2259
2260 *olen = 4;
2261 }
2262 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2263
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2264 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
2265 unsigned char *buf,
2266 size_t *olen )
2267 {
2268 unsigned char *p = buf;
2269
2270 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
2271 {
2272 *olen = 0;
2273 return;
2274 }
2275
2276 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
2277
2278 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
2279 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
2280
2281 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2282 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
2283 {
2284 *p++ = 0x00;
2285 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
2286 *p++ = ssl->verify_data_len * 2 & 0xFF;
2287
2288 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
2289 p += ssl->verify_data_len;
2290 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
2291 p += ssl->verify_data_len;
2292 }
2293 else
2294 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2295 {
2296 *p++ = 0x00;
2297 *p++ = 0x01;
2298 *p++ = 0x00;
2299 }
2300
2301 *olen = p - buf;
2302 }
2303
2304 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2305 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
2306 unsigned char *buf,
2307 size_t *olen )
2308 {
2309 unsigned char *p = buf;
2310
2311 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
2312 {
2313 *olen = 0;
2314 return;
2315 }
2316
2317 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2318
2319 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
2320 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
2321
2322 *p++ = 0x00;
2323 *p++ = 1;
2324
2325 *p++ = ssl->session_negotiate->mfl_code;
2326
2327 *olen = 5;
2328 }
2329 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2330
2331 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2332 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2333 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
2334 unsigned char *buf,
2335 size_t *olen )
2336 {
2337 unsigned char *p = buf;
2338 ((void) ssl);
2339
2340 if( ( ssl->handshake->cli_exts &
2341 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
2342 {
2343 *olen = 0;
2344 return;
2345 }
2346
2347 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2348
2349 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
2350 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
2351
2352 *p++ = 0x00;
2353 *p++ = 2;
2354
2355 *p++ = 1;
2356 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
2357
2358 *olen = 6;
2359 }
2360 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2361
2362 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2363 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
2364 unsigned char *buf,
2365 size_t *olen )
2366 {
2367 int ret;
2368 unsigned char *p = buf;
2369 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2370 size_t kkpp_len;
2371
2372 *olen = 0;
2373
2374 /* Skip costly computation if not needed */
2375 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
2376 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2377 return;
2378
2379 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2380
2381 if( end - p < 4 )
2382 {
2383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2384 return;
2385 }
2386
2387 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
2388 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
2389
2390 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
2391 p + 2, end - p - 2, &kkpp_len,
2392 ssl->conf->f_rng, ssl->conf->p_rng );
2393 if( ret != 0 )
2394 {
2395 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
2396 return;
2397 }
2398
2399 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
2400 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
2401
2402 *olen = kkpp_len + 4;
2403 }
2404 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2405
2406 #if defined(MBEDTLS_SSL_ALPN )
ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2407 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2408 unsigned char *buf, size_t *olen )
2409 {
2410 if( ssl->alpn_chosen == NULL )
2411 {
2412 *olen = 0;
2413 return;
2414 }
2415
2416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2417
2418 /*
2419 * 0 . 1 ext identifier
2420 * 2 . 3 ext length
2421 * 4 . 5 protocol list length
2422 * 6 . 6 protocol name length
2423 * 7 . 7+n protocol name
2424 */
2425 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
2426 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
2427
2428 *olen = 7 + strlen( ssl->alpn_chosen );
2429
2430 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
2431 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
2432
2433 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
2434 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
2435
2436 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
2437
2438 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
2439 }
2440 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2441
2442 #if defined(MBEDTLS_SSL_DTLS_SRTP )
ssl_write_use_srtp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2443 static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
2444 unsigned char *buf, size_t *olen )
2445 {
2446 if( ssl->chosen_dtls_srtp_profile == MBEDTLS_SRTP_UNSET_PROFILE )
2447 {
2448 *olen = 0;
2449 return;
2450 }
2451
2452 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding use_srtp extension" ) );
2453
2454 /* extension */
2455 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
2456 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
2457 /* total length (5: only one profile(2 bytes) and length(2bytes) and srtp_mki not supported so zero length(1byte) ) */
2458 buf[2] = 0x00;
2459 buf[3] = 0x05;
2460
2461 /* protection profile length: 2 */
2462 buf[4] = 0x00;
2463 buf[5] = 0x02;
2464 switch (ssl->chosen_dtls_srtp_profile) {
2465 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
2466 buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE >> 8) & 0xFF );
2467 buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) & 0xFF );
2468 break;
2469 case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
2470 buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE >> 8) & 0xFF );
2471 buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) & 0xFF );
2472 break;
2473 case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
2474 buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE >> 8) & 0xFF );
2475 buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) & 0xFF );
2476 break;
2477 case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
2478 buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE >> 8) & 0xFF );
2479 buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) & 0xFF );
2480 break;
2481 default:
2482 *olen = 0;
2483 return;
2484 break;
2485 }
2486
2487 buf[8] = 0x00; /* unsupported srtp_mki variable length vector set to 0 */
2488
2489 *olen = 9;
2490 }
2491 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2492
2493 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
ssl_write_hello_verify_request(mbedtls_ssl_context * ssl)2494 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
2495 {
2496 int ret;
2497 unsigned char *p = ssl->out_msg + 4;
2498 unsigned char *cookie_len_byte;
2499
2500 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2501
2502 /*
2503 * struct {
2504 * ProtocolVersion server_version;
2505 * opaque cookie<0..2^8-1>;
2506 * } HelloVerifyRequest;
2507 */
2508
2509 /* The RFC is not clear on this point, but sending the actual negotiated
2510 * version looks like the most interoperable thing to do. */
2511 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2512 ssl->conf->transport, p );
2513 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
2514 p += 2;
2515
2516 /* If we get here, f_cookie_check is not null */
2517 if( ssl->conf->f_cookie_write == NULL )
2518 {
2519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2520 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2521 }
2522
2523 /* Skip length byte until we know the length */
2524 cookie_len_byte = p++;
2525
2526 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
2527 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2528 ssl->cli_id, ssl->cli_id_len ) ) != 0 )
2529 {
2530 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
2531 return( ret );
2532 }
2533
2534 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
2535
2536 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
2537
2538 ssl->out_msglen = p - ssl->out_msg;
2539 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2540 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2541
2542 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2543
2544 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
2545 {
2546 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
2547 return( ret );
2548 }
2549
2550 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2551 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2552 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2553 {
2554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2555 return( ret );
2556 }
2557 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2558
2559 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2560
2561 return( 0 );
2562 }
2563 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2564
ssl_write_server_hello(mbedtls_ssl_context * ssl)2565 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
2566 {
2567 #if defined(MBEDTLS_HAVE_TIME)
2568 mbedtls_time_t t;
2569 #endif
2570 int ret;
2571 size_t olen, ext_len = 0, n;
2572 unsigned char *buf, *p;
2573
2574 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2575
2576 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2577 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2578 ssl->handshake->verify_cookie_len != 0 )
2579 {
2580 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2581 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2582
2583 return( ssl_write_hello_verify_request( ssl ) );
2584 }
2585 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2586
2587 if( ssl->conf->f_rng == NULL )
2588 {
2589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2590 return( MBEDTLS_ERR_SSL_NO_RNG );
2591 }
2592
2593 /*
2594 * 0 . 0 handshake type
2595 * 1 . 3 handshake length
2596 * 4 . 5 protocol version
2597 * 6 . 9 UNIX time()
2598 * 10 . 37 random bytes
2599 */
2600 buf = ssl->out_msg;
2601 p = buf + 4;
2602
2603 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2604 ssl->conf->transport, p );
2605 p += 2;
2606
2607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2608 buf[4], buf[5] ) );
2609
2610 #if defined(MBEDTLS_HAVE_TIME)
2611 t = mbedtls_time( NULL );
2612 *p++ = (unsigned char)( t >> 24 );
2613 *p++ = (unsigned char)( t >> 16 );
2614 *p++ = (unsigned char)( t >> 8 );
2615 *p++ = (unsigned char)( t );
2616
2617 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
2618 #else
2619 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
2620 return( ret );
2621
2622 p += 4;
2623 #endif /* MBEDTLS_HAVE_TIME */
2624
2625 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
2626 return( ret );
2627
2628 p += 28;
2629
2630 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
2631
2632 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
2633
2634 /*
2635 * Resume is 0 by default, see ssl_handshake_init().
2636 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2637 * If not, try looking up session ID in our cache.
2638 */
2639 if( ssl->handshake->resume == 0 &&
2640 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2641 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
2642 #endif
2643 ssl->session_negotiate->id_len != 0 &&
2644 ssl->conf->f_get_cache != NULL &&
2645 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
2646 {
2647 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2648 ssl->handshake->resume = 1;
2649 }
2650
2651 if( ssl->handshake->resume == 0 )
2652 {
2653 /*
2654 * New session, create a new session id,
2655 * unless we're about to issue a session ticket
2656 */
2657 ssl->state++;
2658
2659 #if defined(MBEDTLS_HAVE_TIME)
2660 ssl->session_negotiate->start = mbedtls_time( NULL );
2661 #endif
2662
2663 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2664 if( ssl->handshake->new_session_ticket != 0 )
2665 {
2666 ssl->session_negotiate->id_len = n = 0;
2667 memset( ssl->session_negotiate->id, 0, 32 );
2668 }
2669 else
2670 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2671 {
2672 ssl->session_negotiate->id_len = n = 32;
2673 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
2674 n ) ) != 0 )
2675 return( ret );
2676 }
2677 }
2678 else
2679 {
2680 /*
2681 * Resuming a session
2682 */
2683 n = ssl->session_negotiate->id_len;
2684 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2685
2686 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2687 {
2688 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2689 return( ret );
2690 }
2691 }
2692
2693 /*
2694 * 38 . 38 session id length
2695 * 39 . 38+n session id
2696 * 39+n . 40+n chosen ciphersuite
2697 * 41+n . 41+n chosen compression alg.
2698 * 42+n . 43+n extensions length
2699 * 44+n . 43+n+m extensions
2700 */
2701 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2702 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
2703 p += ssl->session_negotiate->id_len;
2704
2705 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
2706 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
2707 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2708 ssl->handshake->resume ? "a" : "no" ) );
2709
2710 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
2711 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
2712 *p++ = (unsigned char)( ssl->session_negotiate->compression );
2713
2714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2715 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
2716 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2717 ssl->session_negotiate->compression ) );
2718
2719 /* Do not write the extensions if the protocol is SSLv3 */
2720 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2721 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
2722 {
2723 #endif
2724
2725 /*
2726 * First write extensions, then the total length
2727 */
2728 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
2729 ext_len += olen;
2730
2731 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2732 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
2733 ext_len += olen;
2734 #endif
2735
2736 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2737 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
2738 ext_len += olen;
2739 #endif
2740
2741 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2742 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
2743 ext_len += olen;
2744 #endif
2745
2746 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2747 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
2748 ext_len += olen;
2749 #endif
2750
2751 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2752 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
2753 ext_len += olen;
2754 #endif
2755
2756 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2757 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2758 if ( mbedtls_ssl_ciphersuite_uses_ec(
2759 mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
2760 {
2761 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
2762 ext_len += olen;
2763 }
2764 #endif
2765
2766 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2767 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
2768 ext_len += olen;
2769 #endif
2770
2771 #if defined(MBEDTLS_SSL_ALPN)
2772 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
2773 ext_len += olen;
2774 #endif
2775
2776 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2777 ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, &olen);
2778 ext_len += olen;
2779 #endif
2780
2781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
2782
2783 if( ext_len > 0 )
2784 {
2785 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
2786 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
2787 p += ext_len;
2788 }
2789
2790 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2791 }
2792 #endif
2793
2794 ssl->out_msglen = p - buf;
2795 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2796 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2797
2798 ret = mbedtls_ssl_write_handshake_msg( ssl );
2799
2800 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2801
2802 return( ret );
2803 }
2804
2805 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2806 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2807 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2808 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2809 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
2810 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2811 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2812 {
2813 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2814 ssl->transform_negotiate->ciphersuite_info;
2815
2816 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2817
2818 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2819 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2820 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2821 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2822 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2823 {
2824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2825 ssl->state++;
2826 return( 0 );
2827 }
2828
2829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2830 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2831 }
2832 #else
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2833 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2834 {
2835 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2836 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2837 ssl->transform_negotiate->ciphersuite_info;
2838 size_t dn_size, total_dn_size; /* excluding length bytes */
2839 size_t ct_len, sa_len; /* including length bytes */
2840 unsigned char *buf, *p;
2841 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2842 const mbedtls_x509_crt *crt;
2843 int authmode;
2844
2845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2846
2847 ssl->state++;
2848
2849 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2850 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2851 authmode = ssl->handshake->sni_authmode;
2852 else
2853 #endif
2854 authmode = ssl->conf->authmode;
2855
2856 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2857 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2858 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2859 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2860 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
2861 authmode == MBEDTLS_SSL_VERIFY_NONE )
2862 {
2863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2864 return( 0 );
2865 }
2866
2867 /*
2868 * 0 . 0 handshake type
2869 * 1 . 3 handshake length
2870 * 4 . 4 cert type count
2871 * 5 .. m-1 cert types
2872 * m .. m+1 sig alg length (TLS 1.2 only)
2873 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2874 * n .. n+1 length of all DNs
2875 * n+2 .. n+3 length of DN 1
2876 * n+4 .. ... Distinguished Name #1
2877 * ... .. ... length of DN 2, etc.
2878 */
2879 buf = ssl->out_msg;
2880 p = buf + 4;
2881
2882 /*
2883 * Supported certificate types
2884 *
2885 * ClientCertificateType certificate_types<1..2^8-1>;
2886 * enum { (255) } ClientCertificateType;
2887 */
2888 ct_len = 0;
2889
2890 #if defined(MBEDTLS_RSA_C)
2891 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2892 #endif
2893 #if defined(MBEDTLS_ECDSA_C)
2894 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2895 #endif
2896
2897 p[0] = (unsigned char) ct_len++;
2898 p += ct_len;
2899
2900 sa_len = 0;
2901 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2902 /*
2903 * Add signature_algorithms for verify (TLS 1.2)
2904 *
2905 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2906 *
2907 * struct {
2908 * HashAlgorithm hash;
2909 * SignatureAlgorithm signature;
2910 * } SignatureAndHashAlgorithm;
2911 *
2912 * enum { (255) } HashAlgorithm;
2913 * enum { (255) } SignatureAlgorithm;
2914 */
2915 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2916 {
2917 const int *cur;
2918
2919 /*
2920 * Supported signature algorithms
2921 */
2922 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
2923 {
2924 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
2925
2926 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
2927 continue;
2928
2929 #if defined(MBEDTLS_RSA_C)
2930 p[2 + sa_len++] = hash;
2931 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
2932 #endif
2933 #if defined(MBEDTLS_ECDSA_C)
2934 p[2 + sa_len++] = hash;
2935 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
2936 #endif
2937 }
2938
2939 p[0] = (unsigned char)( sa_len >> 8 );
2940 p[1] = (unsigned char)( sa_len );
2941 sa_len += 2;
2942 p += sa_len;
2943 }
2944 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2945
2946 /*
2947 * DistinguishedName certificate_authorities<0..2^16-1>;
2948 * opaque DistinguishedName<1..2^16-1>;
2949 */
2950 p += 2;
2951
2952 total_dn_size = 0;
2953
2954 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
2955 {
2956 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2957 if( ssl->handshake->sni_ca_chain != NULL )
2958 crt = ssl->handshake->sni_ca_chain;
2959 else
2960 #endif
2961 crt = ssl->conf->ca_chain;
2962
2963 while( crt != NULL && crt->version != 0 )
2964 {
2965 dn_size = crt->subject_raw.len;
2966
2967 if( end < p ||
2968 (size_t)( end - p ) < dn_size ||
2969 (size_t)( end - p ) < 2 + dn_size )
2970 {
2971 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2972 break;
2973 }
2974
2975 *p++ = (unsigned char)( dn_size >> 8 );
2976 *p++ = (unsigned char)( dn_size );
2977 memcpy( p, crt->subject_raw.p, dn_size );
2978 p += dn_size;
2979
2980 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
2981
2982 total_dn_size += 2 + dn_size;
2983 crt = crt->next;
2984 }
2985 }
2986
2987 ssl->out_msglen = p - buf;
2988 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2989 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2990 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2991 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2992
2993 ret = mbedtls_ssl_write_handshake_msg( ssl );
2994
2995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2996
2997 return( ret );
2998 }
2999 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3000 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3001 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3002 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3003 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3004 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3005
3006 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3007 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)3008 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
3009 {
3010 int ret;
3011
3012 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
3013 {
3014 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
3015 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
3016 }
3017
3018 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
3019 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
3020 MBEDTLS_ECDH_OURS ) ) != 0 )
3021 {
3022 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
3023 return( ret );
3024 }
3025
3026 return( 0 );
3027 }
3028 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
3029 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3030
3031 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
3032 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
ssl_resume_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)3033 static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
3034 size_t *signature_len )
3035 {
3036 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3037 * signature length which will be added in ssl_write_server_key_exchange
3038 * after the call to ssl_prepare_server_key_exchange.
3039 * ssl_write_server_key_exchange also takes care of incrementing
3040 * ssl->out_msglen. */
3041 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
3042 size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
3043 - sig_start );
3044 int ret = ssl->conf->f_async_resume( ssl,
3045 sig_start, signature_len, sig_max_len );
3046 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3047 {
3048 ssl->handshake->async_in_progress = 0;
3049 mbedtls_ssl_set_async_operation_data( ssl, NULL );
3050 }
3051 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
3052 return( ret );
3053 }
3054 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
3055 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3056
3057 /* Prepare the ServerKeyExchange message, up to and including
3058 * calculating the signature if any, but excluding formatting the
3059 * signature and sending the message. */
ssl_prepare_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)3060 static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
3061 size_t *signature_len )
3062 {
3063 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3064 ssl->transform_negotiate->ciphersuite_info;
3065 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
3066 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3067 unsigned char *dig_signed = NULL;
3068 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3069 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
3070
3071 (void) ciphersuite_info; /* unused in some configurations */
3072 #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3073 (void) signature_len;
3074 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3075
3076 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
3077
3078 /*
3079 *
3080 * Part 1: Provide key exchange parameters for chosen ciphersuite.
3081 *
3082 */
3083
3084 /*
3085 * - ECJPAKE key exchanges
3086 */
3087 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3088 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3089 {
3090 int ret;
3091 size_t len = 0;
3092
3093 ret = mbedtls_ecjpake_write_round_two(
3094 &ssl->handshake->ecjpake_ctx,
3095 ssl->out_msg + ssl->out_msglen,
3096 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
3097 ssl->conf->f_rng, ssl->conf->p_rng );
3098 if( ret != 0 )
3099 {
3100 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3101 return( ret );
3102 }
3103
3104 ssl->out_msglen += len;
3105 }
3106 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3107
3108 /*
3109 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
3110 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
3111 * we use empty support identity hints here.
3112 **/
3113 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
3114 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3115 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3116 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3117 {
3118 ssl->out_msg[ssl->out_msglen++] = 0x00;
3119 ssl->out_msg[ssl->out_msglen++] = 0x00;
3120 }
3121 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
3122 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3123
3124 /*
3125 * - DHE key exchanges
3126 */
3127 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
3128 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
3129 {
3130 int ret;
3131 size_t len = 0;
3132
3133 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
3134 {
3135 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
3136 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3137 }
3138
3139 /*
3140 * Ephemeral DH parameters:
3141 *
3142 * struct {
3143 * opaque dh_p<1..2^16-1>;
3144 * opaque dh_g<1..2^16-1>;
3145 * opaque dh_Ys<1..2^16-1>;
3146 * } ServerDHParams;
3147 */
3148 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
3149 &ssl->conf->dhm_P,
3150 &ssl->conf->dhm_G ) ) != 0 )
3151 {
3152 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
3153 return( ret );
3154 }
3155
3156 if( ( ret = mbedtls_dhm_make_params(
3157 &ssl->handshake->dhm_ctx,
3158 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3159 ssl->out_msg + ssl->out_msglen, &len,
3160 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3161 {
3162 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
3163 return( ret );
3164 }
3165
3166 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3167 dig_signed = ssl->out_msg + ssl->out_msglen;
3168 #endif
3169
3170 ssl->out_msglen += len;
3171
3172 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3173 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
3174 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
3175 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3176 }
3177 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
3178
3179 /*
3180 * - ECDHE key exchanges
3181 */
3182 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
3183 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
3184 {
3185 /*
3186 * Ephemeral ECDH parameters:
3187 *
3188 * struct {
3189 * ECParameters curve_params;
3190 * ECPoint public;
3191 * } ServerECDHParams;
3192 */
3193 const mbedtls_ecp_curve_info **curve = NULL;
3194 const mbedtls_ecp_group_id *gid;
3195 int ret;
3196 size_t len = 0;
3197
3198 /* Match our preference list against the offered curves */
3199 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
3200 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
3201 if( (*curve)->grp_id == *gid )
3202 goto curve_matching_done;
3203
3204 curve_matching_done:
3205 if( curve == NULL || *curve == NULL )
3206 {
3207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
3208 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
3209 }
3210
3211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
3212
3213 if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
3214 (*curve)->grp_id ) ) != 0 )
3215 {
3216 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
3217 return( ret );
3218 }
3219
3220 if( ( ret = mbedtls_ecdh_make_params(
3221 &ssl->handshake->ecdh_ctx, &len,
3222 ssl->out_msg + ssl->out_msglen,
3223 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3224 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3225 {
3226 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
3227 return( ret );
3228 }
3229
3230 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3231 dig_signed = ssl->out_msg + ssl->out_msglen;
3232 #endif
3233
3234 ssl->out_msglen += len;
3235
3236 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3237 MBEDTLS_DEBUG_ECDH_Q );
3238 }
3239 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
3240
3241 /*
3242 *
3243 * Part 2: For key exchanges involving the server signing the
3244 * exchange parameters, compute and add the signature here.
3245 *
3246 */
3247 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3248 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
3249 {
3250 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
3251 size_t hashlen = 0;
3252 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3253 int ret;
3254
3255 /*
3256 * 2.1: Choose hash algorithm:
3257 * A: For TLS 1.2, obey signature-hash-algorithm extension
3258 * to choose appropriate hash.
3259 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
3260 * (RFC 4492, Sec. 5.4)
3261 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
3262 */
3263
3264 mbedtls_md_type_t md_alg;
3265
3266 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3267 mbedtls_pk_type_t sig_alg =
3268 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
3269 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3270 {
3271 /* A: For TLS 1.2, obey signature-hash-algorithm extension
3272 * (RFC 5246, Sec. 7.4.1.4.1). */
3273 if( sig_alg == MBEDTLS_PK_NONE ||
3274 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
3275 sig_alg ) ) == MBEDTLS_MD_NONE )
3276 {
3277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3278 /* (... because we choose a cipher suite
3279 * only if there is a matching hash.) */
3280 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3281 }
3282 }
3283 else
3284 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3285 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3286 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3287 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3288 {
3289 /* B: Default hash SHA1 */
3290 md_alg = MBEDTLS_MD_SHA1;
3291 }
3292 else
3293 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3294 MBEDTLS_SSL_PROTO_TLS1_1 */
3295 {
3296 /* C: MD5 + SHA1 */
3297 md_alg = MBEDTLS_MD_NONE;
3298 }
3299
3300 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
3301
3302 /*
3303 * 2.2: Compute the hash to be signed
3304 */
3305 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3306 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3307 if( md_alg == MBEDTLS_MD_NONE )
3308 {
3309 hashlen = 36;
3310 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
3311 dig_signed,
3312 dig_signed_len );
3313 if( ret != 0 )
3314 return( ret );
3315 }
3316 else
3317 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3318 MBEDTLS_SSL_PROTO_TLS1_1 */
3319 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3320 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3321 if( md_alg != MBEDTLS_MD_NONE )
3322 {
3323 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
3324 dig_signed,
3325 dig_signed_len,
3326 md_alg );
3327 if( ret != 0 )
3328 return( ret );
3329 }
3330 else
3331 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3332 MBEDTLS_SSL_PROTO_TLS1_2 */
3333 {
3334 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3335 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3336 }
3337
3338 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
3339
3340 /*
3341 * 2.3: Compute and add the signature
3342 */
3343 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3344 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3345 {
3346 /*
3347 * For TLS 1.2, we need to specify signature and hash algorithm
3348 * explicitly through a prefix to the signature.
3349 *
3350 * struct {
3351 * HashAlgorithm hash;
3352 * SignatureAlgorithm signature;
3353 * } SignatureAndHashAlgorithm;
3354 *
3355 * struct {
3356 * SignatureAndHashAlgorithm algorithm;
3357 * opaque signature<0..2^16-1>;
3358 * } DigitallySigned;
3359 *
3360 */
3361
3362 ssl->out_msg[ssl->out_msglen++] =
3363 mbedtls_ssl_hash_from_md_alg( md_alg );
3364 ssl->out_msg[ssl->out_msglen++] =
3365 mbedtls_ssl_sig_from_pk_alg( sig_alg );
3366 }
3367 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3368
3369 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3370 if( ssl->conf->f_async_sign_start != NULL )
3371 {
3372 ret = ssl->conf->f_async_sign_start( ssl,
3373 mbedtls_ssl_own_cert( ssl ),
3374 md_alg, hash, hashlen );
3375 switch( ret )
3376 {
3377 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3378 /* act as if f_async_sign was null */
3379 break;
3380 case 0:
3381 ssl->handshake->async_in_progress = 1;
3382 return( ssl_resume_server_key_exchange( ssl, signature_len ) );
3383 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3384 ssl->handshake->async_in_progress = 1;
3385 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3386 default:
3387 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
3388 return( ret );
3389 }
3390 }
3391 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3392
3393 if( mbedtls_ssl_own_key( ssl ) == NULL )
3394 {
3395 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
3396 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3397 }
3398
3399 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3400 * signature length which will be added in ssl_write_server_key_exchange
3401 * after the call to ssl_prepare_server_key_exchange.
3402 * ssl_write_server_key_exchange also takes care of incrementing
3403 * ssl->out_msglen. */
3404 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
3405 md_alg, hash, hashlen,
3406 ssl->out_msg + ssl->out_msglen + 2,
3407 signature_len,
3408 ssl->conf->f_rng,
3409 ssl->conf->p_rng ) ) != 0 )
3410 {
3411 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3412 return( ret );
3413 }
3414 }
3415 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3416
3417 return( 0 );
3418 }
3419
3420 /* Prepare the ServerKeyExchange message and send it. For ciphersuites
3421 * that do not include a ServerKeyExchange message, do nothing. Either
3422 * way, if successful, move on to the next step in the SSL state
3423 * machine. */
ssl_write_server_key_exchange(mbedtls_ssl_context * ssl)3424 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
3425 {
3426 int ret;
3427 size_t signature_len = 0;
3428 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
3429 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3430 ssl->transform_negotiate->ciphersuite_info;
3431 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
3432
3433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
3434
3435 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
3436 /* Extract static ECDH parameters and abort if ServerKeyExchange
3437 * is not needed. */
3438 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
3439 {
3440 /* For suites involving ECDH, extract DH parameters
3441 * from certificate at this point. */
3442 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
3443 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
3444 {
3445 ssl_get_ecdh_params_from_cert( ssl );
3446 }
3447 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
3448
3449 /* Key exchanges not involving ephemeral keys don't use
3450 * ServerKeyExchange, so end here. */
3451 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
3452 ssl->state++;
3453 return( 0 );
3454 }
3455 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
3456
3457 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
3458 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3459 /* If we have already prepared the message and there is an ongoing
3460 * signature operation, resume signing. */
3461 if( ssl->handshake->async_in_progress != 0 )
3462 {
3463 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
3464 ret = ssl_resume_server_key_exchange( ssl, &signature_len );
3465 }
3466 else
3467 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
3468 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3469 {
3470 /* ServerKeyExchange is needed. Prepare the message. */
3471 ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
3472 }
3473
3474 if( ret != 0 )
3475 {
3476 /* If we're starting to write a new message, set ssl->out_msglen
3477 * to 0. But if we're resuming after an asynchronous message,
3478 * out_msglen is the amount of data written so far and mst be
3479 * preserved. */
3480 if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3481 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
3482 else
3483 ssl->out_msglen = 0;
3484 return( ret );
3485 }
3486
3487 /* If there is a signature, write its length.
3488 * ssl_prepare_server_key_exchange already wrote the signature
3489 * itself at its proper place in the output buffer. */
3490 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3491 if( signature_len != 0 )
3492 {
3493 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
3494 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
3495
3496 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
3497 ssl->out_msg + ssl->out_msglen,
3498 signature_len );
3499
3500 /* Skip over the already-written signature */
3501 ssl->out_msglen += signature_len;
3502 }
3503 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3504
3505 /* Add header and send. */
3506 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3507 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3508
3509 ssl->state++;
3510
3511 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3512 {
3513 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3514 return( ret );
3515 }
3516
3517 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3518 return( 0 );
3519 }
3520
ssl_write_server_hello_done(mbedtls_ssl_context * ssl)3521 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
3522 {
3523 int ret;
3524
3525 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3526
3527 ssl->out_msglen = 4;
3528 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3529 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3530
3531 ssl->state++;
3532
3533 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3534 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3535 mbedtls_ssl_send_flight_completed( ssl );
3536 #endif
3537
3538 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3539 {
3540 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3541 return( ret );
3542 }
3543
3544 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3545 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3546 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3547 {
3548 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
3549 return( ret );
3550 }
3551 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3552
3553 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3554
3555 return( 0 );
3556 }
3557
3558 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3559 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
ssl_parse_client_dh_public(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3560 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
3561 const unsigned char *end )
3562 {
3563 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3564 size_t n;
3565
3566 /*
3567 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3568 */
3569 if( *p + 2 > end )
3570 {
3571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3572 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3573 }
3574
3575 n = ( (*p)[0] << 8 ) | (*p)[1];
3576 *p += 2;
3577
3578 if( *p + n > end )
3579 {
3580 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3581 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3582 }
3583
3584 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
3585 {
3586 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
3587 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3588 }
3589
3590 *p += n;
3591
3592 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
3593
3594 return( ret );
3595 }
3596 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3597 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3598
3599 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3600 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3601
3602 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
ssl_resume_decrypt_pms(mbedtls_ssl_context * ssl,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3603 static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
3604 unsigned char *peer_pms,
3605 size_t *peer_pmslen,
3606 size_t peer_pmssize )
3607 {
3608 int ret = ssl->conf->f_async_resume( ssl,
3609 peer_pms, peer_pmslen, peer_pmssize );
3610 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3611 {
3612 ssl->handshake->async_in_progress = 0;
3613 mbedtls_ssl_set_async_operation_data( ssl, NULL );
3614 }
3615 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
3616 return( ret );
3617 }
3618 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3619
ssl_decrypt_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3620 static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
3621 const unsigned char *p,
3622 const unsigned char *end,
3623 unsigned char *peer_pms,
3624 size_t *peer_pmslen,
3625 size_t peer_pmssize )
3626 {
3627 int ret;
3628 mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
3629 mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
3630 size_t len = mbedtls_pk_get_len( public_key );
3631
3632 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3633 /* If we have already started decoding the message and there is an ongoing
3634 * decryption operation, resume signing. */
3635 if( ssl->handshake->async_in_progress != 0 )
3636 {
3637 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
3638 return( ssl_resume_decrypt_pms( ssl,
3639 peer_pms, peer_pmslen, peer_pmssize ) );
3640 }
3641 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3642
3643 /*
3644 * Prepare to decrypt the premaster using own private RSA key
3645 */
3646 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3647 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3648 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
3649 {
3650 if ( p + 2 > end ) {
3651 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3652 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3653 }
3654 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
3655 *p++ != ( ( len ) & 0xFF ) )
3656 {
3657 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3658 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3659 }
3660 }
3661 #endif
3662
3663 if( p + len != end )
3664 {
3665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3666 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3667 }
3668
3669 /*
3670 * Decrypt the premaster secret
3671 */
3672 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3673 if( ssl->conf->f_async_decrypt_start != NULL )
3674 {
3675 ret = ssl->conf->f_async_decrypt_start( ssl,
3676 mbedtls_ssl_own_cert( ssl ),
3677 p, len );
3678 switch( ret )
3679 {
3680 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3681 /* act as if f_async_decrypt_start was null */
3682 break;
3683 case 0:
3684 ssl->handshake->async_in_progress = 1;
3685 return( ssl_resume_decrypt_pms( ssl,
3686 peer_pms,
3687 peer_pmslen,
3688 peer_pmssize ) );
3689 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3690 ssl->handshake->async_in_progress = 1;
3691 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3692 default:
3693 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
3694 return( ret );
3695 }
3696 }
3697 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3698
3699 if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
3700 {
3701 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3702 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3703 }
3704
3705 ret = mbedtls_pk_decrypt( private_key, p, len,
3706 peer_pms, peer_pmslen, peer_pmssize,
3707 ssl->conf->f_rng, ssl->conf->p_rng );
3708 return( ret );
3709 }
3710
ssl_parse_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,size_t pms_offset)3711 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
3712 const unsigned char *p,
3713 const unsigned char *end,
3714 size_t pms_offset )
3715 {
3716 int ret;
3717 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3718 unsigned char ver[2];
3719 unsigned char fake_pms[48], peer_pms[48];
3720 unsigned char mask;
3721 size_t i, peer_pmslen;
3722 unsigned int diff;
3723
3724 /* In case of a failure in decryption, the decryption may write less than
3725 * 2 bytes of output, but we always read the first two bytes. It doesn't
3726 * matter in the end because diff will be nonzero in that case due to
3727 * ret being nonzero, and we only care whether diff is 0.
3728 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3729 * also makes memory analyzers happy (don't access uninitialized memory,
3730 * even if it's an unsigned char). */
3731 peer_pms[0] = peer_pms[1] = ~0;
3732 peer_pmslen = 0;
3733
3734 ret = ssl_decrypt_encrypted_pms( ssl, p, end,
3735 peer_pms,
3736 &peer_pmslen,
3737 sizeof( peer_pms ) );
3738
3739 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3740 if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3741 return( ret );
3742 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3743
3744 mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
3745 ssl->handshake->max_minor_ver,
3746 ssl->conf->transport, ver );
3747
3748 /* Avoid data-dependent branches while checking for invalid
3749 * padding, to protect against timing-based Bleichenbacher-type
3750 * attacks. */
3751 diff = (unsigned int) ret;
3752 diff |= peer_pmslen ^ 48;
3753 diff |= peer_pms[0] ^ ver[0];
3754 diff |= peer_pms[1] ^ ver[1];
3755
3756 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3757 /* MSVC has a warning about unary minus on unsigned, but this is
3758 * well-defined and precisely what we want to do here */
3759 #if defined(_MSC_VER)
3760 #pragma warning( push )
3761 #pragma warning( disable : 4146 )
3762 #endif
3763 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
3764 #if defined(_MSC_VER)
3765 #pragma warning( pop )
3766 #endif
3767
3768 /*
3769 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3770 * must not cause the connection to end immediately; instead, send a
3771 * bad_record_mac later in the handshake.
3772 * To protect against timing-based variants of the attack, we must
3773 * not have any branch that depends on whether the decryption was
3774 * successful. In particular, always generate the fake premaster secret,
3775 * regardless of whether it will ultimately influence the output or not.
3776 */
3777 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
3778 if( ret != 0 )
3779 {
3780 /* It's ok to abort on an RNG failure, since this does not reveal
3781 * anything about the RSA decryption. */
3782 return( ret );
3783 }
3784
3785 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3786 if( diff != 0 )
3787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3788 #endif
3789
3790 if( sizeof( ssl->handshake->premaster ) < pms_offset ||
3791 sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
3792 {
3793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3794 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3795 }
3796 ssl->handshake->pmslen = 48;
3797
3798 /* Set pms to either the true or the fake PMS, without
3799 * data-dependent branches. */
3800 for( i = 0; i < ssl->handshake->pmslen; i++ )
3801 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
3802
3803 return( 0 );
3804 }
3805 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3806 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3807
3808 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
ssl_parse_client_psk_identity(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3809 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
3810 const unsigned char *end )
3811 {
3812 int ret = 0;
3813 size_t n;
3814
3815 if( ssl->conf->f_psk == NULL &&
3816 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
3817 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
3818 {
3819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3820 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3821 }
3822
3823 /*
3824 * Receive client pre-shared key identity name
3825 */
3826 if( end - *p < 2 )
3827 {
3828 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3829 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3830 }
3831
3832 n = ( (*p)[0] << 8 ) | (*p)[1];
3833 *p += 2;
3834
3835 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
3836 {
3837 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3838 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3839 }
3840
3841 if( ssl->conf->f_psk != NULL )
3842 {
3843 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
3844 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3845 }
3846 else
3847 {
3848 /* Identity is not a big secret since clients send it in the clear,
3849 * but treat it carefully anyway, just in case */
3850 if( n != ssl->conf->psk_identity_len ||
3851 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
3852 {
3853 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3854 }
3855 }
3856
3857 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
3858 {
3859 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
3860 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3861 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
3862 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
3863 }
3864
3865 *p += n;
3866
3867 return( 0 );
3868 }
3869 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3870
ssl_parse_client_key_exchange(mbedtls_ssl_context * ssl)3871 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
3872 {
3873 int ret;
3874 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3875 unsigned char *p, *end;
3876
3877 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3878
3879 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3880
3881 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3882 ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3883 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
3884 if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3885 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
3886 ( ssl->handshake->async_in_progress != 0 ) )
3887 {
3888 /* We've already read a record and there is an asynchronous
3889 * operation in progress to decrypt it. So skip reading the
3890 * record. */
3891 MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
3892 }
3893 else
3894 #endif
3895 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3896 {
3897 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3898 return( ret );
3899 }
3900
3901 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3902 end = ssl->in_msg + ssl->in_hslen;
3903
3904 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3905 {
3906 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3907 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3908 }
3909
3910 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
3911 {
3912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3913 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3914 }
3915
3916 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3917 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3918 {
3919 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3920 {
3921 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3922 return( ret );
3923 }
3924
3925 if( p != end )
3926 {
3927 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3928 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3929 }
3930
3931 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3932 ssl->handshake->premaster,
3933 MBEDTLS_PREMASTER_SIZE,
3934 &ssl->handshake->pmslen,
3935 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3936 {
3937 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3938 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3939 }
3940
3941 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3942 }
3943 else
3944 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3945 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3946 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3947 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3948 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3949 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3950 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3951 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3952 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3953 {
3954 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3955 p, end - p) ) != 0 )
3956 {
3957 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3958 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3959 }
3960
3961 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3962 MBEDTLS_DEBUG_ECDH_QP );
3963
3964 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3965 &ssl->handshake->pmslen,
3966 ssl->handshake->premaster,
3967 MBEDTLS_MPI_MAX_SIZE,
3968 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3969 {
3970 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3971 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3972 }
3973
3974 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3975 MBEDTLS_DEBUG_ECDH_Z );
3976 }
3977 else
3978 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3979 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3980 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3981 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3982 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3983 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3984 {
3985 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3986 {
3987 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3988 return( ret );
3989 }
3990
3991 if( p != end )
3992 {
3993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3994 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3995 }
3996
3997 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3998 ciphersuite_info->key_exchange ) ) != 0 )
3999 {
4000 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4001 return( ret );
4002 }
4003 }
4004 else
4005 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
4006 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
4007 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
4008 {
4009 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4010 if ( ssl->handshake->async_in_progress != 0 )
4011 {
4012 /* There is an asynchronous operation in progress to
4013 * decrypt the encrypted premaster secret, so skip
4014 * directly to resuming this operation. */
4015 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
4016 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
4017 * won't actually use it, but maintain p anyway for robustness. */
4018 p += ssl->conf->psk_identity_len + 2;
4019 }
4020 else
4021 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4022 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
4023 {
4024 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
4025 return( ret );
4026 }
4027
4028 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
4029 {
4030 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
4031 return( ret );
4032 }
4033
4034 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
4035 ciphersuite_info->key_exchange ) ) != 0 )
4036 {
4037 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4038 return( ret );
4039 }
4040 }
4041 else
4042 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
4043 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
4044 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
4045 {
4046 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
4047 {
4048 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
4049 return( ret );
4050 }
4051 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
4052 {
4053 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
4054 return( ret );
4055 }
4056
4057 if( p != end )
4058 {
4059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
4060 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
4061 }
4062
4063 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
4064 ciphersuite_info->key_exchange ) ) != 0 )
4065 {
4066 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4067 return( ret );
4068 }
4069 }
4070 else
4071 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
4072 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
4073 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
4074 {
4075 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
4076 {
4077 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
4078 return( ret );
4079 }
4080
4081 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
4082 p, end - p ) ) != 0 )
4083 {
4084 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
4085 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
4086 }
4087
4088 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
4089 MBEDTLS_DEBUG_ECDH_QP );
4090
4091 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
4092 ciphersuite_info->key_exchange ) ) != 0 )
4093 {
4094 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4095 return( ret );
4096 }
4097 }
4098 else
4099 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
4100 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
4101 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
4102 {
4103 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
4104 {
4105 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
4106 return( ret );
4107 }
4108 }
4109 else
4110 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
4111 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4112 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4113 {
4114 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
4115 p, end - p );
4116 if( ret != 0 )
4117 {
4118 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
4119 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
4120 }
4121
4122 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
4123 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4124 ssl->conf->f_rng, ssl->conf->p_rng );
4125 if( ret != 0 )
4126 {
4127 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
4128 return( ret );
4129 }
4130 }
4131 else
4132 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
4133 {
4134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4135 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4136 }
4137
4138 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
4139 {
4140 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
4141 return( ret );
4142 }
4143
4144 ssl->state++;
4145
4146 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
4147
4148 return( 0 );
4149 }
4150
4151 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
4152 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
4153 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
4154 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
4155 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
4156 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)4157 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
4158 {
4159 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4160 ssl->transform_negotiate->ciphersuite_info;
4161
4162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4163
4164 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
4165 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
4166 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
4167 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
4168 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4169 {
4170 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4171 ssl->state++;
4172 return( 0 );
4173 }
4174
4175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4176 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4177 }
4178 #else
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)4179 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
4180 {
4181 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4182 size_t i, sig_len;
4183 unsigned char hash[48];
4184 unsigned char *hash_start = hash;
4185 size_t hashlen;
4186 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4187 mbedtls_pk_type_t pk_alg;
4188 #endif
4189 mbedtls_md_type_t md_alg;
4190 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4191 ssl->transform_negotiate->ciphersuite_info;
4192
4193 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4194
4195 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
4196 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
4197 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
4198 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
4199 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
4200 ssl->session_negotiate->peer_cert == NULL )
4201 {
4202 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4203 ssl->state++;
4204 return( 0 );
4205 }
4206
4207 /* Read the message without adding it to the checksum */
4208 ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
4209 if( 0 != ret )
4210 {
4211 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
4212 return( ret );
4213 }
4214
4215 ssl->state++;
4216
4217 /* Process the message contents */
4218 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4219 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
4220 {
4221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4222 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4223 }
4224
4225 i = mbedtls_ssl_hs_hdr_len( ssl );
4226
4227 /*
4228 * struct {
4229 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4230 * opaque signature<0..2^16-1>;
4231 * } DigitallySigned;
4232 */
4233 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4234 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4235 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
4236 {
4237 md_alg = MBEDTLS_MD_NONE;
4238 hashlen = 36;
4239
4240 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
4241 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
4242 MBEDTLS_PK_ECDSA ) )
4243 {
4244 hash_start += 16;
4245 hashlen -= 16;
4246 md_alg = MBEDTLS_MD_SHA1;
4247 }
4248 }
4249 else
4250 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
4251 MBEDTLS_SSL_PROTO_TLS1_1 */
4252 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4253 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
4254 {
4255 if( i + 2 > ssl->in_hslen )
4256 {
4257 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4258 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4259 }
4260
4261 /*
4262 * Hash
4263 */
4264 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
4265
4266 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
4267 {
4268 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4269 " for verify message" ) );
4270 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4271 }
4272
4273 #if !defined(MBEDTLS_MD_SHA1)
4274 if( MBEDTLS_MD_SHA1 == md_alg )
4275 hash_start += 16;
4276 #endif
4277
4278 /* Info from md_alg will be used instead */
4279 hashlen = 0;
4280
4281 i++;
4282
4283 /*
4284 * Signature
4285 */
4286 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
4287 == MBEDTLS_PK_NONE )
4288 {
4289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4290 " for verify message" ) );
4291 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4292 }
4293
4294 /*
4295 * Check the certificate's key type matches the signature alg
4296 */
4297 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
4298 {
4299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
4300 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4301 }
4302
4303 i++;
4304 }
4305 else
4306 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4307 {
4308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4309 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4310 }
4311
4312 if( i + 2 > ssl->in_hslen )
4313 {
4314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4315 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4316 }
4317
4318 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
4319 i += 2;
4320
4321 if( i + sig_len != ssl->in_hslen )
4322 {
4323 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4324 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4325 }
4326
4327 /* Calculate hash and verify signature */
4328 ssl->handshake->calc_verify( ssl, hash );
4329
4330 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
4331 md_alg, hash_start, hashlen,
4332 ssl->in_msg + i, sig_len ) ) != 0 )
4333 {
4334 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
4335 return( ret );
4336 }
4337
4338 mbedtls_ssl_update_handshake_status( ssl );
4339
4340 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
4341
4342 return( ret );
4343 }
4344 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
4345 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
4346 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
4347 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
4348 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
4349 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
4350
4351 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_new_session_ticket(mbedtls_ssl_context * ssl)4352 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
4353 {
4354 int ret;
4355 size_t tlen;
4356 uint32_t lifetime;
4357
4358 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
4359
4360 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4361 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4362
4363 /*
4364 * struct {
4365 * uint32 ticket_lifetime_hint;
4366 * opaque ticket<0..2^16-1>;
4367 * } NewSessionTicket;
4368 *
4369 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4370 * 8 . 9 ticket_len (n)
4371 * 10 . 9+n ticket content
4372 */
4373
4374 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
4375 ssl->session_negotiate,
4376 ssl->out_msg + 10,
4377 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4378 &tlen, &lifetime ) ) != 0 )
4379 {
4380 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
4381 tlen = 0;
4382 }
4383
4384 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
4385 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
4386 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
4387 ssl->out_msg[7] = ( lifetime ) & 0xFF;
4388
4389 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
4390 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
4391
4392 ssl->out_msglen = 10 + tlen;
4393
4394 /*
4395 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4396 * ChangeCipherSpec share the same state.
4397 */
4398 ssl->handshake->new_session_ticket = 0;
4399
4400 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
4401 {
4402 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
4403 return( ret );
4404 }
4405
4406 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
4407
4408 return( 0 );
4409 }
4410 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4411
4412 /*
4413 * SSL handshake -- server side -- single step
4414 */
mbedtls_ssl_handshake_server_step(mbedtls_ssl_context * ssl)4415 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
4416 {
4417 int ret = 0;
4418
4419 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
4420 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4421
4422 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
4423
4424 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
4425 return( ret );
4426
4427 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4428 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4429 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
4430 {
4431 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
4432 return( ret );
4433 }
4434 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4435
4436 switch( ssl->state )
4437 {
4438 case MBEDTLS_SSL_HELLO_REQUEST:
4439 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4440 break;
4441
4442 /*
4443 * <== ClientHello
4444 */
4445 case MBEDTLS_SSL_CLIENT_HELLO:
4446 ret = ssl_parse_client_hello( ssl );
4447 break;
4448
4449 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4450 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4451 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4452 #endif
4453
4454 /*
4455 * ==> ServerHello
4456 * Certificate
4457 * ( ServerKeyExchange )
4458 * ( CertificateRequest )
4459 * ServerHelloDone
4460 */
4461 case MBEDTLS_SSL_SERVER_HELLO:
4462 ret = ssl_write_server_hello( ssl );
4463 break;
4464
4465 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4466 ret = mbedtls_ssl_write_certificate( ssl );
4467 break;
4468
4469 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4470 ret = ssl_write_server_key_exchange( ssl );
4471 break;
4472
4473 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4474 ret = ssl_write_certificate_request( ssl );
4475 break;
4476
4477 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4478 ret = ssl_write_server_hello_done( ssl );
4479 break;
4480
4481 /*
4482 * <== ( Certificate/Alert )
4483 * ClientKeyExchange
4484 * ( CertificateVerify )
4485 * ChangeCipherSpec
4486 * Finished
4487 */
4488 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4489 ret = mbedtls_ssl_parse_certificate( ssl );
4490 break;
4491
4492 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4493 ret = ssl_parse_client_key_exchange( ssl );
4494 break;
4495
4496 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4497 ret = ssl_parse_certificate_verify( ssl );
4498 break;
4499
4500 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4501 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
4502 break;
4503
4504 case MBEDTLS_SSL_CLIENT_FINISHED:
4505 ret = mbedtls_ssl_parse_finished( ssl );
4506 break;
4507
4508 /*
4509 * ==> ( NewSessionTicket )
4510 * ChangeCipherSpec
4511 * Finished
4512 */
4513 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4514 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4515 if( ssl->handshake->new_session_ticket != 0 )
4516 ret = ssl_write_new_session_ticket( ssl );
4517 else
4518 #endif
4519 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
4520 break;
4521
4522 case MBEDTLS_SSL_SERVER_FINISHED:
4523 ret = mbedtls_ssl_write_finished( ssl );
4524 break;
4525
4526 case MBEDTLS_SSL_FLUSH_BUFFERS:
4527 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4528 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4529 break;
4530
4531 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4532 mbedtls_ssl_handshake_wrapup( ssl );
4533 break;
4534
4535 default:
4536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4537 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4538 }
4539
4540 return( ret );
4541 }
4542 #endif /* MBEDTLS_SSL_SRV_C */
4543