1 /* 2 * SSLv3/TLSv1 client-side functions 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 24 #if !defined(MBEDTLS_CONFIG_FILE) 25 #include "mbedtls/config.h" 26 #else 27 #include MBEDTLS_CONFIG_FILE 28 #endif 29 30 #if defined(MBEDTLS_SSL_CLI_C) 31 32 #if defined(MBEDTLS_PLATFORM_C) 33 #include "mbedtls/platform.h" 34 #else 35 #include <stdlib.h> 36 #define mbedtls_calloc calloc 37 #define mbedtls_free free 38 #endif 39 40 #include "mbedtls/debug.h" 41 #include "mbedtls/ssl.h" 42 #include "mbedtls/ssl_internal.h" 43 44 #include <string.h> 45 46 #include <stdint.h> 47 48 #if defined(MBEDTLS_HAVE_TIME) 49 #include "mbedtls/platform_time.h" 50 #endif 51 52 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 53 /* Implementation that should never be optimized out by the compiler */ 54 static void mbedtls_zeroize( void *v, size_t n ) { 55 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 56 } 57 #endif 58 59 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 60 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 61 unsigned char *buf, 62 size_t *olen ) 63 { 64 unsigned char *p = buf; 65 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 66 size_t hostname_len; 67 68 *olen = 0; 69 70 if( ssl->hostname == NULL ) 71 return; 72 73 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 74 ssl->hostname ) ); 75 76 hostname_len = strlen( ssl->hostname ); 77 78 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 79 { 80 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 81 return; 82 } 83 84 /* 85 * Sect. 3, RFC 6066 (TLS Extensions Definitions) 86 * 87 * In order to provide any of the server names, clients MAY include an 88 * extension of type "server_name" in the (extended) client hello. The 89 * "extension_data" field of this extension SHALL contain 90 * "ServerNameList" where: 91 * 92 * struct { 93 * NameType name_type; 94 * select (name_type) { 95 * case host_name: HostName; 96 * } name; 97 * } ServerName; 98 * 99 * enum { 100 * host_name(0), (255) 101 * } NameType; 102 * 103 * opaque HostName<1..2^16-1>; 104 * 105 * struct { 106 * ServerName server_name_list<1..2^16-1> 107 * } ServerNameList; 108 * 109 */ 110 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 111 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 112 113 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 114 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 115 116 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 117 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 118 119 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 120 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 121 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 122 123 memcpy( p, ssl->hostname, hostname_len ); 124 125 *olen = hostname_len + 9; 126 } 127 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 128 129 #if defined(MBEDTLS_SSL_RENEGOTIATION) 130 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 131 unsigned char *buf, 132 size_t *olen ) 133 { 134 unsigned char *p = buf; 135 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 136 137 *olen = 0; 138 139 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 140 * initial ClientHello, in which case also adding the renegotiation 141 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 142 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 143 return; 144 145 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 146 147 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 148 { 149 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 150 return; 151 } 152 153 /* 154 * Secure renegotiation 155 */ 156 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 157 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 158 159 *p++ = 0x00; 160 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 161 *p++ = ssl->verify_data_len & 0xFF; 162 163 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 164 165 *olen = 5 + ssl->verify_data_len; 166 } 167 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 168 169 /* 170 * Only if we handle at least one key exchange that needs signatures. 171 */ 172 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 173 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 174 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 175 unsigned char *buf, 176 size_t *olen ) 177 { 178 unsigned char *p = buf; 179 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 180 size_t sig_alg_len = 0; 181 const int *md; 182 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 183 unsigned char *sig_alg_list = buf + 6; 184 #endif 185 186 *olen = 0; 187 188 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 189 return; 190 191 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 192 193 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 194 { 195 #if defined(MBEDTLS_ECDSA_C) 196 sig_alg_len += 2; 197 #endif 198 #if defined(MBEDTLS_RSA_C) 199 sig_alg_len += 2; 200 #endif 201 } 202 203 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 204 { 205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 206 return; 207 } 208 209 /* 210 * Prepare signature_algorithms extension (TLS 1.2) 211 */ 212 sig_alg_len = 0; 213 214 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 215 { 216 #if defined(MBEDTLS_ECDSA_C) 217 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 218 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 219 #endif 220 #if defined(MBEDTLS_RSA_C) 221 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 222 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 223 #endif 224 } 225 226 /* 227 * enum { 228 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 229 * sha512(6), (255) 230 * } HashAlgorithm; 231 * 232 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 233 * SignatureAlgorithm; 234 * 235 * struct { 236 * HashAlgorithm hash; 237 * SignatureAlgorithm signature; 238 * } SignatureAndHashAlgorithm; 239 * 240 * SignatureAndHashAlgorithm 241 * supported_signature_algorithms<2..2^16-2>; 242 */ 243 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 244 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 245 246 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 247 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 248 249 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 250 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 251 252 *olen = 6 + sig_alg_len; 253 } 254 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 255 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 256 257 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 258 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 259 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 260 unsigned char *buf, 261 size_t *olen ) 262 { 263 unsigned char *p = buf; 264 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 265 unsigned char *elliptic_curve_list = p + 6; 266 size_t elliptic_curve_len = 0; 267 const mbedtls_ecp_curve_info *info; 268 #if defined(MBEDTLS_ECP_C) 269 const mbedtls_ecp_group_id *grp_id; 270 #else 271 ((void) ssl); 272 #endif 273 274 *olen = 0; 275 276 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 277 278 #if defined(MBEDTLS_ECP_C) 279 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 280 #else 281 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 282 #endif 283 { 284 #if defined(MBEDTLS_ECP_C) 285 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 286 #endif 287 if( info == NULL ) 288 { 289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 290 return; 291 } 292 293 elliptic_curve_len += 2; 294 } 295 296 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 297 { 298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 299 return; 300 } 301 302 elliptic_curve_len = 0; 303 304 #if defined(MBEDTLS_ECP_C) 305 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 306 #else 307 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 308 #endif 309 { 310 #if defined(MBEDTLS_ECP_C) 311 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 312 #endif 313 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 314 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 315 } 316 317 if( elliptic_curve_len == 0 ) 318 return; 319 320 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 321 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 322 323 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 324 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 325 326 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 327 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 328 329 *olen = 6 + elliptic_curve_len; 330 } 331 332 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 333 unsigned char *buf, 334 size_t *olen ) 335 { 336 unsigned char *p = buf; 337 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 338 339 *olen = 0; 340 341 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 342 343 if( end < p || (size_t)( end - p ) < 6 ) 344 { 345 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 346 return; 347 } 348 349 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 350 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 351 352 *p++ = 0x00; 353 *p++ = 2; 354 355 *p++ = 1; 356 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 357 358 *olen = 6; 359 } 360 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 361 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 362 363 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 364 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 365 unsigned char *buf, 366 size_t *olen ) 367 { 368 int ret; 369 unsigned char *p = buf; 370 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 371 size_t kkpp_len; 372 373 *olen = 0; 374 375 /* Skip costly extension if we can't use EC J-PAKE anyway */ 376 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 377 return; 378 379 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 380 381 if( end - p < 4 ) 382 { 383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 384 return; 385 } 386 387 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 388 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 389 390 /* 391 * We may need to send ClientHello multiple times for Hello verification. 392 * We don't want to compute fresh values every time (both for performance 393 * and consistency reasons), so cache the extension content. 394 */ 395 if( ssl->handshake->ecjpake_cache == NULL || 396 ssl->handshake->ecjpake_cache_len == 0 ) 397 { 398 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 399 400 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 401 p + 2, end - p - 2, &kkpp_len, 402 ssl->conf->f_rng, ssl->conf->p_rng ); 403 if( ret != 0 ) 404 { 405 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 406 return; 407 } 408 409 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 410 if( ssl->handshake->ecjpake_cache == NULL ) 411 { 412 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 413 return; 414 } 415 416 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 417 ssl->handshake->ecjpake_cache_len = kkpp_len; 418 } 419 else 420 { 421 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 422 423 kkpp_len = ssl->handshake->ecjpake_cache_len; 424 425 if( (size_t)( end - p - 2 ) < kkpp_len ) 426 { 427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 428 return; 429 } 430 431 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 432 } 433 434 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 435 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 436 437 *olen = kkpp_len + 4; 438 } 439 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 440 441 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 442 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 443 unsigned char *buf, 444 size_t *olen ) 445 { 446 unsigned char *p = buf; 447 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 448 449 *olen = 0; 450 451 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 452 return; 453 } 454 455 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 456 457 if( end < p || (size_t)( end - p ) < 5 ) 458 { 459 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 460 return; 461 } 462 463 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 464 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 465 466 *p++ = 0x00; 467 *p++ = 1; 468 469 *p++ = ssl->conf->mfl_code; 470 471 *olen = 5; 472 } 473 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 474 475 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 476 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 477 unsigned char *buf, size_t *olen ) 478 { 479 unsigned char *p = buf; 480 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 481 482 *olen = 0; 483 484 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 485 { 486 return; 487 } 488 489 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 490 491 if( end < p || (size_t)( end - p ) < 4 ) 492 { 493 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 494 return; 495 } 496 497 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 498 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 499 500 *p++ = 0x00; 501 *p++ = 0x00; 502 503 *olen = 4; 504 } 505 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 506 507 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 508 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 509 unsigned char *buf, size_t *olen ) 510 { 511 unsigned char *p = buf; 512 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 513 514 *olen = 0; 515 516 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 517 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 518 { 519 return; 520 } 521 522 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 523 "extension" ) ); 524 525 if( end < p || (size_t)( end - p ) < 4 ) 526 { 527 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 528 return; 529 } 530 531 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 532 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 533 534 *p++ = 0x00; 535 *p++ = 0x00; 536 537 *olen = 4; 538 } 539 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 540 541 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 542 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 543 unsigned char *buf, size_t *olen ) 544 { 545 unsigned char *p = buf; 546 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 547 548 *olen = 0; 549 550 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 551 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 552 { 553 return; 554 } 555 556 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 557 "extension" ) ); 558 559 if( end < p || (size_t)( end - p ) < 4 ) 560 { 561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 562 return; 563 } 564 565 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 566 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 567 568 *p++ = 0x00; 569 *p++ = 0x00; 570 571 *olen = 4; 572 } 573 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 574 575 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 576 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 577 unsigned char *buf, size_t *olen ) 578 { 579 unsigned char *p = buf; 580 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 581 size_t tlen = ssl->session_negotiate->ticket_len; 582 583 *olen = 0; 584 585 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 586 { 587 return; 588 } 589 590 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 591 592 if( end < p || (size_t)( end - p ) < 4 + tlen ) 593 { 594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 595 return; 596 } 597 598 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 599 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 600 601 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 602 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 603 604 *olen = 4; 605 606 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 607 { 608 return; 609 } 610 611 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 612 613 memcpy( p, ssl->session_negotiate->ticket, tlen ); 614 615 *olen += tlen; 616 } 617 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 618 619 #if defined(MBEDTLS_SSL_ALPN) 620 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 621 unsigned char *buf, size_t *olen ) 622 { 623 unsigned char *p = buf; 624 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 625 size_t alpnlen = 0; 626 const char **cur; 627 628 *olen = 0; 629 630 if( ssl->conf->alpn_list == NULL ) 631 { 632 return; 633 } 634 635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 636 637 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 638 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 639 640 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 641 { 642 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 643 return; 644 } 645 646 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 647 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 648 649 /* 650 * opaque ProtocolName<1..2^8-1>; 651 * 652 * struct { 653 * ProtocolName protocol_name_list<2..2^16-1> 654 * } ProtocolNameList; 655 */ 656 657 /* Skip writing extension and list length for now */ 658 p += 4; 659 660 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 661 { 662 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 663 memcpy( p + 1, *cur, *p ); 664 p += 1 + *p; 665 } 666 667 *olen = p - buf; 668 669 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 670 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 671 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 672 673 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 674 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 675 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 676 } 677 #endif /* MBEDTLS_SSL_ALPN */ 678 679 /* 680 * Generate random bytes for ClientHello 681 */ 682 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 683 { 684 int ret; 685 unsigned char *p = ssl->handshake->randbytes; 686 #if defined(MBEDTLS_HAVE_TIME) 687 mbedtls_time_t t; 688 #endif 689 690 /* 691 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 692 */ 693 #if defined(MBEDTLS_SSL_PROTO_DTLS) 694 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 695 ssl->handshake->verify_cookie != NULL ) 696 { 697 return( 0 ); 698 } 699 #endif 700 701 #if defined(MBEDTLS_HAVE_TIME) 702 t = mbedtls_time( NULL ); 703 *p++ = (unsigned char)( t >> 24 ); 704 *p++ = (unsigned char)( t >> 16 ); 705 *p++ = (unsigned char)( t >> 8 ); 706 *p++ = (unsigned char)( t ); 707 708 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 709 #else 710 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 711 return( ret ); 712 713 p += 4; 714 #endif /* MBEDTLS_HAVE_TIME */ 715 716 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 717 return( ret ); 718 719 return( 0 ); 720 } 721 722 /** 723 * \brief Validate cipher suite against config in SSL context. 724 * 725 * \param suite_info cipher suite to validate 726 * \param ssl SSL context 727 * \param min_minor_ver Minimal minor version to accept a cipher suite 728 * \param max_minor_ver Maximal minor version to accept a cipher suite 729 * 730 * \return 0 if valid, else 1 731 */ 732 static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info, 733 const mbedtls_ssl_context * ssl, 734 int min_minor_ver, int max_minor_ver ) 735 { 736 (void) ssl; 737 if( suite_info == NULL ) 738 return( 1 ); 739 740 if( suite_info->min_minor_ver > max_minor_ver || 741 suite_info->max_minor_ver < min_minor_ver ) 742 return( 1 ); 743 744 #if defined(MBEDTLS_SSL_PROTO_DTLS) 745 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 746 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 747 return( 1 ); 748 #endif 749 750 #if defined(MBEDTLS_ARC4_C) 751 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 752 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 753 return( 1 ); 754 #endif 755 756 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 757 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 758 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 759 return( 1 ); 760 #endif 761 762 return( 0 ); 763 } 764 765 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 766 { 767 int ret; 768 size_t i, n, olen, ext_len = 0; 769 unsigned char *buf; 770 unsigned char *p, *q; 771 unsigned char offer_compress; 772 const int *ciphersuites; 773 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 774 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 775 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 776 int uses_ec = 0; 777 #endif 778 779 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 780 781 if( ssl->conf->f_rng == NULL ) 782 { 783 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 784 return( MBEDTLS_ERR_SSL_NO_RNG ); 785 } 786 787 #if defined(MBEDTLS_SSL_RENEGOTIATION) 788 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 789 #endif 790 { 791 ssl->major_ver = ssl->conf->min_major_ver; 792 ssl->minor_ver = ssl->conf->min_minor_ver; 793 } 794 795 if( ssl->conf->max_major_ver == 0 ) 796 { 797 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 798 "consider using mbedtls_ssl_config_defaults()" ) ); 799 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 800 } 801 802 /* 803 * 0 . 0 handshake type 804 * 1 . 3 handshake length 805 * 4 . 5 highest version supported 806 * 6 . 9 current UNIX time 807 * 10 . 37 random bytes 808 */ 809 buf = ssl->out_msg; 810 p = buf + 4; 811 812 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 813 ssl->conf->transport, p ); 814 p += 2; 815 816 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 817 buf[4], buf[5] ) ); 818 819 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 820 { 821 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 822 return( ret ); 823 } 824 825 memcpy( p, ssl->handshake->randbytes, 32 ); 826 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 827 p += 32; 828 829 /* 830 * 38 . 38 session id length 831 * 39 . 39+n session id 832 * 39+n . 39+n DTLS only: cookie length (1 byte) 833 * 40+n . .. DTSL only: cookie 834 * .. . .. ciphersuitelist length (2 bytes) 835 * .. . .. ciphersuitelist 836 * .. . .. compression methods length (1 byte) 837 * .. . .. compression methods 838 * .. . .. extensions length (2 bytes) 839 * .. . .. extensions 840 */ 841 n = ssl->session_negotiate->id_len; 842 843 if( n < 16 || n > 32 || 844 #if defined(MBEDTLS_SSL_RENEGOTIATION) 845 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 846 #endif 847 ssl->handshake->resume == 0 ) 848 { 849 n = 0; 850 } 851 852 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 853 /* 854 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 855 * generate and include a Session ID in the TLS ClientHello." 856 */ 857 #if defined(MBEDTLS_SSL_RENEGOTIATION) 858 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 859 #endif 860 { 861 if( ssl->session_negotiate->ticket != NULL && 862 ssl->session_negotiate->ticket_len != 0 ) 863 { 864 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 865 866 if( ret != 0 ) 867 return( ret ); 868 869 ssl->session_negotiate->id_len = n = 32; 870 } 871 } 872 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 873 874 *p++ = (unsigned char) n; 875 876 for( i = 0; i < n; i++ ) 877 *p++ = ssl->session_negotiate->id[i]; 878 879 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 880 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 881 882 /* 883 * DTLS cookie 884 */ 885 #if defined(MBEDTLS_SSL_PROTO_DTLS) 886 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 887 { 888 if( ssl->handshake->verify_cookie == NULL ) 889 { 890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 891 *p++ = 0; 892 } 893 else 894 { 895 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 896 ssl->handshake->verify_cookie, 897 ssl->handshake->verify_cookie_len ); 898 899 *p++ = ssl->handshake->verify_cookie_len; 900 memcpy( p, ssl->handshake->verify_cookie, 901 ssl->handshake->verify_cookie_len ); 902 p += ssl->handshake->verify_cookie_len; 903 } 904 } 905 #endif 906 907 /* 908 * Ciphersuite list 909 */ 910 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 911 912 /* Skip writing ciphersuite length for now */ 913 n = 0; 914 q = p; 915 p += 2; 916 917 for( i = 0; ciphersuites[i] != 0; i++ ) 918 { 919 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 920 921 if( ssl_validate_ciphersuite( ciphersuite_info, ssl, 922 ssl->conf->min_minor_ver, 923 ssl->conf->max_minor_ver ) != 0 ) 924 continue; 925 926 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 927 ciphersuites[i] ) ); 928 929 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 930 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 931 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info ); 932 #endif 933 934 n++; 935 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 936 *p++ = (unsigned char)( ciphersuites[i] ); 937 } 938 939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) ); 940 941 /* 942 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 943 */ 944 #if defined(MBEDTLS_SSL_RENEGOTIATION) 945 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 946 #endif 947 { 948 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); 949 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 950 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 951 n++; 952 } 953 954 /* Some versions of OpenSSL don't handle it correctly if not at end */ 955 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 956 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 957 { 958 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 959 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 960 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 961 n++; 962 } 963 #endif 964 965 *q++ = (unsigned char)( n >> 7 ); 966 *q++ = (unsigned char)( n << 1 ); 967 968 #if defined(MBEDTLS_ZLIB_SUPPORT) 969 offer_compress = 1; 970 #else 971 offer_compress = 0; 972 #endif 973 974 /* 975 * We don't support compression with DTLS right now: if many records come 976 * in the same datagram, uncompressing one could overwrite the next one. 977 * We don't want to add complexity for handling that case unless there is 978 * an actual need for it. 979 */ 980 #if defined(MBEDTLS_SSL_PROTO_DTLS) 981 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 982 offer_compress = 0; 983 #endif 984 985 if( offer_compress ) 986 { 987 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 988 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 989 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 990 991 *p++ = 2; 992 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 993 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 994 } 995 else 996 { 997 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 998 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 999 MBEDTLS_SSL_COMPRESS_NULL ) ); 1000 1001 *p++ = 1; 1002 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 1003 } 1004 1005 // First write extensions, then the total length 1006 // 1007 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1008 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 1009 ext_len += olen; 1010 #endif 1011 1012 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 1013 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 1014 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1015 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 1016 ext_len += olen; 1017 #endif 1018 1019 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 1020 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 1021 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 1022 ext_len += olen; 1023 #endif 1024 1025 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1026 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1027 if( uses_ec ) 1028 { 1029 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 1030 ext_len += olen; 1031 1032 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 1033 ext_len += olen; 1034 } 1035 #endif 1036 1037 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1038 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 1039 ext_len += olen; 1040 #endif 1041 1042 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1043 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 1044 ext_len += olen; 1045 #endif 1046 1047 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 1048 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 1049 ext_len += olen; 1050 #endif 1051 1052 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1053 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 1054 ext_len += olen; 1055 #endif 1056 1057 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1058 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 1059 ext_len += olen; 1060 #endif 1061 1062 #if defined(MBEDTLS_SSL_ALPN) 1063 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 1064 ext_len += olen; 1065 #endif 1066 1067 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1068 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 1069 ext_len += olen; 1070 #endif 1071 1072 /* olen unused if all extensions are disabled */ 1073 ((void) olen); 1074 1075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 1076 ext_len ) ); 1077 1078 if( ext_len > 0 ) 1079 { 1080 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 1081 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 1082 p += ext_len; 1083 } 1084 1085 ssl->out_msglen = p - buf; 1086 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 1087 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 1088 1089 ssl->state++; 1090 1091 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1092 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1093 mbedtls_ssl_send_flight_completed( ssl ); 1094 #endif 1095 1096 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 1097 { 1098 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 1099 return( ret ); 1100 } 1101 1102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 1103 1104 return( 0 ); 1105 } 1106 1107 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 1108 const unsigned char *buf, 1109 size_t len ) 1110 { 1111 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1112 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 1113 { 1114 /* Check verify-data in constant-time. The length OTOH is no secret */ 1115 if( len != 1 + ssl->verify_data_len * 2 || 1116 buf[0] != ssl->verify_data_len * 2 || 1117 mbedtls_ssl_safer_memcmp( buf + 1, 1118 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 1119 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 1120 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 1121 { 1122 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 1123 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1124 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1125 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1126 } 1127 } 1128 else 1129 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1130 { 1131 if( len != 1 || buf[0] != 0x00 ) 1132 { 1133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 1134 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1135 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1136 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1137 } 1138 1139 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 1140 } 1141 1142 return( 0 ); 1143 } 1144 1145 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1146 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 1147 const unsigned char *buf, 1148 size_t len ) 1149 { 1150 /* 1151 * server should use the extension only if we did, 1152 * and if so the server's value should match ours (and len is always 1) 1153 */ 1154 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 1155 len != 1 || 1156 buf[0] != ssl->conf->mfl_code ) 1157 { 1158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 1159 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1160 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1161 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1162 } 1163 1164 return( 0 ); 1165 } 1166 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1167 1168 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 1169 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 1170 const unsigned char *buf, 1171 size_t len ) 1172 { 1173 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 1174 len != 0 ) 1175 { 1176 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 1177 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1178 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1179 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1180 } 1181 1182 ((void) buf); 1183 1184 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 1185 1186 return( 0 ); 1187 } 1188 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 1189 1190 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1191 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 1192 const unsigned char *buf, 1193 size_t len ) 1194 { 1195 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 1196 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 1197 len != 0 ) 1198 { 1199 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 1200 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1201 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1202 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1203 } 1204 1205 ((void) buf); 1206 1207 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 1208 1209 return( 0 ); 1210 } 1211 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1212 1213 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1214 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 1215 const unsigned char *buf, 1216 size_t len ) 1217 { 1218 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 1219 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 1220 len != 0 ) 1221 { 1222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 1223 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1224 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1225 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1226 } 1227 1228 ((void) buf); 1229 1230 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 1231 1232 return( 0 ); 1233 } 1234 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1235 1236 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1237 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 1238 const unsigned char *buf, 1239 size_t len ) 1240 { 1241 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 1242 len != 0 ) 1243 { 1244 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 1245 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1246 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1247 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1248 } 1249 1250 ((void) buf); 1251 1252 ssl->handshake->new_session_ticket = 1; 1253 1254 return( 0 ); 1255 } 1256 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1257 1258 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1259 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1260 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 1261 const unsigned char *buf, 1262 size_t len ) 1263 { 1264 size_t list_size; 1265 const unsigned char *p; 1266 1267 if( len == 0 || (size_t)( buf[0] + 1 ) != len ) 1268 { 1269 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1270 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1271 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1272 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1273 } 1274 list_size = buf[0]; 1275 1276 p = buf + 1; 1277 while( list_size > 0 ) 1278 { 1279 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 1280 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 1281 { 1282 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 1283 ssl->handshake->ecdh_ctx.point_format = p[0]; 1284 #endif 1285 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1286 ssl->handshake->ecjpake_ctx.point_format = p[0]; 1287 #endif 1288 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 1289 return( 0 ); 1290 } 1291 1292 list_size--; 1293 p++; 1294 } 1295 1296 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 1297 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1298 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1299 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1300 } 1301 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1302 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1303 1304 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1305 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 1306 const unsigned char *buf, 1307 size_t len ) 1308 { 1309 int ret; 1310 1311 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 1312 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 1313 { 1314 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 1315 return( 0 ); 1316 } 1317 1318 /* If we got here, we no longer need our cached extension */ 1319 mbedtls_free( ssl->handshake->ecjpake_cache ); 1320 ssl->handshake->ecjpake_cache = NULL; 1321 ssl->handshake->ecjpake_cache_len = 0; 1322 1323 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 1324 buf, len ) ) != 0 ) 1325 { 1326 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 1327 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1328 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1329 return( ret ); 1330 } 1331 1332 return( 0 ); 1333 } 1334 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1335 1336 #if defined(MBEDTLS_SSL_ALPN) 1337 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 1338 const unsigned char *buf, size_t len ) 1339 { 1340 size_t list_len, name_len; 1341 const char **p; 1342 1343 /* If we didn't send it, the server shouldn't send it */ 1344 if( ssl->conf->alpn_list == NULL ) 1345 { 1346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 1347 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1348 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1349 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1350 } 1351 1352 /* 1353 * opaque ProtocolName<1..2^8-1>; 1354 * 1355 * struct { 1356 * ProtocolName protocol_name_list<2..2^16-1> 1357 * } ProtocolNameList; 1358 * 1359 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 1360 */ 1361 1362 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 1363 if( len < 4 ) 1364 { 1365 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1366 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1367 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1368 } 1369 1370 list_len = ( buf[0] << 8 ) | buf[1]; 1371 if( list_len != len - 2 ) 1372 { 1373 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1374 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1375 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1376 } 1377 1378 name_len = buf[2]; 1379 if( name_len != list_len - 1 ) 1380 { 1381 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1382 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1383 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1384 } 1385 1386 /* Check that the server chosen protocol was in our list and save it */ 1387 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 1388 { 1389 if( name_len == strlen( *p ) && 1390 memcmp( buf + 3, *p, name_len ) == 0 ) 1391 { 1392 ssl->alpn_chosen = *p; 1393 return( 0 ); 1394 } 1395 } 1396 1397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 1398 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1399 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1400 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1401 } 1402 #endif /* MBEDTLS_SSL_ALPN */ 1403 1404 /* 1405 * Parse HelloVerifyRequest. Only called after verifying the HS type. 1406 */ 1407 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1408 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 1409 { 1410 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 1411 int major_ver, minor_ver; 1412 unsigned char cookie_len; 1413 1414 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 1415 1416 /* 1417 * struct { 1418 * ProtocolVersion server_version; 1419 * opaque cookie<0..2^8-1>; 1420 * } HelloVerifyRequest; 1421 */ 1422 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 1423 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 1424 p += 2; 1425 1426 /* 1427 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 1428 * even is lower than our min version. 1429 */ 1430 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 1431 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 1432 major_ver > ssl->conf->max_major_ver || 1433 minor_ver > ssl->conf->max_minor_ver ) 1434 { 1435 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 1436 1437 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1438 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 1439 1440 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 1441 } 1442 1443 cookie_len = *p++; 1444 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 1445 1446 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 1447 { 1448 MBEDTLS_SSL_DEBUG_MSG( 1, 1449 ( "cookie length does not match incoming message size" ) ); 1450 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1451 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1452 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1453 } 1454 1455 mbedtls_free( ssl->handshake->verify_cookie ); 1456 1457 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 1458 if( ssl->handshake->verify_cookie == NULL ) 1459 { 1460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 1461 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 1462 } 1463 1464 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 1465 ssl->handshake->verify_cookie_len = cookie_len; 1466 1467 /* Start over at ClientHello */ 1468 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 1469 mbedtls_ssl_reset_checksum( ssl ); 1470 1471 mbedtls_ssl_recv_flight_completed( ssl ); 1472 1473 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 1474 1475 return( 0 ); 1476 } 1477 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1478 1479 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 1480 { 1481 int ret, i; 1482 size_t n; 1483 size_t ext_len; 1484 unsigned char *buf, *ext; 1485 unsigned char comp; 1486 #if defined(MBEDTLS_ZLIB_SUPPORT) 1487 int accept_comp; 1488 #endif 1489 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1490 int renegotiation_info_seen = 0; 1491 #endif 1492 int handshake_failure = 0; 1493 const mbedtls_ssl_ciphersuite_t *suite_info; 1494 1495 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 1496 1497 buf = ssl->in_msg; 1498 1499 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 1500 { 1501 /* No alert on a read error. */ 1502 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 1503 return( ret ); 1504 } 1505 1506 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 1507 { 1508 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1509 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 1510 { 1511 ssl->renego_records_seen++; 1512 1513 if( ssl->conf->renego_max_records >= 0 && 1514 ssl->renego_records_seen > ssl->conf->renego_max_records ) 1515 { 1516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 1517 "but not honored by server" ) ); 1518 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 1519 } 1520 1521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 1522 1523 ssl->keep_current_message = 1; 1524 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 1525 } 1526 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1527 1528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1529 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1530 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 1531 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 1532 } 1533 1534 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1535 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1536 { 1537 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 1538 { 1539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 1540 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 1541 return( ssl_parse_hello_verify_request( ssl ) ); 1542 } 1543 else 1544 { 1545 /* We made it through the verification process */ 1546 mbedtls_free( ssl->handshake->verify_cookie ); 1547 ssl->handshake->verify_cookie = NULL; 1548 ssl->handshake->verify_cookie_len = 0; 1549 } 1550 } 1551 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1552 1553 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 1554 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 1555 { 1556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1557 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1558 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1559 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1560 } 1561 1562 /* 1563 * 0 . 1 server_version 1564 * 2 . 33 random (maybe including 4 bytes of Unix time) 1565 * 34 . 34 session_id length = n 1566 * 35 . 34+n session_id 1567 * 35+n . 36+n cipher_suite 1568 * 37+n . 37+n compression_method 1569 * 1570 * 38+n . 39+n extensions length (optional) 1571 * 40+n . .. extensions 1572 */ 1573 buf += mbedtls_ssl_hs_hdr_len( ssl ); 1574 1575 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 1576 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 1577 ssl->conf->transport, buf + 0 ); 1578 1579 if( ssl->major_ver < ssl->conf->min_major_ver || 1580 ssl->minor_ver < ssl->conf->min_minor_ver || 1581 ssl->major_ver > ssl->conf->max_major_ver || 1582 ssl->minor_ver > ssl->conf->max_minor_ver ) 1583 { 1584 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 1585 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 1586 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 1587 ssl->major_ver, ssl->minor_ver, 1588 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 1589 1590 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1591 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 1592 1593 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 1594 } 1595 1596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", 1597 ( (uint32_t) buf[2] << 24 ) | 1598 ( (uint32_t) buf[3] << 16 ) | 1599 ( (uint32_t) buf[4] << 8 ) | 1600 ( (uint32_t) buf[5] ) ) ); 1601 1602 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 1603 1604 n = buf[34]; 1605 1606 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 1607 1608 if( n > 32 ) 1609 { 1610 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1611 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1612 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1613 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1614 } 1615 1616 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 1617 { 1618 ext_len = ( ( buf[38 + n] << 8 ) 1619 | ( buf[39 + n] ) ); 1620 1621 if( ( ext_len > 0 && ext_len < 4 ) || 1622 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 1623 { 1624 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1625 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1626 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1627 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1628 } 1629 } 1630 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 1631 { 1632 ext_len = 0; 1633 } 1634 else 1635 { 1636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1637 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1638 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1639 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1640 } 1641 1642 /* ciphersuite (used later) */ 1643 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 1644 1645 /* 1646 * Read and check compression 1647 */ 1648 comp = buf[37 + n]; 1649 1650 #if defined(MBEDTLS_ZLIB_SUPPORT) 1651 /* See comments in ssl_write_client_hello() */ 1652 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1653 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 1654 accept_comp = 0; 1655 else 1656 #endif 1657 accept_comp = 1; 1658 1659 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 1660 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 1661 #else /* MBEDTLS_ZLIB_SUPPORT */ 1662 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 1663 #endif/* MBEDTLS_ZLIB_SUPPORT */ 1664 { 1665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 1666 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1667 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1668 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 1669 } 1670 1671 /* 1672 * Initialize update checksum functions 1673 */ 1674 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 1675 1676 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 1677 { 1678 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 1679 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1680 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 1681 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 1682 } 1683 1684 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 1685 1686 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 1687 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 1688 1689 /* 1690 * Check if the session can be resumed 1691 */ 1692 if( ssl->handshake->resume == 0 || n == 0 || 1693 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1694 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 1695 #endif 1696 ssl->session_negotiate->ciphersuite != i || 1697 ssl->session_negotiate->compression != comp || 1698 ssl->session_negotiate->id_len != n || 1699 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 1700 { 1701 ssl->state++; 1702 ssl->handshake->resume = 0; 1703 #if defined(MBEDTLS_HAVE_TIME) 1704 ssl->session_negotiate->start = mbedtls_time( NULL ); 1705 #endif 1706 ssl->session_negotiate->ciphersuite = i; 1707 ssl->session_negotiate->compression = comp; 1708 ssl->session_negotiate->id_len = n; 1709 memcpy( ssl->session_negotiate->id, buf + 35, n ); 1710 } 1711 else 1712 { 1713 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 1714 1715 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 1716 { 1717 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 1718 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1719 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 1720 return( ret ); 1721 } 1722 } 1723 1724 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 1725 ssl->handshake->resume ? "a" : "no" ) ); 1726 1727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 1728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 1729 1730 /* 1731 * Perform cipher suite validation in same way as in ssl_write_client_hello. 1732 */ 1733 i = 0; 1734 while( 1 ) 1735 { 1736 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 1737 { 1738 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1739 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1740 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1741 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1742 } 1743 1744 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 1745 ssl->session_negotiate->ciphersuite ) 1746 { 1747 break; 1748 } 1749 } 1750 1751 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 1752 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 ) 1753 { 1754 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1755 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1756 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1757 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1758 } 1759 1760 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 1761 1762 if( comp != MBEDTLS_SSL_COMPRESS_NULL 1763 #if defined(MBEDTLS_ZLIB_SUPPORT) 1764 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 1765 #endif 1766 ) 1767 { 1768 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1769 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1770 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 1771 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1772 } 1773 ssl->session_negotiate->compression = comp; 1774 1775 ext = buf + 40 + n; 1776 1777 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 1778 1779 while( ext_len ) 1780 { 1781 unsigned int ext_id = ( ( ext[0] << 8 ) 1782 | ( ext[1] ) ); 1783 unsigned int ext_size = ( ( ext[2] << 8 ) 1784 | ( ext[3] ) ); 1785 1786 if( ext_size + 4 > ext_len ) 1787 { 1788 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1789 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1790 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 1791 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1792 } 1793 1794 switch( ext_id ) 1795 { 1796 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 1797 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 1798 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1799 renegotiation_info_seen = 1; 1800 #endif 1801 1802 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 1803 ext_size ) ) != 0 ) 1804 return( ret ); 1805 1806 break; 1807 1808 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 1809 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 1810 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 1811 1812 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 1813 ext + 4, ext_size ) ) != 0 ) 1814 { 1815 return( ret ); 1816 } 1817 1818 break; 1819 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 1820 1821 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 1822 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 1823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 1824 1825 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 1826 ext + 4, ext_size ) ) != 0 ) 1827 { 1828 return( ret ); 1829 } 1830 1831 break; 1832 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 1833 1834 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1835 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 1836 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 1837 1838 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 1839 ext + 4, ext_size ) ) != 0 ) 1840 { 1841 return( ret ); 1842 } 1843 1844 break; 1845 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1846 1847 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 1848 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 1849 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 1850 1851 if( ( ret = ssl_parse_extended_ms_ext( ssl, 1852 ext + 4, ext_size ) ) != 0 ) 1853 { 1854 return( ret ); 1855 } 1856 1857 break; 1858 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 1859 1860 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1861 case MBEDTLS_TLS_EXT_SESSION_TICKET: 1862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 1863 1864 if( ( ret = ssl_parse_session_ticket_ext( ssl, 1865 ext + 4, ext_size ) ) != 0 ) 1866 { 1867 return( ret ); 1868 } 1869 1870 break; 1871 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 1872 1873 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 1874 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1875 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 1876 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 1877 1878 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 1879 ext + 4, ext_size ) ) != 0 ) 1880 { 1881 return( ret ); 1882 } 1883 1884 break; 1885 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 1886 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1887 1888 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1889 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 1890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 1891 1892 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 1893 ext + 4, ext_size ) ) != 0 ) 1894 { 1895 return( ret ); 1896 } 1897 1898 break; 1899 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 1900 1901 #if defined(MBEDTLS_SSL_ALPN) 1902 case MBEDTLS_TLS_EXT_ALPN: 1903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 1904 1905 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 1906 return( ret ); 1907 1908 break; 1909 #endif /* MBEDTLS_SSL_ALPN */ 1910 1911 default: 1912 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 1913 ext_id ) ); 1914 } 1915 1916 ext_len -= 4 + ext_size; 1917 ext += 4 + ext_size; 1918 1919 if( ext_len > 0 && ext_len < 4 ) 1920 { 1921 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 1922 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1923 } 1924 } 1925 1926 /* 1927 * Renegotiation security checks 1928 */ 1929 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1930 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 1931 { 1932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 1933 handshake_failure = 1; 1934 } 1935 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1936 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1937 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 1938 renegotiation_info_seen == 0 ) 1939 { 1940 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 1941 handshake_failure = 1; 1942 } 1943 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1944 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1945 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 1946 { 1947 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 1948 handshake_failure = 1; 1949 } 1950 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 1951 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 1952 renegotiation_info_seen == 1 ) 1953 { 1954 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 1955 handshake_failure = 1; 1956 } 1957 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1958 1959 if( handshake_failure == 1 ) 1960 { 1961 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 1962 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 1963 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 1964 } 1965 1966 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 1967 1968 return( 0 ); 1969 } 1970 1971 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 1972 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 1973 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 1974 unsigned char *end ) 1975 { 1976 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1977 1978 /* 1979 * Ephemeral DH parameters: 1980 * 1981 * struct { 1982 * opaque dh_p<1..2^16-1>; 1983 * opaque dh_g<1..2^16-1>; 1984 * opaque dh_Ys<1..2^16-1>; 1985 * } ServerDHParams; 1986 */ 1987 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 1988 { 1989 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 1990 return( ret ); 1991 } 1992 1993 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 1994 { 1995 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 1996 ssl->handshake->dhm_ctx.len * 8, 1997 ssl->conf->dhm_min_bitlen ) ); 1998 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 1999 } 2000 2001 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 2002 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 2003 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 2004 2005 return( ret ); 2006 } 2007 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2008 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 2009 2010 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2011 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2012 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 2013 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2014 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2015 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 2016 { 2017 const mbedtls_ecp_curve_info *curve_info; 2018 2019 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 2020 if( curve_info == NULL ) 2021 { 2022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2023 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2024 } 2025 2026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 2027 2028 #if defined(MBEDTLS_ECP_C) 2029 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 2030 #else 2031 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 2032 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 2033 #endif 2034 return( -1 ); 2035 2036 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 2037 2038 return( 0 ); 2039 } 2040 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2041 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2042 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 2043 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2044 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2045 2046 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2047 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2048 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 2049 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 2050 unsigned char **p, 2051 unsigned char *end ) 2052 { 2053 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2054 2055 /* 2056 * Ephemeral ECDH parameters: 2057 * 2058 * struct { 2059 * ECParameters curve_params; 2060 * ECPoint public; 2061 * } ServerECDHParams; 2062 */ 2063 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 2064 (const unsigned char **) p, end ) ) != 0 ) 2065 { 2066 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 2067 return( ret ); 2068 } 2069 2070 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 2071 { 2072 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 2073 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2074 } 2075 2076 return( ret ); 2077 } 2078 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2079 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2080 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 2081 2082 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2083 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 2084 unsigned char **p, 2085 unsigned char *end ) 2086 { 2087 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2088 size_t len; 2089 ((void) ssl); 2090 2091 /* 2092 * PSK parameters: 2093 * 2094 * opaque psk_identity_hint<0..2^16-1>; 2095 */ 2096 if( end - (*p) < 2 ) 2097 { 2098 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 2099 "(psk_identity_hint length)" ) ); 2100 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2101 } 2102 len = (*p)[0] << 8 | (*p)[1]; 2103 *p += 2; 2104 2105 if( end - (*p) < (int) len ) 2106 { 2107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 2108 "(psk_identity_hint length)" ) ); 2109 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2110 } 2111 2112 /* 2113 * Note: we currently ignore the PKS identity hint, as we only allow one 2114 * PSK to be provisionned on the client. This could be changed later if 2115 * someone needs that feature. 2116 */ 2117 *p += len; 2118 ret = 0; 2119 2120 return( ret ); 2121 } 2122 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 2123 2124 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 2125 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2126 /* 2127 * Generate a pre-master secret and encrypt it with the server's RSA key 2128 */ 2129 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 2130 size_t offset, size_t *olen, 2131 size_t pms_offset ) 2132 { 2133 int ret; 2134 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 2135 unsigned char *p = ssl->handshake->premaster + pms_offset; 2136 2137 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 2138 { 2139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 2140 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 2141 } 2142 2143 /* 2144 * Generate (part of) the pre-master as 2145 * struct { 2146 * ProtocolVersion client_version; 2147 * opaque random[46]; 2148 * } PreMasterSecret; 2149 */ 2150 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 2151 ssl->conf->transport, p ); 2152 2153 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 2154 { 2155 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 2156 return( ret ); 2157 } 2158 2159 ssl->handshake->pmslen = 48; 2160 2161 if( ssl->session_negotiate->peer_cert == NULL ) 2162 { 2163 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2164 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2165 } 2166 2167 /* 2168 * Now write it out, encrypted 2169 */ 2170 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 2171 MBEDTLS_PK_RSA ) ) 2172 { 2173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 2174 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2175 } 2176 2177 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 2178 p, ssl->handshake->pmslen, 2179 ssl->out_msg + offset + len_bytes, olen, 2180 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 2181 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2182 { 2183 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 2184 return( ret ); 2185 } 2186 2187 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 2188 defined(MBEDTLS_SSL_PROTO_TLS1_2) 2189 if( len_bytes == 2 ) 2190 { 2191 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 2192 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 2193 *olen += 2; 2194 } 2195 #endif 2196 2197 return( 0 ); 2198 } 2199 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 2200 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 2201 2202 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2203 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2204 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2205 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 2206 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 2207 unsigned char **p, 2208 unsigned char *end, 2209 mbedtls_md_type_t *md_alg, 2210 mbedtls_pk_type_t *pk_alg ) 2211 { 2212 ((void) ssl); 2213 *md_alg = MBEDTLS_MD_NONE; 2214 *pk_alg = MBEDTLS_PK_NONE; 2215 2216 /* Only in TLS 1.2 */ 2217 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 2218 { 2219 return( 0 ); 2220 } 2221 2222 if( (*p) + 2 > end ) 2223 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2224 2225 /* 2226 * Get hash algorithm 2227 */ 2228 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 2229 { 2230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 2231 "HashAlgorithm %d", *(p)[0] ) ); 2232 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2233 } 2234 2235 /* 2236 * Get signature algorithm 2237 */ 2238 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 2239 { 2240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 2241 "SignatureAlgorithm %d", (*p)[1] ) ); 2242 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2243 } 2244 2245 /* 2246 * Check if the hash is acceptable 2247 */ 2248 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 2249 { 2250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 2251 *(p)[0] ) ); 2252 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2253 } 2254 2255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 2256 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 2257 *p += 2; 2258 2259 return( 0 ); 2260 } 2261 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2262 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2263 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 2264 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2265 2266 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2267 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2268 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 2269 { 2270 int ret; 2271 const mbedtls_ecp_keypair *peer_key; 2272 2273 if( ssl->session_negotiate->peer_cert == NULL ) 2274 { 2275 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2276 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2277 } 2278 2279 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 2280 MBEDTLS_PK_ECKEY ) ) 2281 { 2282 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 2283 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2284 } 2285 2286 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 2287 2288 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 2289 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 2290 { 2291 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 2292 return( ret ); 2293 } 2294 2295 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 2296 { 2297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 2298 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 2299 } 2300 2301 return( ret ); 2302 } 2303 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 2304 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2305 2306 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 2307 { 2308 int ret; 2309 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2310 ssl->transform_negotiate->ciphersuite_info; 2311 unsigned char *p = NULL, *end = NULL; 2312 2313 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 2314 2315 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 2316 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 2317 { 2318 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 2319 ssl->state++; 2320 return( 0 ); 2321 } 2322 ((void) p); 2323 ((void) end); 2324 #endif 2325 2326 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2327 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2328 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 2329 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 2330 { 2331 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 2332 { 2333 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 2334 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2335 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2336 return( ret ); 2337 } 2338 2339 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 2340 ssl->state++; 2341 return( 0 ); 2342 } 2343 ((void) p); 2344 ((void) end); 2345 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2346 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2347 2348 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 2349 { 2350 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2351 return( ret ); 2352 } 2353 2354 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2355 { 2356 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2357 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2358 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2359 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2360 } 2361 2362 /* 2363 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 2364 * doesn't use a psk_identity_hint 2365 */ 2366 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 2367 { 2368 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2369 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2370 { 2371 /* Current message is probably either 2372 * CertificateRequest or ServerHelloDone */ 2373 ssl->keep_current_message = 1; 2374 goto exit; 2375 } 2376 2377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 2378 "not be skipped" ) ); 2379 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2380 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2381 2382 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2383 } 2384 2385 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 2386 end = ssl->in_msg + ssl->in_hslen; 2387 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 2388 2389 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2390 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2391 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 2392 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 2393 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 2394 { 2395 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 2396 { 2397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2398 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2399 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2400 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2401 } 2402 } /* FALLTROUGH */ 2403 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 2404 2405 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 2406 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2407 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 2408 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2409 ; /* nothing more to do */ 2410 else 2411 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 2412 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 2413 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 2414 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 2415 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 2416 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 2417 { 2418 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 2419 { 2420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2421 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2422 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2423 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2424 } 2425 } 2426 else 2427 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 2428 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 2429 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2430 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 2431 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 2432 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 2433 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 2434 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 2435 { 2436 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 2437 { 2438 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2439 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2440 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2441 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2442 } 2443 } 2444 else 2445 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2446 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 2447 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 2448 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 2449 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 2450 { 2451 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 2452 p, end - p ); 2453 if( ret != 0 ) 2454 { 2455 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 2456 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2457 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2458 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2459 } 2460 } 2461 else 2462 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2463 { 2464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2465 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2466 } 2467 2468 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 2469 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 2470 { 2471 size_t sig_len, hashlen; 2472 unsigned char hash[64]; 2473 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 2474 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 2475 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 2476 size_t params_len = p - params; 2477 2478 /* 2479 * Handle the digitally-signed structure 2480 */ 2481 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2482 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 2483 { 2484 if( ssl_parse_signature_algorithm( ssl, &p, end, 2485 &md_alg, &pk_alg ) != 0 ) 2486 { 2487 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2488 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2489 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2490 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2491 } 2492 2493 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 2494 { 2495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2496 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2497 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 2498 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2499 } 2500 } 2501 else 2502 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2503 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 2504 defined(MBEDTLS_SSL_PROTO_TLS1_1) 2505 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 2506 { 2507 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 2508 2509 /* Default hash for ECDSA is SHA-1 */ 2510 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 2511 md_alg = MBEDTLS_MD_SHA1; 2512 } 2513 else 2514 #endif 2515 { 2516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2517 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2518 } 2519 2520 /* 2521 * Read signature 2522 */ 2523 if( p > end - 2 ) 2524 { 2525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2526 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2527 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2528 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2529 } 2530 sig_len = ( p[0] << 8 ) | p[1]; 2531 p += 2; 2532 2533 if( p != end - sig_len ) 2534 { 2535 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2536 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2537 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2538 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 2539 } 2540 2541 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 2542 2543 /* 2544 * Compute the hash that has been signed 2545 */ 2546 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 2547 defined(MBEDTLS_SSL_PROTO_TLS1_1) 2548 if( md_alg == MBEDTLS_MD_NONE ) 2549 { 2550 hashlen = 36; 2551 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, 2552 params_len ); 2553 if( ret != 0 ) 2554 return( ret ); 2555 } 2556 else 2557 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 2558 MBEDTLS_SSL_PROTO_TLS1_1 */ 2559 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 2560 defined(MBEDTLS_SSL_PROTO_TLS1_2) 2561 if( md_alg != MBEDTLS_MD_NONE ) 2562 { 2563 /* Info from md_alg will be used instead */ 2564 hashlen = 0; 2565 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params, 2566 params_len, md_alg ); 2567 if( ret != 0 ) 2568 return( ret ); 2569 } 2570 else 2571 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 2572 MBEDTLS_SSL_PROTO_TLS1_2 */ 2573 { 2574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2575 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2576 } 2577 2578 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 2579 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 2580 2581 if( ssl->session_negotiate->peer_cert == NULL ) 2582 { 2583 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 2584 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2585 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2586 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2587 } 2588 2589 /* 2590 * Verify signature 2591 */ 2592 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 2593 { 2594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 2595 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2596 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 2597 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 2598 } 2599 2600 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 2601 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 2602 { 2603 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2604 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 2605 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 2606 return( ret ); 2607 } 2608 } 2609 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 2610 2611 exit: 2612 ssl->state++; 2613 2614 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 2615 2616 return( 0 ); 2617 } 2618 2619 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 2620 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 2621 { 2622 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2623 ssl->transform_negotiate->ciphersuite_info; 2624 2625 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 2626 2627 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 2628 { 2629 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 2630 ssl->state++; 2631 return( 0 ); 2632 } 2633 2634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2635 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2636 } 2637 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 2638 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 2639 { 2640 int ret; 2641 unsigned char *buf; 2642 size_t n = 0; 2643 size_t cert_type_len = 0, dn_len = 0; 2644 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2645 ssl->transform_negotiate->ciphersuite_info; 2646 2647 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 2648 2649 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 2650 { 2651 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 2652 ssl->state++; 2653 return( 0 ); 2654 } 2655 2656 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 2657 { 2658 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2659 return( ret ); 2660 } 2661 2662 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2663 { 2664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2665 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2666 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 2667 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2668 } 2669 2670 ssl->state++; 2671 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 2672 2673 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 2674 ssl->client_auth ? "a" : "no" ) ); 2675 2676 if( ssl->client_auth == 0 ) 2677 { 2678 /* Current message is probably the ServerHelloDone */ 2679 ssl->keep_current_message = 1; 2680 goto exit; 2681 } 2682 2683 /* 2684 * struct { 2685 * ClientCertificateType certificate_types<1..2^8-1>; 2686 * SignatureAndHashAlgorithm 2687 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 2688 * DistinguishedName certificate_authorities<0..2^16-1>; 2689 * } CertificateRequest; 2690 * 2691 * Since we only support a single certificate on clients, let's just 2692 * ignore all the information that's supposed to help us pick a 2693 * certificate. 2694 * 2695 * We could check that our certificate matches the request, and bail out 2696 * if it doesn't, but it's simpler to just send the certificate anyway, 2697 * and give the server the opportunity to decide if it should terminate 2698 * the connection when it doesn't like our certificate. 2699 * 2700 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 2701 * point we only have one hash available (see comments in 2702 * write_certificate_verify), so let's just use what we have. 2703 * 2704 * However, we still minimally parse the message to check it is at least 2705 * superficially sane. 2706 */ 2707 buf = ssl->in_msg; 2708 2709 /* certificate_types */ 2710 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) ) 2711 { 2712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2713 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2714 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2715 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 2716 } 2717 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 2718 n = cert_type_len; 2719 2720 /* 2721 * In the subsequent code there are two paths that read from buf: 2722 * * the length of the signature algorithms field (if minor version of 2723 * SSL is 3), 2724 * * distinguished name length otherwise. 2725 * Both reach at most the index: 2726 * ...hdr_len + 2 + n, 2727 * therefore the buffer length at this point must be greater than that 2728 * regardless of the actual code path. 2729 */ 2730 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 2731 { 2732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2733 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2734 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2735 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 2736 } 2737 2738 /* supported_signature_algorithms */ 2739 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2740 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 2741 { 2742 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 2743 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 2744 #if defined(MBEDTLS_DEBUG_C) 2745 unsigned char* sig_alg; 2746 size_t i; 2747 #endif 2748 2749 /* 2750 * The furthest access in buf is in the loop few lines below: 2751 * sig_alg[i + 1], 2752 * where: 2753 * sig_alg = buf + ...hdr_len + 3 + n, 2754 * max(i) = sig_alg_len - 1. 2755 * Therefore the furthest access is: 2756 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1], 2757 * which reduces to: 2758 * buf[...hdr_len + 3 + n + sig_alg_len], 2759 * which is one less than we need the buf to be. 2760 */ 2761 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len ) 2762 { 2763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2764 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2765 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2766 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 2767 } 2768 2769 #if defined(MBEDTLS_DEBUG_C) 2770 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 2771 for( i = 0; i < sig_alg_len; i += 2 ) 2772 { 2773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 2774 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 2775 } 2776 #endif 2777 2778 n += 2 + sig_alg_len; 2779 } 2780 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2781 2782 /* certificate_authorities */ 2783 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 2784 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 2785 2786 n += dn_len; 2787 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 2788 { 2789 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 2790 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2791 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2792 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 2793 } 2794 2795 exit: 2796 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 2797 2798 return( 0 ); 2799 } 2800 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 2801 2802 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 2803 { 2804 int ret; 2805 2806 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 2807 2808 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 2809 { 2810 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 2811 return( ret ); 2812 } 2813 2814 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 2815 { 2816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 2817 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 2818 } 2819 2820 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 2821 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 2822 { 2823 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 2824 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 2825 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 2826 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 2827 } 2828 2829 ssl->state++; 2830 2831 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2832 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 2833 mbedtls_ssl_recv_flight_completed( ssl ); 2834 #endif 2835 2836 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 2837 2838 return( 0 ); 2839 } 2840 2841 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 2842 { 2843 int ret; 2844 size_t i, n; 2845 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 2846 ssl->transform_negotiate->ciphersuite_info; 2847 2848 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 2849 2850 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 2851 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 2852 { 2853 /* 2854 * DHM key exchange -- send G^X mod P 2855 */ 2856 n = ssl->handshake->dhm_ctx.len; 2857 2858 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 2859 ssl->out_msg[5] = (unsigned char)( n ); 2860 i = 6; 2861 2862 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 2863 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 2864 &ssl->out_msg[i], n, 2865 ssl->conf->f_rng, ssl->conf->p_rng ); 2866 if( ret != 0 ) 2867 { 2868 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 2869 return( ret ); 2870 } 2871 2872 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 2873 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 2874 2875 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 2876 ssl->handshake->premaster, 2877 MBEDTLS_PREMASTER_SIZE, 2878 &ssl->handshake->pmslen, 2879 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2880 { 2881 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 2882 return( ret ); 2883 } 2884 2885 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 2886 } 2887 else 2888 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 2889 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 2890 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 2891 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 2892 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 2893 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 2894 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 2895 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 2896 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 2897 { 2898 /* 2899 * ECDH key exchange -- send client public value 2900 */ 2901 i = 4; 2902 2903 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 2904 &n, 2905 &ssl->out_msg[i], 1000, 2906 ssl->conf->f_rng, ssl->conf->p_rng ); 2907 if( ret != 0 ) 2908 { 2909 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 2910 return( ret ); 2911 } 2912 2913 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 2914 2915 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 2916 &ssl->handshake->pmslen, 2917 ssl->handshake->premaster, 2918 MBEDTLS_MPI_MAX_SIZE, 2919 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2920 { 2921 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 2922 return( ret ); 2923 } 2924 2925 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 2926 } 2927 else 2928 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 2929 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 2930 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 2931 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 2932 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 2933 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 2934 { 2935 /* 2936 * opaque psk_identity<0..2^16-1>; 2937 */ 2938 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 2939 { 2940 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 2941 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 2942 } 2943 2944 i = 4; 2945 n = ssl->conf->psk_identity_len; 2946 2947 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 2948 { 2949 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 2950 "SSL buffer too short" ) ); 2951 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 2952 } 2953 2954 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 2955 ssl->out_msg[i++] = (unsigned char)( n ); 2956 2957 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 2958 i += ssl->conf->psk_identity_len; 2959 2960 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 2961 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 2962 { 2963 n = 0; 2964 } 2965 else 2966 #endif 2967 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 2968 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 2969 { 2970 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 2971 return( ret ); 2972 } 2973 else 2974 #endif 2975 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 2976 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 2977 { 2978 /* 2979 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 2980 */ 2981 n = ssl->handshake->dhm_ctx.len; 2982 2983 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 2984 { 2985 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 2986 " or SSL buffer too short" ) ); 2987 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 2988 } 2989 2990 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 2991 ssl->out_msg[i++] = (unsigned char)( n ); 2992 2993 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 2994 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 2995 &ssl->out_msg[i], n, 2996 ssl->conf->f_rng, ssl->conf->p_rng ); 2997 if( ret != 0 ) 2998 { 2999 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 3000 return( ret ); 3001 } 3002 } 3003 else 3004 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 3005 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 3006 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 3007 { 3008 /* 3009 * ClientECDiffieHellmanPublic public; 3010 */ 3011 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 3012 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 3013 ssl->conf->f_rng, ssl->conf->p_rng ); 3014 if( ret != 0 ) 3015 { 3016 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 3017 return( ret ); 3018 } 3019 3020 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 3021 } 3022 else 3023 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 3024 { 3025 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3026 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3027 } 3028 3029 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 3030 ciphersuite_info->key_exchange ) ) != 0 ) 3031 { 3032 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 3033 return( ret ); 3034 } 3035 } 3036 else 3037 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 3038 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 3039 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 3040 { 3041 i = 4; 3042 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 3043 return( ret ); 3044 } 3045 else 3046 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3047 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 3048 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3049 { 3050 i = 4; 3051 3052 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 3053 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 3054 ssl->conf->f_rng, ssl->conf->p_rng ); 3055 if( ret != 0 ) 3056 { 3057 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 3058 return( ret ); 3059 } 3060 3061 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 3062 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 3063 ssl->conf->f_rng, ssl->conf->p_rng ); 3064 if( ret != 0 ) 3065 { 3066 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 3067 return( ret ); 3068 } 3069 } 3070 else 3071 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 3072 { 3073 ((void) ciphersuite_info); 3074 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3075 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3076 } 3077 3078 ssl->out_msglen = i + n; 3079 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3080 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 3081 3082 ssl->state++; 3083 3084 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 3085 { 3086 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 3087 return( ret ); 3088 } 3089 3090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 3091 3092 return( 0 ); 3093 } 3094 3095 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 3096 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 3097 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 3098 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 3099 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 3100 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 3101 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 3102 { 3103 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3104 ssl->transform_negotiate->ciphersuite_info; 3105 int ret; 3106 3107 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 3108 3109 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 3110 { 3111 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 3112 return( ret ); 3113 } 3114 3115 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 3116 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3117 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 3118 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 3119 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3120 { 3121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3122 ssl->state++; 3123 return( 0 ); 3124 } 3125 3126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3127 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3128 } 3129 #else 3130 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 3131 { 3132 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3133 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 3134 ssl->transform_negotiate->ciphersuite_info; 3135 size_t n = 0, offset = 0; 3136 unsigned char hash[48]; 3137 unsigned char *hash_start = hash; 3138 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 3139 unsigned int hashlen; 3140 3141 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 3142 3143 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 3144 { 3145 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 3146 return( ret ); 3147 } 3148 3149 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 3150 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 3151 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 3152 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 3153 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 3154 { 3155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3156 ssl->state++; 3157 return( 0 ); 3158 } 3159 3160 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 3161 { 3162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 3163 ssl->state++; 3164 return( 0 ); 3165 } 3166 3167 if( mbedtls_ssl_own_key( ssl ) == NULL ) 3168 { 3169 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 3170 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 3171 } 3172 3173 /* 3174 * Make an RSA signature of the handshake digests 3175 */ 3176 ssl->handshake->calc_verify( ssl, hash ); 3177 3178 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 3179 defined(MBEDTLS_SSL_PROTO_TLS1_1) 3180 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 3181 { 3182 /* 3183 * digitally-signed struct { 3184 * opaque md5_hash[16]; 3185 * opaque sha_hash[20]; 3186 * }; 3187 * 3188 * md5_hash 3189 * MD5(handshake_messages); 3190 * 3191 * sha_hash 3192 * SHA(handshake_messages); 3193 */ 3194 hashlen = 36; 3195 md_alg = MBEDTLS_MD_NONE; 3196 3197 /* 3198 * For ECDSA, default hash is SHA-1 only 3199 */ 3200 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 3201 { 3202 hash_start += 16; 3203 hashlen -= 16; 3204 md_alg = MBEDTLS_MD_SHA1; 3205 } 3206 } 3207 else 3208 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 3209 MBEDTLS_SSL_PROTO_TLS1_1 */ 3210 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3211 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 3212 { 3213 /* 3214 * digitally-signed struct { 3215 * opaque handshake_messages[handshake_messages_length]; 3216 * }; 3217 * 3218 * Taking shortcut here. We assume that the server always allows the 3219 * PRF Hash function and has sent it in the allowed signature 3220 * algorithms list received in the Certificate Request message. 3221 * 3222 * Until we encounter a server that does not, we will take this 3223 * shortcut. 3224 * 3225 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 3226 * in order to satisfy 'weird' needs from the server side. 3227 */ 3228 if( ssl->transform_negotiate->ciphersuite_info->mac == 3229 MBEDTLS_MD_SHA384 ) 3230 { 3231 md_alg = MBEDTLS_MD_SHA384; 3232 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 3233 } 3234 else 3235 { 3236 md_alg = MBEDTLS_MD_SHA256; 3237 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 3238 } 3239 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 3240 3241 /* Info from md_alg will be used instead */ 3242 hashlen = 0; 3243 offset = 2; 3244 } 3245 else 3246 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3247 { 3248 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 3249 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3250 } 3251 3252 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 3253 ssl->out_msg + 6 + offset, &n, 3254 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 3255 { 3256 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 3257 return( ret ); 3258 } 3259 3260 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 3261 ssl->out_msg[5 + offset] = (unsigned char)( n ); 3262 3263 ssl->out_msglen = 6 + n + offset; 3264 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3265 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 3266 3267 ssl->state++; 3268 3269 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 3270 { 3271 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 3272 return( ret ); 3273 } 3274 3275 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 3276 3277 return( ret ); 3278 } 3279 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 3280 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 3281 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 3282 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 3283 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 3284 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 3285 3286 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3287 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 3288 { 3289 int ret; 3290 uint32_t lifetime; 3291 size_t ticket_len; 3292 unsigned char *ticket; 3293 const unsigned char *msg; 3294 3295 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 3296 3297 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 3298 { 3299 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 3300 return( ret ); 3301 } 3302 3303 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 3304 { 3305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3306 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3307 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 3308 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 3309 } 3310 3311 /* 3312 * struct { 3313 * uint32 ticket_lifetime_hint; 3314 * opaque ticket<0..2^16-1>; 3315 * } NewSessionTicket; 3316 * 3317 * 0 . 3 ticket_lifetime_hint 3318 * 4 . 5 ticket_len (n) 3319 * 6 . 5+n ticket content 3320 */ 3321 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 3322 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 3323 { 3324 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3325 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3326 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3327 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 3328 } 3329 3330 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 3331 3332 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) | 3333 ( msg[2] << 8 ) | ( msg[3] ); 3334 3335 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 3336 3337 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 3338 { 3339 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 3340 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3341 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 3342 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 3343 } 3344 3345 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 3346 3347 /* We're not waiting for a NewSessionTicket message any more */ 3348 ssl->handshake->new_session_ticket = 0; 3349 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 3350 3351 /* 3352 * Zero-length ticket means the server changed his mind and doesn't want 3353 * to send a ticket after all, so just forget it 3354 */ 3355 if( ticket_len == 0 ) 3356 return( 0 ); 3357 3358 mbedtls_zeroize( ssl->session_negotiate->ticket, 3359 ssl->session_negotiate->ticket_len ); 3360 mbedtls_free( ssl->session_negotiate->ticket ); 3361 ssl->session_negotiate->ticket = NULL; 3362 ssl->session_negotiate->ticket_len = 0; 3363 3364 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 3365 { 3366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 3367 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 3368 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 3369 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 3370 } 3371 3372 memcpy( ticket, msg + 6, ticket_len ); 3373 3374 ssl->session_negotiate->ticket = ticket; 3375 ssl->session_negotiate->ticket_len = ticket_len; 3376 ssl->session_negotiate->ticket_lifetime = lifetime; 3377 3378 /* 3379 * RFC 5077 section 3.4: 3380 * "If the client receives a session ticket from the server, then it 3381 * discards any Session ID that was sent in the ServerHello." 3382 */ 3383 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 3384 ssl->session_negotiate->id_len = 0; 3385 3386 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 3387 3388 return( 0 ); 3389 } 3390 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3391 3392 /* 3393 * SSL handshake -- client side -- single step 3394 */ 3395 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 3396 { 3397 int ret = 0; 3398 3399 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 3400 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 3401 3402 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 3403 3404 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 3405 return( ret ); 3406 3407 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3408 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3409 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 3410 { 3411 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 3412 return( ret ); 3413 } 3414 #endif 3415 3416 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 3417 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 3418 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3419 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 3420 ssl->handshake->new_session_ticket != 0 ) 3421 { 3422 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 3423 } 3424 #endif 3425 3426 switch( ssl->state ) 3427 { 3428 case MBEDTLS_SSL_HELLO_REQUEST: 3429 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 3430 break; 3431 3432 /* 3433 * ==> ClientHello 3434 */ 3435 case MBEDTLS_SSL_CLIENT_HELLO: 3436 ret = ssl_write_client_hello( ssl ); 3437 break; 3438 3439 /* 3440 * <== ServerHello 3441 * Certificate 3442 * ( ServerKeyExchange ) 3443 * ( CertificateRequest ) 3444 * ServerHelloDone 3445 */ 3446 case MBEDTLS_SSL_SERVER_HELLO: 3447 ret = ssl_parse_server_hello( ssl ); 3448 break; 3449 3450 case MBEDTLS_SSL_SERVER_CERTIFICATE: 3451 ret = mbedtls_ssl_parse_certificate( ssl ); 3452 break; 3453 3454 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 3455 ret = ssl_parse_server_key_exchange( ssl ); 3456 break; 3457 3458 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 3459 ret = ssl_parse_certificate_request( ssl ); 3460 break; 3461 3462 case MBEDTLS_SSL_SERVER_HELLO_DONE: 3463 ret = ssl_parse_server_hello_done( ssl ); 3464 break; 3465 3466 /* 3467 * ==> ( Certificate/Alert ) 3468 * ClientKeyExchange 3469 * ( CertificateVerify ) 3470 * ChangeCipherSpec 3471 * Finished 3472 */ 3473 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 3474 ret = mbedtls_ssl_write_certificate( ssl ); 3475 break; 3476 3477 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 3478 ret = ssl_write_client_key_exchange( ssl ); 3479 break; 3480 3481 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 3482 ret = ssl_write_certificate_verify( ssl ); 3483 break; 3484 3485 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 3486 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 3487 break; 3488 3489 case MBEDTLS_SSL_CLIENT_FINISHED: 3490 ret = mbedtls_ssl_write_finished( ssl ); 3491 break; 3492 3493 /* 3494 * <== ( NewSessionTicket ) 3495 * ChangeCipherSpec 3496 * Finished 3497 */ 3498 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3499 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 3500 ret = ssl_parse_new_session_ticket( ssl ); 3501 break; 3502 #endif 3503 3504 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 3505 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 3506 break; 3507 3508 case MBEDTLS_SSL_SERVER_FINISHED: 3509 ret = mbedtls_ssl_parse_finished( ssl ); 3510 break; 3511 3512 case MBEDTLS_SSL_FLUSH_BUFFERS: 3513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 3514 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 3515 break; 3516 3517 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 3518 mbedtls_ssl_handshake_wrapup( ssl ); 3519 break; 3520 3521 default: 3522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 3523 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 3524 } 3525 3526 return( ret ); 3527 } 3528 #endif /* MBEDTLS_SSL_CLI_C */ 3529