This Trac instance is not used for development anymore!

We migrated our development workflow to git and Gitea.
To test the future redirection, replace trac by ariadne in the page URL.

source: ps/trunk/build/premake/premake5/contrib/mbedtls/library/ssl_cli.c

Last change on this file was 20366, checked in by Itms, 7 years ago

Alpha 12 version of Premake 5, including prebuilt binary for Windows.
Directly taken from https://premake.github.io/.

Refs #3729.
File size: 107.7 KB
Line 
1/*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_SSL_CLI_C)
29
30#include "mbedtls/debug.h"
31#include "mbedtls/ssl.h"
32#include "mbedtls/ssl_internal.h"
33
34#include <string.h>
35
36#if defined(MBEDTLS_PLATFORM_C)
37#include "mbedtls/platform.h"
38#else
39#include <stdlib.h>
40#define mbedtls_calloc calloc
41#define mbedtls_free free
42#endif
43
44#include <stdint.h>
45
46#if defined(MBEDTLS_HAVE_TIME)
47#include <time.h>
48#endif
49
50#if defined(MBEDTLS_SSL_SESSION_TICKETS)
51/* Implementation that should never be optimized out by the compiler */
52static void mbedtls_zeroize( void *v, size_t n ) {
53 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
54}
55#endif
56
57#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
58static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
59 unsigned char *buf,
60 size_t *olen )
61{
62 unsigned char *p = buf;
63 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
64 size_t hostname_len;
65
66 *olen = 0;
67
68 if( ssl->hostname == NULL )
69 return;
70
71 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
72 ssl->hostname ) );
73
74 hostname_len = strlen( ssl->hostname );
75
76 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
77 {
78 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
79 return;
80 }
81
82 /*
83 * struct {
84 * NameType name_type;
85 * select (name_type) {
86 * case host_name: HostName;
87 * } name;
88 * } ServerName;
89 *
90 * enum {
91 * host_name(0), (255)
92 * } NameType;
93 *
94 * opaque HostName<1..2^16-1>;
95 *
96 * struct {
97 * ServerName server_name_list<1..2^16-1>
98 * } ServerNameList;
99 */
100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
102
103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
105
106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
108
109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
112
113 memcpy( p, ssl->hostname, hostname_len );
114
115 *olen = hostname_len + 9;
116}
117#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
118
119#if defined(MBEDTLS_SSL_RENEGOTIATION)
120static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
121 unsigned char *buf,
122 size_t *olen )
123{
124 unsigned char *p = buf;
125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
126
127 *olen = 0;
128
129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
130 return;
131
132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
133
134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
135 {
136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
137 return;
138 }
139
140 /*
141 * Secure renegotiation
142 */
143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
145
146 *p++ = 0x00;
147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
148 *p++ = ssl->verify_data_len & 0xFF;
149
150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
151
152 *olen = 5 + ssl->verify_data_len;
153}
154#endif /* MBEDTLS_SSL_RENEGOTIATION */
155
156/*
157 * Only if we handle at least one key exchange that needs signatures.
158 */
159#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
161static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
162 unsigned char *buf,
163 size_t *olen )
164{
165 unsigned char *p = buf;
166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
167 size_t sig_alg_len = 0;
168 const int *md;
169#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
170 unsigned char *sig_alg_list = buf + 6;
171#endif
172
173 *olen = 0;
174
175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
176 return;
177
178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
179
180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
181 {
182#if defined(MBEDTLS_ECDSA_C)
183 sig_alg_len += 2;
184#endif
185#if defined(MBEDTLS_RSA_C)
186 sig_alg_len += 2;
187#endif
188 }
189
190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
191 {
192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
193 return;
194 }
195
196 /*
197 * Prepare signature_algorithms extension (TLS 1.2)
198 */
199 sig_alg_len = 0;
200
201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
202 {
203#if defined(MBEDTLS_ECDSA_C)
204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
206#endif
207#if defined(MBEDTLS_RSA_C)
208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
210#endif
211 }
212
213 /*
214 * enum {
215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
216 * sha512(6), (255)
217 * } HashAlgorithm;
218 *
219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
220 * SignatureAlgorithm;
221 *
222 * struct {
223 * HashAlgorithm hash;
224 * SignatureAlgorithm signature;
225 * } SignatureAndHashAlgorithm;
226 *
227 * SignatureAndHashAlgorithm
228 * supported_signature_algorithms<2..2^16-2>;
229 */
230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
232
233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
235
236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
238
239 *olen = 6 + sig_alg_len;
240}
241#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
243
244#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
246static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
247 unsigned char *buf,
248 size_t *olen )
249{
250 unsigned char *p = buf;
251 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
252 unsigned char *elliptic_curve_list = p + 6;
253 size_t elliptic_curve_len = 0;
254 const mbedtls_ecp_curve_info *info;
255#if defined(MBEDTLS_ECP_C)
256 const mbedtls_ecp_group_id *grp_id;
257#else
258 ((void) ssl);
259#endif
260
261 *olen = 0;
262
263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
264
265#if defined(MBEDTLS_ECP_C)
266 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
267 {
268 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
269#else
270 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
271 {
272#endif
273 elliptic_curve_len += 2;
274 }
275
276 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
277 {
278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
279 return;
280 }
281
282 elliptic_curve_len = 0;
283
284#if defined(MBEDTLS_ECP_C)
285 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
286 {
287 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
288#else
289 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
290 {
291#endif
292
293 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
294 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
295 }
296
297 if( elliptic_curve_len == 0 )
298 return;
299
300 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
301 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
302
303 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
304 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
305
306 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
307 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
308
309 *olen = 6 + elliptic_curve_len;
310}
311
312static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
313 unsigned char *buf,
314 size_t *olen )
315{
316 unsigned char *p = buf;
317 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
318
319 *olen = 0;
320
321 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
322
323 if( end < p || (size_t)( end - p ) < 6 )
324 {
325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
326 return;
327 }
328
329 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
330 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
331
332 *p++ = 0x00;
333 *p++ = 2;
334
335 *p++ = 1;
336 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
337
338 *olen = 6;
339}
340#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
341 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
342
343#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
344static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
345 unsigned char *buf,
346 size_t *olen )
347{
348 int ret;
349 unsigned char *p = buf;
350 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
351 size_t kkpp_len;
352
353 *olen = 0;
354
355 /* Skip costly extension if we can't use EC J-PAKE anyway */
356 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
357 return;
358
359 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
360
361 if( end - p < 4 )
362 {
363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
364 return;
365 }
366
367 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
368 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
369
370 /*
371 * We may need to send ClientHello multiple times for Hello verification.
372 * We don't want to compute fresh values every time (both for performance
373 * and consistency reasons), so cache the extension content.
374 */
375 if( ssl->handshake->ecjpake_cache == NULL ||
376 ssl->handshake->ecjpake_cache_len == 0 )
377 {
378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
379
380 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
381 p + 2, end - p - 2, &kkpp_len,
382 ssl->conf->f_rng, ssl->conf->p_rng );
383 if( ret != 0 )
384 {
385 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
386 return;
387 }
388
389 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
390 if( ssl->handshake->ecjpake_cache == NULL )
391 {
392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
393 return;
394 }
395
396 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
397 ssl->handshake->ecjpake_cache_len = kkpp_len;
398 }
399 else
400 {
401 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
402
403 kkpp_len = ssl->handshake->ecjpake_cache_len;
404
405 if( (size_t)( end - p - 2 ) < kkpp_len )
406 {
407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
408 return;
409 }
410
411 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
412 }
413
414 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
415 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
416
417 *olen = kkpp_len + 4;
418}
419#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
420
421#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
422static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
423 unsigned char *buf,
424 size_t *olen )
425{
426 unsigned char *p = buf;
427 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
428
429 *olen = 0;
430
431 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
432 return;
433 }
434
435 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
436
437 if( end < p || (size_t)( end - p ) < 5 )
438 {
439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
440 return;
441 }
442
443 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
444 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
445
446 *p++ = 0x00;
447 *p++ = 1;
448
449 *p++ = ssl->conf->mfl_code;
450
451 *olen = 5;
452}
453#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
454
455#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
456static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
457 unsigned char *buf, size_t *olen )
458{
459 unsigned char *p = buf;
460 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
461
462 *olen = 0;
463
464 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
465 {
466 return;
467 }
468
469 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
470
471 if( end < p || (size_t)( end - p ) < 4 )
472 {
473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
474 return;
475 }
476
477 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
478 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
479
480 *p++ = 0x00;
481 *p++ = 0x00;
482
483 *olen = 4;
484}
485#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
486
487#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
488static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
489 unsigned char *buf, size_t *olen )
490{
491 unsigned char *p = buf;
492 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
493
494 *olen = 0;
495
496 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
497 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
498 {
499 return;
500 }
501
502 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
503 "extension" ) );
504
505 if( end < p || (size_t)( end - p ) < 4 )
506 {
507 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
508 return;
509 }
510
511 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
512 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
513
514 *p++ = 0x00;
515 *p++ = 0x00;
516
517 *olen = 4;
518}
519#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
520
521#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
522static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
523 unsigned char *buf, size_t *olen )
524{
525 unsigned char *p = buf;
526 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
527
528 *olen = 0;
529
530 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
531 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
532 {
533 return;
534 }
535
536 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
537 "extension" ) );
538
539 if( end < p || (size_t)( end - p ) < 4 )
540 {
541 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
542 return;
543 }
544
545 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
546 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
547
548 *p++ = 0x00;
549 *p++ = 0x00;
550
551 *olen = 4;
552}
553#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
554
555#if defined(MBEDTLS_SSL_SESSION_TICKETS)
556static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
557 unsigned char *buf, size_t *olen )
558{
559 unsigned char *p = buf;
560 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
561 size_t tlen = ssl->session_negotiate->ticket_len;
562
563 *olen = 0;
564
565 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
566 {
567 return;
568 }
569
570 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
571
572 if( end < p || (size_t)( end - p ) < 4 + tlen )
573 {
574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
575 return;
576 }
577
578 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
579 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
580
581 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
582 *p++ = (unsigned char)( ( tlen ) & 0xFF );
583
584 *olen = 4;
585
586 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
587 {
588 return;
589 }
590
591 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
592
593 memcpy( p, ssl->session_negotiate->ticket, tlen );
594
595 *olen += tlen;
596}
597#endif /* MBEDTLS_SSL_SESSION_TICKETS */
598
599#if defined(MBEDTLS_SSL_ALPN)
600static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
601 unsigned char *buf, size_t *olen )
602{
603 unsigned char *p = buf;
604 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
605 size_t alpnlen = 0;
606 const char **cur;
607
608 *olen = 0;
609
610 if( ssl->conf->alpn_list == NULL )
611 {
612 return;
613 }
614
615 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
616
617 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
618 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
619
620 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
621 {
622 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
623 return;
624 }
625
626 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
627 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
628
629 /*
630 * opaque ProtocolName<1..2^8-1>;
631 *
632 * struct {
633 * ProtocolName protocol_name_list<2..2^16-1>
634 * } ProtocolNameList;
635 */
636
637 /* Skip writing extension and list length for now */
638 p += 4;
639
640 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
641 {
642 *p = (unsigned char)( strlen( *cur ) & 0xFF );
643 memcpy( p + 1, *cur, *p );
644 p += 1 + *p;
645 }
646
647 *olen = p - buf;
648
649 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
650 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
651 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
652
653 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
654 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
655 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
656}
657#endif /* MBEDTLS_SSL_ALPN */
658
659/*
660 * Generate random bytes for ClientHello
661 */
662static int ssl_generate_random( mbedtls_ssl_context *ssl )
663{
664 int ret;
665 unsigned char *p = ssl->handshake->randbytes;
666#if defined(MBEDTLS_HAVE_TIME)
667 time_t t;
668#endif
669
670 /*
671 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
672 */
673#if defined(MBEDTLS_SSL_PROTO_DTLS)
674 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
675 ssl->handshake->verify_cookie != NULL )
676 {
677 return( 0 );
678 }
679#endif
680
681#if defined(MBEDTLS_HAVE_TIME)
682 t = time( NULL );
683 *p++ = (unsigned char)( t >> 24 );
684 *p++ = (unsigned char)( t >> 16 );
685 *p++ = (unsigned char)( t >> 8 );
686 *p++ = (unsigned char)( t );
687
688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
689#else
690 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
691 return( ret );
692
693 p += 4;
694#endif /* MBEDTLS_HAVE_TIME */
695
696 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
697 return( ret );
698
699 return( 0 );
700}
701
702static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
703{
704 int ret;
705 size_t i, n, olen, ext_len = 0;
706 unsigned char *buf;
707 unsigned char *p, *q;
708 unsigned char offer_compress;
709 const int *ciphersuites;
710 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
711
712 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
713
714 if( ssl->conf->f_rng == NULL )
715 {
716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
717 return( MBEDTLS_ERR_SSL_NO_RNG );
718 }
719
720#if defined(MBEDTLS_SSL_RENEGOTIATION)
721 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
722#endif
723 {
724 ssl->major_ver = ssl->conf->min_major_ver;
725 ssl->minor_ver = ssl->conf->min_minor_ver;
726 }
727
728 if( ssl->conf->max_major_ver == 0 )
729 {
730 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
731 "consider using mbedtls_ssl_config_defaults()" ) );
732 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
733 }
734
735 /*
736 * 0 . 0 handshake type
737 * 1 . 3 handshake length
738 * 4 . 5 highest version supported
739 * 6 . 9 current UNIX time
740 * 10 . 37 random bytes
741 */
742 buf = ssl->out_msg;
743 p = buf + 4;
744
745 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
746 ssl->conf->transport, p );
747 p += 2;
748
749 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
750 buf[4], buf[5] ) );
751
752 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
753 {
754 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
755 return( ret );
756 }
757
758 memcpy( p, ssl->handshake->randbytes, 32 );
759 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
760 p += 32;
761
762 /*
763 * 38 . 38 session id length
764 * 39 . 39+n session id
765 * 39+n . 39+n DTLS only: cookie length (1 byte)
766 * 40+n . .. DTSL only: cookie
767 * .. . .. ciphersuitelist length (2 bytes)
768 * .. . .. ciphersuitelist
769 * .. . .. compression methods length (1 byte)
770 * .. . .. compression methods
771 * .. . .. extensions length (2 bytes)
772 * .. . .. extensions
773 */
774 n = ssl->session_negotiate->id_len;
775
776 if( n < 16 || n > 32 ||
777#if defined(MBEDTLS_SSL_RENEGOTIATION)
778 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
779#endif
780 ssl->handshake->resume == 0 )
781 {
782 n = 0;
783 }
784
785#if defined(MBEDTLS_SSL_SESSION_TICKETS)
786 /*
787 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
788 * generate and include a Session ID in the TLS ClientHello."
789 */
790#if defined(MBEDTLS_SSL_RENEGOTIATION)
791 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
792#endif
793 {
794 if( ssl->session_negotiate->ticket != NULL &&
795 ssl->session_negotiate->ticket_len != 0 )
796 {
797 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
798
799 if( ret != 0 )
800 return( ret );
801
802 ssl->session_negotiate->id_len = n = 32;
803 }
804 }
805#endif /* MBEDTLS_SSL_SESSION_TICKETS */
806
807 *p++ = (unsigned char) n;
808
809 for( i = 0; i < n; i++ )
810 *p++ = ssl->session_negotiate->id[i];
811
812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
813 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
814
815 /*
816 * DTLS cookie
817 */
818#if defined(MBEDTLS_SSL_PROTO_DTLS)
819 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
820 {
821 if( ssl->handshake->verify_cookie == NULL )
822 {
823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
824 *p++ = 0;
825 }
826 else
827 {
828 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
829 ssl->handshake->verify_cookie,
830 ssl->handshake->verify_cookie_len );
831
832 *p++ = ssl->handshake->verify_cookie_len;
833 memcpy( p, ssl->handshake->verify_cookie,
834 ssl->handshake->verify_cookie_len );
835 p += ssl->handshake->verify_cookie_len;
836 }
837 }
838#endif
839
840 /*
841 * Ciphersuite list
842 */
843 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
844
845 /* Skip writing ciphersuite length for now */
846 n = 0;
847 q = p;
848 p += 2;
849
850 for( i = 0; ciphersuites[i] != 0; i++ )
851 {
852 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
853
854 if( ciphersuite_info == NULL )
855 continue;
856
857 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver ||
858 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
859 continue;
860
861#if defined(MBEDTLS_SSL_PROTO_DTLS)
862 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
863 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
864 continue;
865#endif
866
867#if defined(MBEDTLS_ARC4_C)
868 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
869 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
870 continue;
871#endif
872
873#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
874 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
875 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
876 continue;
877#endif
878
879 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
880 ciphersuites[i] ) );
881
882 n++;
883 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
884 *p++ = (unsigned char)( ciphersuites[i] );
885 }
886
887 /*
888 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
889 */
890#if defined(MBEDTLS_SSL_RENEGOTIATION)
891 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
892#endif
893 {
894 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
895 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
896 n++;
897 }
898
899 /* Some versions of OpenSSL don't handle it correctly if not at end */
900#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
901 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
902 {
903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
904 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
905 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
906 n++;
907 }
908#endif
909
910 *q++ = (unsigned char)( n >> 7 );
911 *q++ = (unsigned char)( n << 1 );
912
913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
914
915#if defined(MBEDTLS_ZLIB_SUPPORT)
916 offer_compress = 1;
917#else
918 offer_compress = 0;
919#endif
920
921 /*
922 * We don't support compression with DTLS right now: is many records come
923 * in the same datagram, uncompressing one could overwrite the next one.
924 * We don't want to add complexity for handling that case unless there is
925 * an actual need for it.
926 */
927#if defined(MBEDTLS_SSL_PROTO_DTLS)
928 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
929 offer_compress = 0;
930#endif
931
932 if( offer_compress )
933 {
934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
936 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
937
938 *p++ = 2;
939 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
940 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
941 }
942 else
943 {
944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
946 MBEDTLS_SSL_COMPRESS_NULL ) );
947
948 *p++ = 1;
949 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
950 }
951
952 // First write extensions, then the total length
953 //
954#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
955 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
956 ext_len += olen;
957#endif
958
959#if defined(MBEDTLS_SSL_RENEGOTIATION)
960 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
961 ext_len += olen;
962#endif
963
964#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
965 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
966 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
967 ext_len += olen;
968#endif
969
970#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
971 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
972 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
973 ext_len += olen;
974
975 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
976 ext_len += olen;
977#endif
978
979#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
980 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
981 ext_len += olen;
982#endif
983
984#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
985 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
986 ext_len += olen;
987#endif
988
989#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
990 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
991 ext_len += olen;
992#endif
993
994#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
995 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
996 ext_len += olen;
997#endif
998
999#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1000 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1001 ext_len += olen;
1002#endif
1003
1004#if defined(MBEDTLS_SSL_ALPN)
1005 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1006 ext_len += olen;
1007#endif
1008
1009#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1010 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1011 ext_len += olen;
1012#endif
1013
1014 /* olen unused if all extensions are disabled */
1015 ((void) olen);
1016
1017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1018 ext_len ) );
1019
1020 if( ext_len > 0 )
1021 {
1022 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1023 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1024 p += ext_len;
1025 }
1026
1027 ssl->out_msglen = p - buf;
1028 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1029 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1030
1031 ssl->state++;
1032
1033#if defined(MBEDTLS_SSL_PROTO_DTLS)
1034 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1035 mbedtls_ssl_send_flight_completed( ssl );
1036#endif
1037
1038 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
1039 {
1040 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
1041 return( ret );
1042 }
1043
1044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1045
1046 return( 0 );
1047}
1048
1049static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1050 const unsigned char *buf,
1051 size_t len )
1052{
1053 int ret;
1054
1055#if defined(MBEDTLS_SSL_RENEGOTIATION)
1056 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1057 {
1058 /* Check verify-data in constant-time. The length OTOH is no secret */
1059 if( len != 1 + ssl->verify_data_len * 2 ||
1060 buf[0] != ssl->verify_data_len * 2 ||
1061 mbedtls_ssl_safer_memcmp( buf + 1,
1062 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1063 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
1064 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1065 {
1066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1067
1068 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1069 return( ret );
1070
1071 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1072 }
1073 }
1074 else
1075#endif /* MBEDTLS_SSL_RENEGOTIATION */
1076 {
1077 if( len != 1 || buf[0] != 0x00 )
1078 {
1079 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
1080
1081 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1082 return( ret );
1083
1084 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1085 }
1086
1087 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1088 }
1089
1090 return( 0 );
1091}
1092
1093#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1094static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1095 const unsigned char *buf,
1096 size_t len )
1097{
1098 /*
1099 * server should use the extension only if we did,
1100 * and if so the server's value should match ours (and len is always 1)
1101 */
1102 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1103 len != 1 ||
1104 buf[0] != ssl->conf->mfl_code )
1105 {
1106 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1107 }
1108
1109 return( 0 );
1110}
1111#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1112
1113#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1114static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1115 const unsigned char *buf,
1116 size_t len )
1117{
1118 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1119 len != 0 )
1120 {
1121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1122 }
1123
1124 ((void) buf);
1125
1126 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1127
1128 return( 0 );
1129}
1130#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1131
1132#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1133static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1134 const unsigned char *buf,
1135 size_t len )
1136{
1137 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1138 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1139 len != 0 )
1140 {
1141 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1142 }
1143
1144 ((void) buf);
1145
1146 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1147
1148 return( 0 );
1149}
1150#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1151
1152#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1153static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1154 const unsigned char *buf,
1155 size_t len )
1156{
1157 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1158 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1159 len != 0 )
1160 {
1161 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1162 }
1163
1164 ((void) buf);
1165
1166 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1167
1168 return( 0 );
1169}
1170#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1171
1172#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1173static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1174 const unsigned char *buf,
1175 size_t len )
1176{
1177 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1178 len != 0 )
1179 {
1180 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1181 }
1182
1183 ((void) buf);
1184
1185 ssl->handshake->new_session_ticket = 1;
1186
1187 return( 0 );
1188}
1189#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1190
1191#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1192 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1193static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1194 const unsigned char *buf,
1195 size_t len )
1196{
1197 size_t list_size;
1198 const unsigned char *p;
1199
1200 list_size = buf[0];
1201 if( list_size + 1 != len )
1202 {
1203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1204 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1205 }
1206
1207 p = buf + 1;
1208 while( list_size > 0 )
1209 {
1210 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1211 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1212 {
1213#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1214 ssl->handshake->ecdh_ctx.point_format = p[0];
1215#endif
1216#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1217 ssl->handshake->ecjpake_ctx.point_format = p[0];
1218#endif
1219 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1220 return( 0 );
1221 }
1222
1223 list_size--;
1224 p++;
1225 }
1226
1227 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1228 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1229}
1230#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1231 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1232
1233#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1234static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1235 const unsigned char *buf,
1236 size_t len )
1237{
1238 int ret;
1239
1240 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1241 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1242 {
1243 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1244 return( 0 );
1245 }
1246
1247 /* If we got here, we no longer need our cached extension */
1248 mbedtls_free( ssl->handshake->ecjpake_cache );
1249 ssl->handshake->ecjpake_cache = NULL;
1250 ssl->handshake->ecjpake_cache_len = 0;
1251
1252 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1253 buf, len ) ) != 0 )
1254 {
1255 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1256 return( ret );
1257 }
1258
1259 return( 0 );
1260}
1261#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1262
1263#if defined(MBEDTLS_SSL_ALPN)
1264static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1265 const unsigned char *buf, size_t len )
1266{
1267 size_t list_len, name_len;
1268 const char **p;
1269
1270 /* If we didn't send it, the server shouldn't send it */
1271 if( ssl->conf->alpn_list == NULL )
1272 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1273
1274 /*
1275 * opaque ProtocolName<1..2^8-1>;
1276 *
1277 * struct {
1278 * ProtocolName protocol_name_list<2..2^16-1>
1279 * } ProtocolNameList;
1280 *
1281 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1282 */
1283
1284 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1285 if( len < 4 )
1286 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1287
1288 list_len = ( buf[0] << 8 ) | buf[1];
1289 if( list_len != len - 2 )
1290 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1291
1292 name_len = buf[2];
1293 if( name_len != list_len - 1 )
1294 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1295
1296 /* Check that the server chosen protocol was in our list and save it */
1297 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1298 {
1299 if( name_len == strlen( *p ) &&
1300 memcmp( buf + 3, *p, name_len ) == 0 )
1301 {
1302 ssl->alpn_chosen = *p;
1303 return( 0 );
1304 }
1305 }
1306
1307 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1308}
1309#endif /* MBEDTLS_SSL_ALPN */
1310
1311/*
1312 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1313 */
1314#if defined(MBEDTLS_SSL_PROTO_DTLS)
1315static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1316{
1317 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1318 int major_ver, minor_ver;
1319 unsigned char cookie_len;
1320
1321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1322
1323 /*
1324 * struct {
1325 * ProtocolVersion server_version;
1326 * opaque cookie<0..2^8-1>;
1327 * } HelloVerifyRequest;
1328 */
1329 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1330 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1331 p += 2;
1332
1333 /*
1334 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1335 * even is lower than our min version.
1336 */
1337 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1338 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1339 major_ver > ssl->conf->max_major_ver ||
1340 minor_ver > ssl->conf->max_minor_ver )
1341 {
1342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1343
1344 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1345 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1346
1347 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1348 }
1349
1350 cookie_len = *p++;
1351 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1352
1353 mbedtls_free( ssl->handshake->verify_cookie );
1354
1355 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1356 if( ssl->handshake->verify_cookie == NULL )
1357 {
1358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1359 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1360 }
1361
1362 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1363 ssl->handshake->verify_cookie_len = cookie_len;
1364
1365 /* Start over at ClientHello */
1366 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1367 mbedtls_ssl_reset_checksum( ssl );
1368
1369 mbedtls_ssl_recv_flight_completed( ssl );
1370
1371 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1372
1373 return( 0 );
1374}
1375#endif /* MBEDTLS_SSL_PROTO_DTLS */
1376
1377static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1378{
1379 int ret, i;
1380 size_t n;
1381 size_t ext_len;
1382 unsigned char *buf, *ext;
1383 unsigned char comp;
1384#if defined(MBEDTLS_ZLIB_SUPPORT)
1385 int accept_comp;
1386#endif
1387#if defined(MBEDTLS_SSL_RENEGOTIATION)
1388 int renegotiation_info_seen = 0;
1389#endif
1390 int handshake_failure = 0;
1391 const mbedtls_ssl_ciphersuite_t *suite_info;
1392#if defined(MBEDTLS_DEBUG_C)
1393 uint32_t t;
1394#endif
1395
1396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1397
1398 buf = ssl->in_msg;
1399
1400 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
1401 {
1402 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1403 return( ret );
1404 }
1405
1406 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1407 {
1408#if defined(MBEDTLS_SSL_RENEGOTIATION)
1409 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1410 {
1411 ssl->renego_records_seen++;
1412
1413 if( ssl->conf->renego_max_records >= 0 &&
1414 ssl->renego_records_seen > ssl->conf->renego_max_records )
1415 {
1416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
1417 "but not honored by server" ) );
1418 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1419 }
1420
1421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1422 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1423 }
1424#endif /* MBEDTLS_SSL_RENEGOTIATION */
1425
1426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1427 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1428 }
1429
1430#if defined(MBEDTLS_SSL_PROTO_DTLS)
1431 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1432 {
1433 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1434 {
1435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1436 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1437 return( ssl_parse_hello_verify_request( ssl ) );
1438 }
1439 else
1440 {
1441 /* We made it through the verification process */
1442 mbedtls_free( ssl->handshake->verify_cookie );
1443 ssl->handshake->verify_cookie = NULL;
1444 ssl->handshake->verify_cookie_len = 0;
1445 }
1446 }
1447#endif /* MBEDTLS_SSL_PROTO_DTLS */
1448
1449 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1450 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1451 {
1452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1453 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1454 }
1455
1456 /*
1457 * 0 . 1 server_version
1458 * 2 . 33 random (maybe including 4 bytes of Unix time)
1459 * 34 . 34 session_id length = n
1460 * 35 . 34+n session_id
1461 * 35+n . 36+n cipher_suite
1462 * 37+n . 37+n compression_method
1463 *
1464 * 38+n . 39+n extensions length (optional)
1465 * 40+n . .. extensions
1466 */
1467 buf += mbedtls_ssl_hs_hdr_len( ssl );
1468
1469 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1470 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1471 ssl->conf->transport, buf + 0 );
1472
1473 if( ssl->major_ver < ssl->conf->min_major_ver ||
1474 ssl->minor_ver < ssl->conf->min_minor_ver ||
1475 ssl->major_ver > ssl->conf->max_major_ver ||
1476 ssl->minor_ver > ssl->conf->max_minor_ver )
1477 {
1478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
1479 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1480 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
1481 ssl->major_ver, ssl->minor_ver,
1482 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
1483
1484 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1485 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1486
1487 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1488 }
1489
1490#if defined(MBEDTLS_DEBUG_C)
1491 t = ( (uint32_t) buf[2] << 24 )
1492 | ( (uint32_t) buf[3] << 16 )
1493 | ( (uint32_t) buf[4] << 8 )
1494 | ( (uint32_t) buf[5] );
1495 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1496#endif
1497
1498 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1499
1500 n = buf[34];
1501
1502 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1503
1504 if( n > 32 )
1505 {
1506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1507 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1508 }
1509
1510 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1511 {
1512 ext_len = ( ( buf[38 + n] << 8 )
1513 | ( buf[39 + n] ) );
1514
1515 if( ( ext_len > 0 && ext_len < 4 ) ||
1516 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1517 {
1518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1519 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1520 }
1521 }
1522 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1523 {
1524 ext_len = 0;
1525 }
1526 else
1527 {
1528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1529 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1530 }
1531
1532 /* ciphersuite (used later) */
1533 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1534
1535 /*
1536 * Read and check compression
1537 */
1538 comp = buf[37 + n];
1539
1540#if defined(MBEDTLS_ZLIB_SUPPORT)
1541 /* See comments in ssl_write_client_hello() */
1542#if defined(MBEDTLS_SSL_PROTO_DTLS)
1543 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1544 accept_comp = 0;
1545 else
1546#endif
1547 accept_comp = 1;
1548
1549 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1550 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1551#else /* MBEDTLS_ZLIB_SUPPORT */
1552 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1553#endif/* MBEDTLS_ZLIB_SUPPORT */
1554 {
1555 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
1556 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1557 }
1558
1559 /*
1560 * Initialize update checksum functions
1561 */
1562 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
1563
1564 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1565 {
1566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1567 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1568 }
1569
1570 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1571
1572 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1573 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1574
1575 /*
1576 * Check if the session can be resumed
1577 */
1578 if( ssl->handshake->resume == 0 || n == 0 ||
1579#if defined(MBEDTLS_SSL_RENEGOTIATION)
1580 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1581#endif
1582 ssl->session_negotiate->ciphersuite != i ||
1583 ssl->session_negotiate->compression != comp ||
1584 ssl->session_negotiate->id_len != n ||
1585 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1586 {
1587 ssl->state++;
1588 ssl->handshake->resume = 0;
1589#if defined(MBEDTLS_HAVE_TIME)
1590 ssl->session_negotiate->start = time( NULL );
1591#endif
1592 ssl->session_negotiate->ciphersuite = i;
1593 ssl->session_negotiate->compression = comp;
1594 ssl->session_negotiate->id_len = n;
1595 memcpy( ssl->session_negotiate->id, buf + 35, n );
1596 }
1597 else
1598 {
1599 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1600
1601 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1602 {
1603 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1604 return( ret );
1605 }
1606 }
1607
1608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1609 ssl->handshake->resume ? "a" : "no" ) );
1610
1611 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
1612 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
1613
1614 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
1615 if( suite_info == NULL
1616#if defined(MBEDTLS_ARC4_C)
1617 || ( ssl->conf->arc4_disabled &&
1618 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
1619#endif
1620 )
1621 {
1622 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1623 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1624 }
1625
1626 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1627
1628 i = 0;
1629 while( 1 )
1630 {
1631 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1632 {
1633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1634 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1635 }
1636
1637 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1638 ssl->session_negotiate->ciphersuite )
1639 {
1640 break;
1641 }
1642 }
1643
1644 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1645#if defined(MBEDTLS_ZLIB_SUPPORT)
1646 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
1647#endif
1648 )
1649 {
1650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1651 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1652 }
1653 ssl->session_negotiate->compression = comp;
1654
1655 ext = buf + 40 + n;
1656
1657 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1658
1659 while( ext_len )
1660 {
1661 unsigned int ext_id = ( ( ext[0] << 8 )
1662 | ( ext[1] ) );
1663 unsigned int ext_size = ( ( ext[2] << 8 )
1664 | ( ext[3] ) );
1665
1666 if( ext_size + 4 > ext_len )
1667 {
1668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1669 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1670 }
1671
1672 switch( ext_id )
1673 {
1674 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1676#if defined(MBEDTLS_SSL_RENEGOTIATION)
1677 renegotiation_info_seen = 1;
1678#endif
1679
1680 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1681 ext_size ) ) != 0 )
1682 return( ret );
1683
1684 break;
1685
1686#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1687 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1688 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1689
1690 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1691 ext + 4, ext_size ) ) != 0 )
1692 {
1693 return( ret );
1694 }
1695
1696 break;
1697#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1698
1699#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1700 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1701 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1702
1703 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1704 ext + 4, ext_size ) ) != 0 )
1705 {
1706 return( ret );
1707 }
1708
1709 break;
1710#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1711
1712#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1713 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
1715
1716 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1717 ext + 4, ext_size ) ) != 0 )
1718 {
1719 return( ret );
1720 }
1721
1722 break;
1723#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1724
1725#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1726 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
1728
1729 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1730 ext + 4, ext_size ) ) != 0 )
1731 {
1732 return( ret );
1733 }
1734
1735 break;
1736#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1737
1738#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1739 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1740 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
1741
1742 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1743 ext + 4, ext_size ) ) != 0 )
1744 {
1745 return( ret );
1746 }
1747
1748 break;
1749#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1750
1751#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1752 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1753 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1755
1756 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1757 ext + 4, ext_size ) ) != 0 )
1758 {
1759 return( ret );
1760 }
1761
1762 break;
1763#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1764 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1765
1766#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1767 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
1769
1770 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
1771 ext + 4, ext_size ) ) != 0 )
1772 {
1773 return( ret );
1774 }
1775
1776 break;
1777#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1778
1779#if defined(MBEDTLS_SSL_ALPN)
1780 case MBEDTLS_TLS_EXT_ALPN:
1781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1782
1783 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1784 return( ret );
1785
1786 break;
1787#endif /* MBEDTLS_SSL_ALPN */
1788
1789 default:
1790 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1791 ext_id ) );
1792 }
1793
1794 ext_len -= 4 + ext_size;
1795 ext += 4 + ext_size;
1796
1797 if( ext_len > 0 && ext_len < 4 )
1798 {
1799 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1800 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1801 }
1802 }
1803
1804 /*
1805 * Renegotiation security checks
1806 */
1807 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1808 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1809 {
1810 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1811 handshake_failure = 1;
1812 }
1813#if defined(MBEDTLS_SSL_RENEGOTIATION)
1814 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1815 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1816 renegotiation_info_seen == 0 )
1817 {
1818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1819 handshake_failure = 1;
1820 }
1821 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1822 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1823 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
1824 {
1825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1826 handshake_failure = 1;
1827 }
1828 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1829 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1830 renegotiation_info_seen == 1 )
1831 {
1832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1833 handshake_failure = 1;
1834 }
1835#endif /* MBEDTLS_SSL_RENEGOTIATION */
1836
1837 if( handshake_failure == 1 )
1838 {
1839 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1840 return( ret );
1841
1842 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1843 }
1844
1845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1846
1847 return( 0 );
1848}
1849
1850#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1851 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1852static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
1853 unsigned char *end )
1854{
1855 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1856
1857 /*
1858 * Ephemeral DH parameters:
1859 *
1860 * struct {
1861 * opaque dh_p<1..2^16-1>;
1862 * opaque dh_g<1..2^16-1>;
1863 * opaque dh_Ys<1..2^16-1>;
1864 * } ServerDHParams;
1865 */
1866 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1867 {
1868 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
1869 return( ret );
1870 }
1871
1872 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
1873 {
1874 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
1875 ssl->handshake->dhm_ctx.len * 8,
1876 ssl->conf->dhm_min_bitlen ) );
1877 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1878 }
1879
1880 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1881 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1882 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1883
1884 return( ret );
1885}
1886#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1887 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1888
1889#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1890 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1891 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1892 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1893 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1894static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
1895{
1896 const mbedtls_ecp_curve_info *curve_info;
1897
1898 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
1899 if( curve_info == NULL )
1900 {
1901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1902 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1903 }
1904
1905 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
1906
1907#if defined(MBEDTLS_ECP_C)
1908 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
1909#else
1910 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1911 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1912#endif
1913 return( -1 );
1914
1915 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1916
1917 return( 0 );
1918}
1919#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1920 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1921 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1922 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1923 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1924
1925#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1926 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1927 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1928static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
1929 unsigned char **p,
1930 unsigned char *end )
1931{
1932 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1933
1934 /*
1935 * Ephemeral ECDH parameters:
1936 *
1937 * struct {
1938 * ECParameters curve_params;
1939 * ECPoint public;
1940 * } ServerECDHParams;
1941 */
1942 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
1943 (const unsigned char **) p, end ) ) != 0 )
1944 {
1945 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
1946 return( ret );
1947 }
1948
1949 if( ssl_check_server_ecdh_params( ssl ) != 0 )
1950 {
1951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
1952 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1953 }
1954
1955 return( ret );
1956}
1957#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1958 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1959 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1960
1961#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1962static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
1963 unsigned char **p,
1964 unsigned char *end )
1965{
1966 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1967 size_t len;
1968 ((void) ssl);
1969
1970 /*
1971 * PSK parameters:
1972 *
1973 * opaque psk_identity_hint<0..2^16-1>;
1974 */
1975 len = (*p)[0] << 8 | (*p)[1];
1976 *p += 2;
1977
1978 if( (*p) + len > end )
1979 {
1980 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1981 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1982 }
1983
1984 // TODO: Retrieve PSK identity hint and callback to app
1985 //
1986 *p += len;
1987 ret = 0;
1988
1989 return( ret );
1990}
1991#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
1992
1993#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1994 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1995/*
1996 * Generate a pre-master secret and encrypt it with the server's RSA key
1997 */
1998static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
1999 size_t offset, size_t *olen,
2000 size_t pms_offset )
2001{
2002 int ret;
2003 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2004 unsigned char *p = ssl->handshake->premaster + pms_offset;
2005
2006 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
2007 {
2008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2009 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2010 }
2011
2012 /*
2013 * Generate (part of) the pre-master as
2014 * struct {
2015 * ProtocolVersion client_version;
2016 * opaque random[46];
2017 * } PreMasterSecret;
2018 */
2019 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2020 ssl->conf->transport, p );
2021
2022 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2023 {
2024 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2025 return( ret );
2026 }
2027
2028 ssl->handshake->pmslen = 48;
2029
2030 if( ssl->session_negotiate->peer_cert == NULL )
2031 {
2032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2033 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2034 }
2035
2036 /*
2037 * Now write it out, encrypted
2038 */
2039 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2040 MBEDTLS_PK_RSA ) )
2041 {
2042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2043 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2044 }
2045
2046 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
2047 p, ssl->handshake->pmslen,
2048 ssl->out_msg + offset + len_bytes, olen,
2049 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
2050 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2051 {
2052 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2053 return( ret );
2054 }
2055
2056#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2057 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2058 if( len_bytes == 2 )
2059 {
2060 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2061 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2062 *olen += 2;
2063 }
2064#endif
2065
2066 return( 0 );
2067}
2068#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2069 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2070
2071#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2072#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2073 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2074 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2075static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2076 unsigned char **p,
2077 unsigned char *end,
2078 mbedtls_md_type_t *md_alg,
2079 mbedtls_pk_type_t *pk_alg )
2080{
2081 ((void) ssl);
2082 *md_alg = MBEDTLS_MD_NONE;
2083 *pk_alg = MBEDTLS_PK_NONE;
2084
2085 /* Only in TLS 1.2 */
2086 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2087 {
2088 return( 0 );
2089 }
2090
2091 if( (*p) + 2 > end )
2092 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2093
2094 /*
2095 * Get hash algorithm
2096 */
2097 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
2098 {
2099 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
2100 "HashAlgorithm %d", *(p)[0] ) );
2101 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2102 }
2103
2104 /*
2105 * Get signature algorithm
2106 */
2107 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
2108 {
2109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
2110 "SignatureAlgorithm %d", (*p)[1] ) );
2111 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2112 }
2113
2114 /*
2115 * Check if the hash is acceptable
2116 */
2117 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2118 {
2119 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm "
2120 "that was not offered" ) );
2121 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2122 }
2123
2124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2125 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
2126 *p += 2;
2127
2128 return( 0 );
2129}
2130#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2131 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2132 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2133#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2134
2135#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2136 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2137static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2138{
2139 int ret;
2140 const mbedtls_ecp_keypair *peer_key;
2141
2142 if( ssl->session_negotiate->peer_cert == NULL )
2143 {
2144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2145 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2146 }
2147
2148 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2149 MBEDTLS_PK_ECKEY ) )
2150 {
2151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2152 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2153 }
2154
2155 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
2156
2157 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2158 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2159 {
2160 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2161 return( ret );
2162 }
2163
2164 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2165 {
2166 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2167 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2168 }
2169
2170 return( ret );
2171}
2172#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2173 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2174
2175static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2176{
2177 int ret;
2178 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2179 unsigned char *p, *end;
2180
2181 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2182
2183#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2184 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2185 {
2186 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2187 ssl->state++;
2188 return( 0 );
2189 }
2190 ((void) p);
2191 ((void) end);
2192#endif
2193
2194#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2195 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2196 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2197 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2198 {
2199 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2200 {
2201 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2202 return( ret );
2203 }
2204
2205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2206 ssl->state++;
2207 return( 0 );
2208 }
2209 ((void) p);
2210 ((void) end);
2211#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2212 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2213
2214 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2215 {
2216 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2217 return( ret );
2218 }
2219
2220 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2221 {
2222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2223 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2224 }
2225
2226 /*
2227 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2228 * doesn't use a psk_identity_hint
2229 */
2230 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2231 {
2232 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2233 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2234 {
2235 ssl->record_read = 1;
2236 goto exit;
2237 }
2238
2239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2240 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2241 }
2242
2243 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2244 end = ssl->in_msg + ssl->in_hslen;
2245 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2246
2247#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2248 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2249 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2250 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2251 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2252 {
2253 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2254 {
2255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2256 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2257 }
2258 } /* FALLTROUGH */
2259#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2260
2261#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2262 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2263 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2264 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2265 ; /* nothing more to do */
2266 else
2267#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2268 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2269#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2270 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2271 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2272 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2273 {
2274 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2275 {
2276 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2277 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2278 }
2279 }
2280 else
2281#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2282 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2283#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2284 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2285 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2286 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2287 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2288 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2289 {
2290 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2291 {
2292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2293 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2294 }
2295 }
2296 else
2297#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2298 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2299 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2300#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2301 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2302 {
2303 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2304 p, end - p );
2305 if( ret != 0 )
2306 {
2307 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2308 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2309 }
2310 }
2311 else
2312#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2313 {
2314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2315 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2316 }
2317
2318#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2319 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2320 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2321 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2322 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2323 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2324 {
2325 size_t sig_len, hashlen;
2326 unsigned char hash[64];
2327 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2328 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2329 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2330 size_t params_len = p - params;
2331
2332 /*
2333 * Handle the digitally-signed structure
2334 */
2335#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2336 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2337 {
2338 if( ssl_parse_signature_algorithm( ssl, &p, end,
2339 &md_alg, &pk_alg ) != 0 )
2340 {
2341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2342 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2343 }
2344
2345 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2346 {
2347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2348 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2349 }
2350 }
2351 else
2352#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2353#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2354 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2355 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2356 {
2357 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2358
2359 /* Default hash for ECDSA is SHA-1 */
2360 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2361 md_alg = MBEDTLS_MD_SHA1;
2362 }
2363 else
2364#endif
2365 {
2366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2367 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2368 }
2369
2370 /*
2371 * Read signature
2372 */
2373 sig_len = ( p[0] << 8 ) | p[1];
2374 p += 2;
2375
2376 if( end != p + sig_len )
2377 {
2378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2379 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2380 }
2381
2382 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2383
2384 /*
2385 * Compute the hash that has been signed
2386 */
2387#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2388 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2389 if( md_alg == MBEDTLS_MD_NONE )
2390 {
2391 mbedtls_md5_context mbedtls_md5;
2392 mbedtls_sha1_context mbedtls_sha1;
2393
2394 mbedtls_md5_init( &mbedtls_md5 );
2395 mbedtls_sha1_init( &mbedtls_sha1 );
2396
2397 hashlen = 36;
2398
2399 /*
2400 * digitally-signed struct {
2401 * opaque md5_hash[16];
2402 * opaque sha_hash[20];
2403 * };
2404 *
2405 * md5_hash
2406 * MD5(ClientHello.random + ServerHello.random
2407 * + ServerParams);
2408 * sha_hash
2409 * SHA(ClientHello.random + ServerHello.random
2410 * + ServerParams);
2411 */
2412 mbedtls_md5_starts( &mbedtls_md5 );
2413 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
2414 mbedtls_md5_update( &mbedtls_md5, params, params_len );
2415 mbedtls_md5_finish( &mbedtls_md5, hash );
2416
2417 mbedtls_sha1_starts( &mbedtls_sha1 );
2418 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
2419 mbedtls_sha1_update( &mbedtls_sha1, params, params_len );
2420 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
2421
2422 mbedtls_md5_free( &mbedtls_md5 );
2423 mbedtls_sha1_free( &mbedtls_sha1 );
2424 }
2425 else
2426#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2427 MBEDTLS_SSL_PROTO_TLS1_1 */
2428#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2429 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2430 if( md_alg != MBEDTLS_MD_NONE )
2431 {
2432 mbedtls_md_context_t ctx;
2433
2434 mbedtls_md_init( &ctx );
2435
2436 /* Info from md_alg will be used instead */
2437 hashlen = 0;
2438
2439 /*
2440 * digitally-signed struct {
2441 * opaque client_random[32];
2442 * opaque server_random[32];
2443 * ServerDHParams params;
2444 * };
2445 */
2446 if( ( ret = mbedtls_md_setup( &ctx,
2447 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 )
2448 {
2449 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
2450 return( ret );
2451 }
2452
2453 mbedtls_md_starts( &ctx );
2454 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
2455 mbedtls_md_update( &ctx, params, params_len );
2456 mbedtls_md_finish( &ctx, hash );
2457 mbedtls_md_free( &ctx );
2458 }
2459 else
2460#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2461 MBEDTLS_SSL_PROTO_TLS1_2 */
2462 {
2463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2464 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2465 }
2466
2467 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2468 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
2469
2470 if( ssl->session_negotiate->peer_cert == NULL )
2471 {
2472 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2473 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2474 }
2475
2476 /*
2477 * Verify signature
2478 */
2479 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2480 {
2481 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2482 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2483 }
2484
2485 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
2486 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
2487 {
2488 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
2489 return( ret );
2490 }
2491 }
2492#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2493 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2494 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2495
2496exit:
2497 ssl->state++;
2498
2499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2500
2501 return( 0 );
2502}
2503
2504#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2505 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2506 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2507 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2508static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2509{
2510 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2511
2512 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2513
2514 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2515 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2516 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2517 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2518 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2519 {
2520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2521 ssl->state++;
2522 return( 0 );
2523 }
2524
2525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2526 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2527}
2528#else
2529static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2530{
2531 int ret;
2532 unsigned char *buf, *p;
2533 size_t n = 0, m = 0;
2534 size_t cert_type_len = 0, dn_len = 0;
2535 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2536
2537 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2538
2539 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2540 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2541 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2542 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2543 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2544 {
2545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2546 ssl->state++;
2547 return( 0 );
2548 }
2549
2550 if( ssl->record_read == 0 )
2551 {
2552 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2553 {
2554 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2555 return( ret );
2556 }
2557
2558 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2559 {
2560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2561 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2562 }
2563
2564 ssl->record_read = 1;
2565 }
2566
2567 ssl->client_auth = 0;
2568 ssl->state++;
2569
2570 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST )
2571 ssl->client_auth++;
2572
2573 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
2574 ssl->client_auth ? "a" : "no" ) );
2575
2576 if( ssl->client_auth == 0 )
2577 goto exit;
2578
2579 ssl->record_read = 0;
2580
2581 // TODO: handshake_failure alert for an anonymous server to request
2582 // client authentication
2583
2584 /*
2585 * struct {
2586 * ClientCertificateType certificate_types<1..2^8-1>;
2587 * SignatureAndHashAlgorithm
2588 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2589 * DistinguishedName certificate_authorities<0..2^16-1>;
2590 * } CertificateRequest;
2591 */
2592 buf = ssl->in_msg;
2593
2594 // Retrieve cert types
2595 //
2596 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
2597 n = cert_type_len;
2598
2599 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
2600 {
2601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2602 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2603 }
2604
2605 p = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 1;
2606 while( cert_type_len > 0 )
2607 {
2608#if defined(MBEDTLS_RSA_C)
2609 if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN &&
2610 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
2611 {
2612 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2613 break;
2614 }
2615 else
2616#endif
2617#if defined(MBEDTLS_ECDSA_C)
2618 if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN &&
2619 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
2620 {
2621 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2622 break;
2623 }
2624 else
2625#endif
2626 {
2627 ; /* Unsupported cert type, ignore */
2628 }
2629
2630 cert_type_len--;
2631 p++;
2632 }
2633
2634#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2635 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2636 {
2637 /* Ignored, see comments about hash in write_certificate_verify */
2638 // TODO: should check the signature part against our pk_key though
2639 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2640 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
2641
2642 m += 2;
2643 n += sig_alg_len;
2644
2645 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
2646 {
2647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2648 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2649 }
2650 }
2651#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2652
2653 /* Ignore certificate_authorities, we only have one cert anyway */
2654 // TODO: should not send cert if no CA matches
2655 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + m + n] << 8 )
2656 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + m + n] ) );
2657
2658 n += dn_len;
2659 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + m + n )
2660 {
2661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2662 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2663 }
2664
2665exit:
2666 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2667
2668 return( 0 );
2669}
2670#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2671 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2672 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2673 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2674
2675static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
2676{
2677 int ret;
2678
2679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
2680
2681 if( ssl->record_read == 0 )
2682 {
2683 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2684 {
2685 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2686 return( ret );
2687 }
2688
2689 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2690 {
2691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2692 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2693 }
2694 }
2695 ssl->record_read = 0;
2696
2697 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
2698 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
2699 {
2700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2701 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
2702 }
2703
2704 ssl->state++;
2705
2706#if defined(MBEDTLS_SSL_PROTO_DTLS)
2707 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2708 mbedtls_ssl_recv_flight_completed( ssl );
2709#endif
2710
2711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
2712
2713 return( 0 );
2714}
2715
2716static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
2717{
2718 int ret;
2719 size_t i, n;
2720 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2721
2722 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
2723
2724#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
2725 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
2726 {
2727 /*
2728 * DHM key exchange -- send G^X mod P
2729 */
2730 n = ssl->handshake->dhm_ctx.len;
2731
2732 ssl->out_msg[4] = (unsigned char)( n >> 8 );
2733 ssl->out_msg[5] = (unsigned char)( n );
2734 i = 6;
2735
2736 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2737 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
2738 &ssl->out_msg[i], n,
2739 ssl->conf->f_rng, ssl->conf->p_rng );
2740 if( ret != 0 )
2741 {
2742 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
2743 return( ret );
2744 }
2745
2746 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2747 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2748
2749 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
2750 ssl->handshake->premaster,
2751 MBEDTLS_PREMASTER_SIZE,
2752 &ssl->handshake->pmslen,
2753 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2754 {
2755 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
2756 return( ret );
2757 }
2758
2759 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2760 }
2761 else
2762#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2763#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2764 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2765 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2766 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2767 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2768 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2769 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2770 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2771 {
2772 /*
2773 * ECDH key exchange -- send client public value
2774 */
2775 i = 4;
2776
2777 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
2778 &n,
2779 &ssl->out_msg[i], 1000,
2780 ssl->conf->f_rng, ssl->conf->p_rng );
2781 if( ret != 0 )
2782 {
2783 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
2784 return( ret );
2785 }
2786
2787 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2788
2789 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2790 &ssl->handshake->pmslen,
2791 ssl->handshake->premaster,
2792 MBEDTLS_MPI_MAX_SIZE,
2793 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2794 {
2795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
2796 return( ret );
2797 }
2798
2799 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
2800 }
2801 else
2802#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2803 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2804 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2805 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2806#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2807 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2808 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2809 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2810 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2811 {
2812 /*
2813 * opaque psk_identity<0..2^16-1>;
2814 */
2815 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
2816 {
2817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
2818 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
2819 }
2820
2821 i = 4;
2822 n = ssl->conf->psk_identity_len;
2823
2824 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2825 {
2826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
2827 "SSL buffer too short" ) );
2828 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2829 }
2830
2831 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2832 ssl->out_msg[i++] = (unsigned char)( n );
2833
2834 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
2835 i += ssl->conf->psk_identity_len;
2836
2837#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
2838 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
2839 {
2840 n = 0;
2841 }
2842 else
2843#endif
2844#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2845 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2846 {
2847 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
2848 return( ret );
2849 }
2850 else
2851#endif
2852#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2853 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2854 {
2855 /*
2856 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2857 */
2858 n = ssl->handshake->dhm_ctx.len;
2859
2860 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2861 {
2862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
2863 " or SSL buffer too short" ) );
2864 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2865 }
2866
2867 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2868 ssl->out_msg[i++] = (unsigned char)( n );
2869
2870 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2871 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
2872 &ssl->out_msg[i], n,
2873 ssl->conf->f_rng, ssl->conf->p_rng );
2874 if( ret != 0 )
2875 {
2876 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
2877 return( ret );
2878 }
2879 }
2880 else
2881#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2882#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2883 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2884 {
2885 /*
2886 * ClientECDiffieHellmanPublic public;
2887 */
2888 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2889 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
2890 ssl->conf->f_rng, ssl->conf->p_rng );
2891 if( ret != 0 )
2892 {
2893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
2894 return( ret );
2895 }
2896
2897 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2898 }
2899 else
2900#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2901 {
2902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2903 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2904 }
2905
2906 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
2907 ciphersuite_info->key_exchange ) ) != 0 )
2908 {
2909 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
2910 return( ret );
2911 }
2912 }
2913 else
2914#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2915#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2916 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2917 {
2918 i = 4;
2919 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
2920 return( ret );
2921 }
2922 else
2923#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
2924#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2925 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2926 {
2927 i = 4;
2928
2929 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
2930 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n,
2931 ssl->conf->f_rng, ssl->conf->p_rng );
2932 if( ret != 0 )
2933 {
2934 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
2935 return( ret );
2936 }
2937
2938 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
2939 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
2940 ssl->conf->f_rng, ssl->conf->p_rng );
2941 if( ret != 0 )
2942 {
2943 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
2944 return( ret );
2945 }
2946 }
2947 else
2948#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
2949 {
2950 ((void) ciphersuite_info);
2951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2952 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2953 }
2954
2955 ssl->out_msglen = i + n;
2956 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2957 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
2958
2959 ssl->state++;
2960
2961 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
2962 {
2963 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2964 return( ret );
2965 }
2966
2967 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
2968
2969 return( 0 );
2970}
2971
2972#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2973 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2974 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2975 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2976static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
2977{
2978 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2979 int ret;
2980
2981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2982
2983 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2984 {
2985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2986 return( ret );
2987 }
2988
2989 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2990 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2991 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2992 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2993 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2994 {
2995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2996 ssl->state++;
2997 return( 0 );
2998 }
2999
3000 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3001 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3002}
3003#else
3004static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3005{
3006 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3007 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3008 size_t n = 0, offset = 0;
3009 unsigned char hash[48];
3010 unsigned char *hash_start = hash;
3011 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3012 unsigned int hashlen;
3013
3014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3015
3016 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3017 {
3018 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3019 return( ret );
3020 }
3021
3022 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3023 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3024 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3025 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3026 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3027 {
3028 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3029 ssl->state++;
3030 return( 0 );
3031 }
3032
3033 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3034 {
3035 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3036 ssl->state++;
3037 return( 0 );
3038 }
3039
3040 if( mbedtls_ssl_own_key( ssl ) == NULL )
3041 {
3042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3043 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3044 }
3045
3046 /*
3047 * Make an RSA signature of the handshake digests
3048 */
3049 ssl->handshake->calc_verify( ssl, hash );
3050
3051#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3052 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3053 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3054 {
3055 /*
3056 * digitally-signed struct {
3057 * opaque md5_hash[16];
3058 * opaque sha_hash[20];
3059 * };
3060 *
3061 * md5_hash
3062 * MD5(handshake_messages);
3063 *
3064 * sha_hash
3065 * SHA(handshake_messages);
3066 */
3067 hashlen = 36;
3068 md_alg = MBEDTLS_MD_NONE;
3069
3070 /*
3071 * For ECDSA, default hash is SHA-1 only
3072 */
3073 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
3074 {
3075 hash_start += 16;
3076 hashlen -= 16;
3077 md_alg = MBEDTLS_MD_SHA1;
3078 }
3079 }
3080 else
3081#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3082 MBEDTLS_SSL_PROTO_TLS1_1 */
3083#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3084 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3085 {
3086 /*
3087 * digitally-signed struct {
3088 * opaque handshake_messages[handshake_messages_length];
3089 * };
3090 *
3091 * Taking shortcut here. We assume that the server always allows the
3092 * PRF Hash function and has sent it in the allowed signature
3093 * algorithms list received in the Certificate Request message.
3094 *
3095 * Until we encounter a server that does not, we will take this
3096 * shortcut.
3097 *
3098 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3099 * in order to satisfy 'weird' needs from the server side.
3100 */
3101 if( ssl->transform_negotiate->ciphersuite_info->mac ==
3102 MBEDTLS_MD_SHA384 )
3103 {
3104 md_alg = MBEDTLS_MD_SHA384;
3105 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3106 }
3107 else
3108 {
3109 md_alg = MBEDTLS_MD_SHA256;
3110 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3111 }
3112 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
3113
3114 /* Info from md_alg will be used instead */
3115 hashlen = 0;
3116 offset = 2;
3117 }
3118 else
3119#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3120 {
3121 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3122 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3123 }
3124
3125 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
3126 ssl->out_msg + 6 + offset, &n,
3127 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3128 {
3129 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3130 return( ret );
3131 }
3132
3133 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3134 ssl->out_msg[5 + offset] = (unsigned char)( n );
3135
3136 ssl->out_msglen = 6 + n + offset;
3137 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3138 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3139
3140 ssl->state++;
3141
3142 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
3143 {
3144 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
3145 return( ret );
3146 }
3147
3148 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3149
3150 return( ret );
3151}
3152#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3153 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3154 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
3155
3156#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3157static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3158{
3159 int ret;
3160 uint32_t lifetime;
3161 size_t ticket_len;
3162 unsigned char *ticket;
3163 const unsigned char *msg;
3164
3165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3166
3167 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
3168 {
3169 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3170 return( ret );
3171 }
3172
3173 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3174 {
3175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3176 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3177 }
3178
3179 /*
3180 * struct {
3181 * uint32 ticket_lifetime_hint;
3182 * opaque ticket<0..2^16-1>;
3183 * } NewSessionTicket;
3184 *
3185 * 0 . 3 ticket_lifetime_hint
3186 * 4 . 5 ticket_len (n)
3187 * 6 . 5+n ticket content
3188 */
3189 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3190 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3191 {
3192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3193 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3194 }
3195
3196 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3197
3198 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) |
3199 ( msg[2] << 8 ) | ( msg[3] );
3200
3201 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3202
3203 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3204 {
3205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3206 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3207 }
3208
3209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3210
3211 /* We're not waiting for a NewSessionTicket message any more */
3212 ssl->handshake->new_session_ticket = 0;
3213 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3214
3215 /*
3216 * Zero-length ticket means the server changed his mind and doesn't want
3217 * to send a ticket after all, so just forget it
3218 */
3219 if( ticket_len == 0 )
3220 return( 0 );
3221
3222 mbedtls_zeroize( ssl->session_negotiate->ticket,
3223 ssl->session_negotiate->ticket_len );
3224 mbedtls_free( ssl->session_negotiate->ticket );
3225 ssl->session_negotiate->ticket = NULL;
3226 ssl->session_negotiate->ticket_len = 0;
3227
3228 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3229 {
3230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3231 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3232 }
3233
3234 memcpy( ticket, msg + 6, ticket_len );
3235
3236 ssl->session_negotiate->ticket = ticket;
3237 ssl->session_negotiate->ticket_len = ticket_len;
3238 ssl->session_negotiate->ticket_lifetime = lifetime;
3239
3240 /*
3241 * RFC 5077 section 3.4:
3242 * "If the client receives a session ticket from the server, then it
3243 * discards any Session ID that was sent in the ServerHello."
3244 */
3245 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3246 ssl->session_negotiate->id_len = 0;
3247
3248 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3249
3250 return( 0 );
3251}
3252#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3253
3254/*
3255 * SSL handshake -- client side -- single step
3256 */
3257int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3258{
3259 int ret = 0;
3260
3261 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3262 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3263
3264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3265
3266 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3267 return( ret );
3268
3269#if defined(MBEDTLS_SSL_PROTO_DTLS)
3270 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3271 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3272 {
3273 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3274 return( ret );
3275 }
3276#endif
3277
3278 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3279 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3280#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3281 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3282 ssl->handshake->new_session_ticket != 0 )
3283 {
3284 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3285 }
3286#endif
3287
3288 switch( ssl->state )
3289 {
3290 case MBEDTLS_SSL_HELLO_REQUEST:
3291 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3292 break;
3293
3294 /*
3295 * ==> ClientHello
3296 */
3297 case MBEDTLS_SSL_CLIENT_HELLO:
3298 ret = ssl_write_client_hello( ssl );
3299 break;
3300
3301 /*
3302 * <== ServerHello
3303 * Certificate
3304 * ( ServerKeyExchange )
3305 * ( CertificateRequest )
3306 * ServerHelloDone
3307 */
3308 case MBEDTLS_SSL_SERVER_HELLO:
3309 ret = ssl_parse_server_hello( ssl );
3310 break;
3311
3312 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3313 ret = mbedtls_ssl_parse_certificate( ssl );
3314 break;
3315
3316 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3317 ret = ssl_parse_server_key_exchange( ssl );
3318 break;
3319
3320 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3321 ret = ssl_parse_certificate_request( ssl );
3322 break;
3323
3324 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3325 ret = ssl_parse_server_hello_done( ssl );
3326 break;
3327
3328 /*
3329 * ==> ( Certificate/Alert )
3330 * ClientKeyExchange
3331 * ( CertificateVerify )
3332 * ChangeCipherSpec
3333 * Finished
3334 */
3335 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3336 ret = mbedtls_ssl_write_certificate( ssl );
3337 break;
3338
3339 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3340 ret = ssl_write_client_key_exchange( ssl );
3341 break;
3342
3343 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3344 ret = ssl_write_certificate_verify( ssl );
3345 break;
3346
3347 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3348 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
3349 break;
3350
3351 case MBEDTLS_SSL_CLIENT_FINISHED:
3352 ret = mbedtls_ssl_write_finished( ssl );
3353 break;
3354
3355 /*
3356 * <== ( NewSessionTicket )
3357 * ChangeCipherSpec
3358 * Finished
3359 */
3360#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3361 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
3362 ret = ssl_parse_new_session_ticket( ssl );
3363 break;
3364#endif
3365
3366 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3367 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
3368 break;
3369
3370 case MBEDTLS_SSL_SERVER_FINISHED:
3371 ret = mbedtls_ssl_parse_finished( ssl );
3372 break;
3373
3374 case MBEDTLS_SSL_FLUSH_BUFFERS:
3375 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3376 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3377 break;
3378
3379 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3380 mbedtls_ssl_handshake_wrapup( ssl );
3381 break;
3382
3383 default:
3384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3385 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3386 }
3387
3388 return( ret );
3389}
3390#endif /* MBEDTLS_SSL_CLI_C */
Note: See TracBrowser for help on using the repository browser.