ssl_cli.c 127 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914
  1. /*
  2. * SSLv3/TLSv1 client-side functions
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  6. *
  7. * This file is provided under the Apache License 2.0, or the
  8. * GNU General Public License v2.0 or later.
  9. *
  10. * **********
  11. * Apache License 2.0:
  12. *
  13. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  14. * not use this file except in compliance with the License.
  15. * You may obtain a copy of the License at
  16. *
  17. * http://www.apache.org/licenses/LICENSE-2.0
  18. *
  19. * Unless required by applicable law or agreed to in writing, software
  20. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  21. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  22. * See the License for the specific language governing permissions and
  23. * limitations under the License.
  24. *
  25. * **********
  26. *
  27. * **********
  28. * GNU General Public License v2.0 or later:
  29. *
  30. * This program is free software; you can redistribute it and/or modify
  31. * it under the terms of the GNU General Public License as published by
  32. * the Free Software Foundation; either version 2 of the License, or
  33. * (at your option) any later version.
  34. *
  35. * This program is distributed in the hope that it will be useful,
  36. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  37. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  38. * GNU General Public License for more details.
  39. *
  40. * You should have received a copy of the GNU General Public License along
  41. * with this program; if not, write to the Free Software Foundation, Inc.,
  42. * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  43. *
  44. * **********
  45. */
  46. #if !defined(MBEDTLS_CONFIG_FILE)
  47. #include "mbedtls/config.h"
  48. #else
  49. #include MBEDTLS_CONFIG_FILE
  50. #endif
  51. #if defined(MBEDTLS_SSL_CLI_C)
  52. #if defined(MBEDTLS_PLATFORM_C)
  53. #include "mbedtls/platform.h"
  54. #else
  55. #include <stdlib.h>
  56. #define mbedtls_calloc calloc
  57. #define mbedtls_free free
  58. #endif
  59. #include "mbedtls/debug.h"
  60. #include "mbedtls/ssl.h"
  61. #include "mbedtls/ssl_internal.h"
  62. #include <string.h>
  63. #include <stdint.h>
  64. #if defined(MBEDTLS_HAVE_TIME)
  65. #include "mbedtls/platform_time.h"
  66. #endif
  67. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  68. #include "mbedtls/platform_util.h"
  69. #endif
  70. #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  71. static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
  72. unsigned char *buf,
  73. const unsigned char *end,
  74. size_t *olen )
  75. {
  76. unsigned char *p = buf;
  77. size_t hostname_len;
  78. *olen = 0;
  79. if( ssl->hostname == NULL )
  80. return( 0 );
  81. MBEDTLS_SSL_DEBUG_MSG( 3,
  82. ( "client hello, adding server name extension: %s",
  83. ssl->hostname ) );
  84. hostname_len = strlen( ssl->hostname );
  85. MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
  86. /*
  87. * Sect. 3, RFC 6066 (TLS Extensions Definitions)
  88. *
  89. * In order to provide any of the server names, clients MAY include an
  90. * extension of type "server_name" in the (extended) client hello. The
  91. * "extension_data" field of this extension SHALL contain
  92. * "ServerNameList" where:
  93. *
  94. * struct {
  95. * NameType name_type;
  96. * select (name_type) {
  97. * case host_name: HostName;
  98. * } name;
  99. * } ServerName;
  100. *
  101. * enum {
  102. * host_name(0), (255)
  103. * } NameType;
  104. *
  105. * opaque HostName<1..2^16-1>;
  106. *
  107. * struct {
  108. * ServerName server_name_list<1..2^16-1>
  109. * } ServerNameList;
  110. *
  111. */
  112. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
  113. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
  114. *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
  115. *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
  116. *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
  117. *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
  118. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
  119. *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
  120. *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
  121. memcpy( p, ssl->hostname, hostname_len );
  122. *olen = hostname_len + 9;
  123. return( 0 );
  124. }
  125. #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
  126. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  127. static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
  128. unsigned char *buf,
  129. const unsigned char *end,
  130. size_t *olen )
  131. {
  132. unsigned char *p = buf;
  133. *olen = 0;
  134. /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
  135. * initial ClientHello, in which case also adding the renegotiation
  136. * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
  137. if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
  138. return( 0 );
  139. MBEDTLS_SSL_DEBUG_MSG( 3,
  140. ( "client hello, adding renegotiation extension" ) );
  141. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len );
  142. /*
  143. * Secure renegotiation
  144. */
  145. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
  146. & 0xFF );
  147. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
  148. & 0xFF );
  149. *p++ = 0x00;
  150. *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
  151. *p++ = ssl->verify_data_len & 0xFF;
  152. memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
  153. *olen = 5 + ssl->verify_data_len;
  154. return( 0 );
  155. }
  156. #endif /* MBEDTLS_SSL_RENEGOTIATION */
  157. /*
  158. * Only if we handle at least one key exchange that needs signatures.
  159. */
  160. #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
  161. defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
  162. static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
  163. unsigned char *buf,
  164. const unsigned char *end,
  165. size_t *olen )
  166. {
  167. unsigned char *p = buf;
  168. size_t sig_alg_len = 0;
  169. const int *md;
  170. #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
  171. unsigned char *sig_alg_list = buf + 6;
  172. #endif
  173. *olen = 0;
  174. if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
  175. return( 0 );
  176. MBEDTLS_SSL_DEBUG_MSG( 3,
  177. ( "client hello, adding signature_algorithms extension" ) );
  178. if( ssl->conf->sig_hashes == NULL )
  179. return( MBEDTLS_ERR_SSL_BAD_CONFIG );
  180. for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
  181. {
  182. #if defined(MBEDTLS_ECDSA_C)
  183. sig_alg_len += 2;
  184. #endif
  185. #if defined(MBEDTLS_RSA_C)
  186. sig_alg_len += 2;
  187. #endif
  188. if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
  189. {
  190. MBEDTLS_SSL_DEBUG_MSG( 3,
  191. ( "length in bytes of sig-hash-alg extension too big" ) );
  192. return( MBEDTLS_ERR_SSL_BAD_CONFIG );
  193. }
  194. }
  195. /* Empty signature algorithms list, this is a configuration error. */
  196. if( sig_alg_len == 0 )
  197. return( MBEDTLS_ERR_SSL_BAD_CONFIG );
  198. MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
  199. /*
  200. * Prepare signature_algorithms extension (TLS 1.2)
  201. */
  202. sig_alg_len = 0;
  203. for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
  204. {
  205. #if defined(MBEDTLS_ECDSA_C)
  206. sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
  207. sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
  208. #endif
  209. #if defined(MBEDTLS_RSA_C)
  210. sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
  211. sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
  212. #endif
  213. }
  214. /*
  215. * enum {
  216. * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
  217. * sha512(6), (255)
  218. * } HashAlgorithm;
  219. *
  220. * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
  221. * SignatureAlgorithm;
  222. *
  223. * struct {
  224. * HashAlgorithm hash;
  225. * SignatureAlgorithm signature;
  226. * } SignatureAndHashAlgorithm;
  227. *
  228. * SignatureAndHashAlgorithm
  229. * supported_signature_algorithms<2..2^16-2>;
  230. */
  231. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
  232. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
  233. *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
  234. *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
  235. *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
  236. *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
  237. *olen = 6 + sig_alg_len;
  238. return( 0 );
  239. }
  240. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
  241. MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
  242. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
  243. defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  244. static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
  245. unsigned char *buf,
  246. const unsigned char *end,
  247. size_t *olen )
  248. {
  249. unsigned char *p = buf;
  250. unsigned char *elliptic_curve_list = p + 6;
  251. size_t elliptic_curve_len = 0;
  252. const mbedtls_ecp_curve_info *info;
  253. const mbedtls_ecp_group_id *grp_id;
  254. *olen = 0;
  255. MBEDTLS_SSL_DEBUG_MSG( 3,
  256. ( "client hello, adding supported_elliptic_curves extension" ) );
  257. if( ssl->conf->curve_list == NULL )
  258. return( MBEDTLS_ERR_SSL_BAD_CONFIG );
  259. for( grp_id = ssl->conf->curve_list;
  260. *grp_id != MBEDTLS_ECP_DP_NONE;
  261. grp_id++ )
  262. {
  263. info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
  264. if( info == NULL )
  265. {
  266. MBEDTLS_SSL_DEBUG_MSG( 1,
  267. ( "invalid curve in ssl configuration" ) );
  268. return( MBEDTLS_ERR_SSL_BAD_CONFIG );
  269. }
  270. elliptic_curve_len += 2;
  271. if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
  272. {
  273. MBEDTLS_SSL_DEBUG_MSG( 3,
  274. ( "malformed supported_elliptic_curves extension in config" ) );
  275. return( MBEDTLS_ERR_SSL_BAD_CONFIG );
  276. }
  277. }
  278. /* Empty elliptic curve list, this is a configuration error. */
  279. if( elliptic_curve_len == 0 )
  280. return( MBEDTLS_ERR_SSL_BAD_CONFIG );
  281. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
  282. elliptic_curve_len = 0;
  283. for( grp_id = ssl->conf->curve_list;
  284. *grp_id != MBEDTLS_ECP_DP_NONE;
  285. grp_id++ )
  286. {
  287. info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
  288. elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
  289. elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
  290. }
  291. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
  292. & 0xFF );
  293. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES )
  294. & 0xFF );
  295. *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
  296. *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
  297. *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
  298. *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
  299. *olen = 6 + elliptic_curve_len;
  300. return( 0 );
  301. }
  302. static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
  303. unsigned char *buf,
  304. const unsigned char *end,
  305. size_t *olen )
  306. {
  307. unsigned char *p = buf;
  308. (void) ssl; /* ssl used for debugging only */
  309. *olen = 0;
  310. MBEDTLS_SSL_DEBUG_MSG( 3,
  311. ( "client hello, adding supported_point_formats extension" ) );
  312. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
  313. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
  314. & 0xFF );
  315. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS )
  316. & 0xFF );
  317. *p++ = 0x00;
  318. *p++ = 2;
  319. *p++ = 1;
  320. *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
  321. *olen = 6;
  322. return( 0 );
  323. }
  324. #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
  325. MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  326. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  327. static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
  328. unsigned char *buf,
  329. const unsigned char *end,
  330. size_t *olen )
  331. {
  332. int ret;
  333. unsigned char *p = buf;
  334. size_t kkpp_len;
  335. *olen = 0;
  336. /* Skip costly extension if we can't use EC J-PAKE anyway */
  337. if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
  338. return( 0 );
  339. MBEDTLS_SSL_DEBUG_MSG( 3,
  340. ( "client hello, adding ecjpake_kkpp extension" ) );
  341. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
  342. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
  343. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
  344. /*
  345. * We may need to send ClientHello multiple times for Hello verification.
  346. * We don't want to compute fresh values every time (both for performance
  347. * and consistency reasons), so cache the extension content.
  348. */
  349. if( ssl->handshake->ecjpake_cache == NULL ||
  350. ssl->handshake->ecjpake_cache_len == 0 )
  351. {
  352. MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
  353. ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
  354. p + 2, end - p - 2, &kkpp_len,
  355. ssl->conf->f_rng, ssl->conf->p_rng );
  356. if( ret != 0 )
  357. {
  358. MBEDTLS_SSL_DEBUG_RET( 1 ,
  359. "mbedtls_ecjpake_write_round_one", ret );
  360. return( ret );
  361. }
  362. ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
  363. if( ssl->handshake->ecjpake_cache == NULL )
  364. {
  365. MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
  366. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  367. }
  368. memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
  369. ssl->handshake->ecjpake_cache_len = kkpp_len;
  370. }
  371. else
  372. {
  373. MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
  374. kkpp_len = ssl->handshake->ecjpake_cache_len;
  375. MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
  376. memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
  377. }
  378. *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
  379. *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
  380. *olen = kkpp_len + 4;
  381. return( 0 );
  382. }
  383. #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  384. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  385. static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
  386. unsigned char *buf,
  387. const unsigned char *end,
  388. size_t *olen )
  389. {
  390. unsigned char *p = buf;
  391. *olen = 0;
  392. if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
  393. return( 0 );
  394. MBEDTLS_SSL_DEBUG_MSG( 3,
  395. ( "client hello, adding max_fragment_length extension" ) );
  396. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
  397. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
  398. & 0xFF );
  399. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
  400. & 0xFF );
  401. *p++ = 0x00;
  402. *p++ = 1;
  403. *p++ = ssl->conf->mfl_code;
  404. *olen = 5;
  405. return( 0 );
  406. }
  407. #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
  408. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  409. static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
  410. unsigned char *buf,
  411. const unsigned char *end,
  412. size_t *olen )
  413. {
  414. unsigned char *p = buf;
  415. *olen = 0;
  416. if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
  417. return( 0 );
  418. MBEDTLS_SSL_DEBUG_MSG( 3,
  419. ( "client hello, adding truncated_hmac extension" ) );
  420. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
  421. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
  422. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
  423. *p++ = 0x00;
  424. *p++ = 0x00;
  425. *olen = 4;
  426. return( 0 );
  427. }
  428. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  429. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  430. static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
  431. unsigned char *buf,
  432. const unsigned char *end,
  433. size_t *olen )
  434. {
  435. unsigned char *p = buf;
  436. *olen = 0;
  437. if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
  438. ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
  439. return( 0 );
  440. MBEDTLS_SSL_DEBUG_MSG( 3,
  441. ( "client hello, adding encrypt_then_mac extension" ) );
  442. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
  443. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
  444. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
  445. *p++ = 0x00;
  446. *p++ = 0x00;
  447. *olen = 4;
  448. return( 0 );
  449. }
  450. #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
  451. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  452. static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
  453. unsigned char *buf,
  454. const unsigned char *end,
  455. size_t *olen )
  456. {
  457. unsigned char *p = buf;
  458. *olen = 0;
  459. if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
  460. ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
  461. return( 0 );
  462. MBEDTLS_SSL_DEBUG_MSG( 3,
  463. ( "client hello, adding extended_master_secret extension" ) );
  464. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
  465. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
  466. & 0xFF );
  467. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET )
  468. & 0xFF );
  469. *p++ = 0x00;
  470. *p++ = 0x00;
  471. *olen = 4;
  472. return( 0 );
  473. }
  474. #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
  475. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  476. static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
  477. unsigned char *buf,
  478. const unsigned char *end,
  479. size_t *olen )
  480. {
  481. unsigned char *p = buf;
  482. size_t tlen = ssl->session_negotiate->ticket_len;
  483. *olen = 0;
  484. if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
  485. return( 0 );
  486. MBEDTLS_SSL_DEBUG_MSG( 3,
  487. ( "client hello, adding session ticket extension" ) );
  488. /* The addition is safe here since the ticket length is 16 bit. */
  489. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
  490. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
  491. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
  492. *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
  493. *p++ = (unsigned char)( ( tlen ) & 0xFF );
  494. *olen = 4;
  495. if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
  496. return( 0 );
  497. MBEDTLS_SSL_DEBUG_MSG( 3,
  498. ( "sending session ticket of length %d", tlen ) );
  499. memcpy( p, ssl->session_negotiate->ticket, tlen );
  500. *olen += tlen;
  501. return( 0 );
  502. }
  503. #endif /* MBEDTLS_SSL_SESSION_TICKETS */
  504. #if defined(MBEDTLS_SSL_ALPN)
  505. static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
  506. unsigned char *buf,
  507. const unsigned char *end,
  508. size_t *olen )
  509. {
  510. unsigned char *p = buf;
  511. size_t alpnlen = 0;
  512. const char **cur;
  513. *olen = 0;
  514. if( ssl->conf->alpn_list == NULL )
  515. return( 0 );
  516. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
  517. for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
  518. alpnlen += strlen( *cur ) + 1;
  519. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
  520. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
  521. *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
  522. /*
  523. * opaque ProtocolName<1..2^8-1>;
  524. *
  525. * struct {
  526. * ProtocolName protocol_name_list<2..2^16-1>
  527. * } ProtocolNameList;
  528. */
  529. /* Skip writing extension and list length for now */
  530. p += 4;
  531. for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
  532. {
  533. /*
  534. * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
  535. * protocol names is less than 255.
  536. */
  537. *p = (unsigned char)strlen( *cur );
  538. memcpy( p + 1, *cur, *p );
  539. p += 1 + *p;
  540. }
  541. *olen = p - buf;
  542. /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
  543. buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
  544. buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
  545. /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
  546. buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
  547. buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
  548. return( 0 );
  549. }
  550. #endif /* MBEDTLS_SSL_ALPN */
  551. /*
  552. * Generate random bytes for ClientHello
  553. */
  554. static int ssl_generate_random( mbedtls_ssl_context *ssl )
  555. {
  556. int ret;
  557. unsigned char *p = ssl->handshake->randbytes;
  558. #if defined(MBEDTLS_HAVE_TIME)
  559. mbedtls_time_t t;
  560. #endif
  561. /*
  562. * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
  563. */
  564. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  565. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  566. ssl->handshake->verify_cookie != NULL )
  567. {
  568. return( 0 );
  569. }
  570. #endif
  571. #if defined(MBEDTLS_HAVE_TIME)
  572. t = mbedtls_time( NULL );
  573. *p++ = (unsigned char)( t >> 24 );
  574. *p++ = (unsigned char)( t >> 16 );
  575. *p++ = (unsigned char)( t >> 8 );
  576. *p++ = (unsigned char)( t );
  577. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
  578. #else
  579. if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
  580. return( ret );
  581. p += 4;
  582. #endif /* MBEDTLS_HAVE_TIME */
  583. if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
  584. return( ret );
  585. return( 0 );
  586. }
  587. /**
  588. * \brief Validate cipher suite against config in SSL context.
  589. *
  590. * \param suite_info cipher suite to validate
  591. * \param ssl SSL context
  592. * \param min_minor_ver Minimal minor version to accept a cipher suite
  593. * \param max_minor_ver Maximal minor version to accept a cipher suite
  594. *
  595. * \return 0 if valid, else 1
  596. */
  597. static int ssl_validate_ciphersuite(
  598. const mbedtls_ssl_ciphersuite_t * suite_info,
  599. const mbedtls_ssl_context * ssl,
  600. int min_minor_ver, int max_minor_ver )
  601. {
  602. (void) ssl;
  603. if( suite_info == NULL )
  604. return( 1 );
  605. if( suite_info->min_minor_ver > max_minor_ver ||
  606. suite_info->max_minor_ver < min_minor_ver )
  607. return( 1 );
  608. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  609. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  610. ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
  611. return( 1 );
  612. #endif
  613. #if defined(MBEDTLS_ARC4_C)
  614. if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
  615. suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
  616. return( 1 );
  617. #endif
  618. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  619. if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
  620. mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
  621. return( 1 );
  622. #endif
  623. return( 0 );
  624. }
  625. static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
  626. {
  627. int ret;
  628. size_t i, n, olen, ext_len = 0;
  629. unsigned char *buf;
  630. unsigned char *p, *q;
  631. const unsigned char *end;
  632. unsigned char offer_compress;
  633. const int *ciphersuites;
  634. const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
  635. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
  636. defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  637. int uses_ec = 0;
  638. #endif
  639. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
  640. if( ssl->conf->f_rng == NULL )
  641. {
  642. MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
  643. return( MBEDTLS_ERR_SSL_NO_RNG );
  644. }
  645. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  646. if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
  647. #endif
  648. {
  649. ssl->major_ver = ssl->conf->min_major_ver;
  650. ssl->minor_ver = ssl->conf->min_minor_ver;
  651. }
  652. if( ssl->conf->max_major_ver == 0 )
  653. {
  654. MBEDTLS_SSL_DEBUG_MSG( 1,
  655. ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
  656. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  657. }
  658. buf = ssl->out_msg;
  659. end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
  660. /*
  661. * Check if there's enough space for the first part of the ClientHello
  662. * consisting of the 38 bytes described below, the session identifier (at
  663. * most 32 bytes) and its length (1 byte).
  664. *
  665. * Use static upper bounds instead of the actual values
  666. * to allow the compiler to optimize this away.
  667. */
  668. MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
  669. /*
  670. * The 38 first bytes of the ClientHello:
  671. * 0 . 0 handshake type (written later)
  672. * 1 . 3 handshake length (written later)
  673. * 4 . 5 highest version supported
  674. * 6 . 9 current UNIX time
  675. * 10 . 37 random bytes
  676. *
  677. * The current UNIX time (4 bytes) and following 28 random bytes are written
  678. * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
  679. * copied from there into the output buffer.
  680. */
  681. p = buf + 4;
  682. mbedtls_ssl_write_version( ssl->conf->max_major_ver,
  683. ssl->conf->max_minor_ver,
  684. ssl->conf->transport, p );
  685. p += 2;
  686. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
  687. buf[4], buf[5] ) );
  688. if( ( ret = ssl_generate_random( ssl ) ) != 0 )
  689. {
  690. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
  691. return( ret );
  692. }
  693. memcpy( p, ssl->handshake->randbytes, 32 );
  694. MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
  695. p += 32;
  696. /*
  697. * 38 . 38 session id length
  698. * 39 . 39+n session id
  699. * 39+n . 39+n DTLS only: cookie length (1 byte)
  700. * 40+n . .. DTLS only: cookie
  701. * .. . .. ciphersuitelist length (2 bytes)
  702. * .. . .. ciphersuitelist
  703. * .. . .. compression methods length (1 byte)
  704. * .. . .. compression methods
  705. * .. . .. extensions length (2 bytes)
  706. * .. . .. extensions
  707. */
  708. n = ssl->session_negotiate->id_len;
  709. if( n < 16 || n > 32 ||
  710. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  711. ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
  712. #endif
  713. ssl->handshake->resume == 0 )
  714. {
  715. n = 0;
  716. }
  717. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  718. /*
  719. * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
  720. * generate and include a Session ID in the TLS ClientHello."
  721. */
  722. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  723. if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
  724. #endif
  725. {
  726. if( ssl->session_negotiate->ticket != NULL &&
  727. ssl->session_negotiate->ticket_len != 0 )
  728. {
  729. ret = ssl->conf->f_rng( ssl->conf->p_rng,
  730. ssl->session_negotiate->id, 32 );
  731. if( ret != 0 )
  732. return( ret );
  733. ssl->session_negotiate->id_len = n = 32;
  734. }
  735. }
  736. #endif /* MBEDTLS_SSL_SESSION_TICKETS */
  737. /*
  738. * The first check of the output buffer size above (
  739. * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
  740. * has checked that there is enough space in the output buffer for the
  741. * session identifier length byte and the session identifier (n <= 32).
  742. */
  743. *p++ = (unsigned char) n;
  744. for( i = 0; i < n; i++ )
  745. *p++ = ssl->session_negotiate->id[i];
  746. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
  747. MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
  748. /*
  749. * With 'n' being the length of the session identifier
  750. *
  751. * 39+n . 39+n DTLS only: cookie length (1 byte)
  752. * 40+n . .. DTLS only: cookie
  753. * .. . .. ciphersuitelist length (2 bytes)
  754. * .. . .. ciphersuitelist
  755. * .. . .. compression methods length (1 byte)
  756. * .. . .. compression methods
  757. * .. . .. extensions length (2 bytes)
  758. * .. . .. extensions
  759. */
  760. /*
  761. * DTLS cookie
  762. */
  763. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  764. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  765. {
  766. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
  767. if( ssl->handshake->verify_cookie == NULL )
  768. {
  769. MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
  770. *p++ = 0;
  771. }
  772. else
  773. {
  774. MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
  775. ssl->handshake->verify_cookie,
  776. ssl->handshake->verify_cookie_len );
  777. *p++ = ssl->handshake->verify_cookie_len;
  778. MBEDTLS_SSL_CHK_BUF_PTR( p, end,
  779. ssl->handshake->verify_cookie_len );
  780. memcpy( p, ssl->handshake->verify_cookie,
  781. ssl->handshake->verify_cookie_len );
  782. p += ssl->handshake->verify_cookie_len;
  783. }
  784. }
  785. #endif
  786. /*
  787. * Ciphersuite list
  788. */
  789. ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
  790. /* Skip writing ciphersuite length for now */
  791. n = 0;
  792. q = p;
  793. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
  794. p += 2;
  795. for( i = 0; ciphersuites[i] != 0; i++ )
  796. {
  797. ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
  798. if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
  799. ssl->conf->min_minor_ver,
  800. ssl->conf->max_minor_ver ) != 0 )
  801. continue;
  802. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
  803. ciphersuites[i] ) );
  804. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
  805. defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  806. uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
  807. #endif
  808. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
  809. n++;
  810. *p++ = (unsigned char)( ciphersuites[i] >> 8 );
  811. *p++ = (unsigned char)( ciphersuites[i] );
  812. }
  813. MBEDTLS_SSL_DEBUG_MSG( 3,
  814. ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
  815. /*
  816. * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  817. */
  818. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  819. if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
  820. #endif
  821. {
  822. MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
  823. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
  824. *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
  825. *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
  826. n++;
  827. }
  828. /* Some versions of OpenSSL don't handle it correctly if not at end */
  829. #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
  830. if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
  831. {
  832. MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
  833. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
  834. *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
  835. *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
  836. n++;
  837. }
  838. #endif
  839. *q++ = (unsigned char)( n >> 7 );
  840. *q++ = (unsigned char)( n << 1 );
  841. #if defined(MBEDTLS_ZLIB_SUPPORT)
  842. offer_compress = 1;
  843. #else
  844. offer_compress = 0;
  845. #endif
  846. /*
  847. * We don't support compression with DTLS right now: if many records come
  848. * in the same datagram, uncompressing one could overwrite the next one.
  849. * We don't want to add complexity for handling that case unless there is
  850. * an actual need for it.
  851. */
  852. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  853. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  854. offer_compress = 0;
  855. #endif
  856. if( offer_compress )
  857. {
  858. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
  859. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
  860. MBEDTLS_SSL_COMPRESS_DEFLATE,
  861. MBEDTLS_SSL_COMPRESS_NULL ) );
  862. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
  863. *p++ = 2;
  864. *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
  865. *p++ = MBEDTLS_SSL_COMPRESS_NULL;
  866. }
  867. else
  868. {
  869. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
  870. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
  871. MBEDTLS_SSL_COMPRESS_NULL ) );
  872. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
  873. *p++ = 1;
  874. *p++ = MBEDTLS_SSL_COMPRESS_NULL;
  875. }
  876. /* First write extensions, then the total length */
  877. MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
  878. #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  879. if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
  880. end, &olen ) ) != 0 )
  881. {
  882. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
  883. return( ret );
  884. }
  885. ext_len += olen;
  886. #endif
  887. /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
  888. * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
  889. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  890. if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
  891. end, &olen ) ) != 0 )
  892. {
  893. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
  894. return( ret );
  895. }
  896. ext_len += olen;
  897. #endif
  898. #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
  899. defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
  900. if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
  901. end, &olen ) ) != 0 )
  902. {
  903. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
  904. return( ret );
  905. }
  906. ext_len += olen;
  907. #endif
  908. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
  909. defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  910. if( uses_ec )
  911. {
  912. if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
  913. end, &olen ) ) != 0 )
  914. {
  915. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
  916. return( ret );
  917. }
  918. ext_len += olen;
  919. if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
  920. end, &olen ) ) != 0 )
  921. {
  922. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
  923. return( ret );
  924. }
  925. ext_len += olen;
  926. }
  927. #endif
  928. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  929. if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
  930. end, &olen ) ) != 0 )
  931. {
  932. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
  933. return( ret );
  934. }
  935. ext_len += olen;
  936. #endif
  937. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  938. if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
  939. end, &olen ) ) != 0 )
  940. {
  941. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
  942. return( ret );
  943. }
  944. ext_len += olen;
  945. #endif
  946. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  947. if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
  948. end, &olen ) ) != 0 )
  949. {
  950. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
  951. return( ret );
  952. }
  953. ext_len += olen;
  954. #endif
  955. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  956. if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
  957. end, &olen ) ) != 0 )
  958. {
  959. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
  960. return( ret );
  961. }
  962. ext_len += olen;
  963. #endif
  964. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  965. if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
  966. end, &olen ) ) != 0 )
  967. {
  968. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
  969. return( ret );
  970. }
  971. ext_len += olen;
  972. #endif
  973. #if defined(MBEDTLS_SSL_ALPN)
  974. if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
  975. end, &olen ) ) != 0 )
  976. {
  977. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
  978. return( ret );
  979. }
  980. ext_len += olen;
  981. #endif
  982. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  983. if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
  984. end, &olen ) ) != 0 )
  985. {
  986. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
  987. return( ret );
  988. }
  989. ext_len += olen;
  990. #endif
  991. /* olen unused if all extensions are disabled */
  992. ((void) olen);
  993. MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
  994. ext_len ) );
  995. if( ext_len > 0 )
  996. {
  997. /* No need to check for space here, because the extension
  998. * writing functions already took care of that. */
  999. *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
  1000. *p++ = (unsigned char)( ( ext_len ) & 0xFF );
  1001. p += ext_len;
  1002. }
  1003. ssl->out_msglen = p - buf;
  1004. ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
  1005. ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
  1006. ssl->state++;
  1007. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  1008. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  1009. mbedtls_ssl_send_flight_completed( ssl );
  1010. #endif
  1011. if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
  1012. {
  1013. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
  1014. return( ret );
  1015. }
  1016. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  1017. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  1018. ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
  1019. {
  1020. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
  1021. return( ret );
  1022. }
  1023. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  1024. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
  1025. return( 0 );
  1026. }
  1027. static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
  1028. const unsigned char *buf,
  1029. size_t len )
  1030. {
  1031. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  1032. if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
  1033. {
  1034. /* Check verify-data in constant-time. The length OTOH is no secret */
  1035. if( len != 1 + ssl->verify_data_len * 2 ||
  1036. buf[0] != ssl->verify_data_len * 2 ||
  1037. mbedtls_ssl_safer_memcmp( buf + 1,
  1038. ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
  1039. mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
  1040. ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
  1041. {
  1042. MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
  1043. mbedtls_ssl_send_alert_message(
  1044. ssl,
  1045. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1046. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1047. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1048. }
  1049. }
  1050. else
  1051. #endif /* MBEDTLS_SSL_RENEGOTIATION */
  1052. {
  1053. if( len != 1 || buf[0] != 0x00 )
  1054. {
  1055. MBEDTLS_SSL_DEBUG_MSG( 1,
  1056. ( "non-zero length renegotiation info" ) );
  1057. mbedtls_ssl_send_alert_message(
  1058. ssl,
  1059. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1060. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1061. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1062. }
  1063. ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
  1064. }
  1065. return( 0 );
  1066. }
  1067. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  1068. static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
  1069. const unsigned char *buf,
  1070. size_t len )
  1071. {
  1072. /*
  1073. * server should use the extension only if we did,
  1074. * and if so the server's value should match ours (and len is always 1)
  1075. */
  1076. if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
  1077. len != 1 ||
  1078. buf[0] != ssl->conf->mfl_code )
  1079. {
  1080. MBEDTLS_SSL_DEBUG_MSG( 1,
  1081. ( "non-matching max fragment length extension" ) );
  1082. mbedtls_ssl_send_alert_message(
  1083. ssl,
  1084. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1085. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1086. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1087. }
  1088. return( 0 );
  1089. }
  1090. #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
  1091. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  1092. static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
  1093. const unsigned char *buf,
  1094. size_t len )
  1095. {
  1096. if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
  1097. len != 0 )
  1098. {
  1099. MBEDTLS_SSL_DEBUG_MSG( 1,
  1100. ( "non-matching truncated HMAC extension" ) );
  1101. mbedtls_ssl_send_alert_message(
  1102. ssl,
  1103. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1104. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1105. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1106. }
  1107. ((void) buf);
  1108. ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
  1109. return( 0 );
  1110. }
  1111. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  1112. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  1113. static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
  1114. const unsigned char *buf,
  1115. size_t len )
  1116. {
  1117. if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
  1118. ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
  1119. len != 0 )
  1120. {
  1121. MBEDTLS_SSL_DEBUG_MSG( 1,
  1122. ( "non-matching encrypt-then-MAC extension" ) );
  1123. mbedtls_ssl_send_alert_message(
  1124. ssl,
  1125. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1126. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1127. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1128. }
  1129. ((void) buf);
  1130. ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
  1131. return( 0 );
  1132. }
  1133. #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
  1134. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  1135. static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
  1136. const unsigned char *buf,
  1137. size_t len )
  1138. {
  1139. if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
  1140. ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
  1141. len != 0 )
  1142. {
  1143. MBEDTLS_SSL_DEBUG_MSG( 1,
  1144. ( "non-matching extended master secret extension" ) );
  1145. mbedtls_ssl_send_alert_message(
  1146. ssl,
  1147. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1148. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1149. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1150. }
  1151. ((void) buf);
  1152. ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
  1153. return( 0 );
  1154. }
  1155. #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
  1156. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  1157. static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
  1158. const unsigned char *buf,
  1159. size_t len )
  1160. {
  1161. if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
  1162. len != 0 )
  1163. {
  1164. MBEDTLS_SSL_DEBUG_MSG( 1,
  1165. ( "non-matching session ticket extension" ) );
  1166. mbedtls_ssl_send_alert_message(
  1167. ssl,
  1168. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1169. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1170. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1171. }
  1172. ((void) buf);
  1173. ssl->handshake->new_session_ticket = 1;
  1174. return( 0 );
  1175. }
  1176. #endif /* MBEDTLS_SSL_SESSION_TICKETS */
  1177. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
  1178. defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  1179. static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
  1180. const unsigned char *buf,
  1181. size_t len )
  1182. {
  1183. size_t list_size;
  1184. const unsigned char *p;
  1185. if( len == 0 || (size_t)( buf[0] + 1 ) != len )
  1186. {
  1187. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1188. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1189. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1190. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1191. }
  1192. list_size = buf[0];
  1193. p = buf + 1;
  1194. while( list_size > 0 )
  1195. {
  1196. if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
  1197. p[0] == MBEDTLS_ECP_PF_COMPRESSED )
  1198. {
  1199. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
  1200. ssl->handshake->ecdh_ctx.point_format = p[0];
  1201. #endif
  1202. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  1203. ssl->handshake->ecjpake_ctx.point_format = p[0];
  1204. #endif
  1205. MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
  1206. return( 0 );
  1207. }
  1208. list_size--;
  1209. p++;
  1210. }
  1211. MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
  1212. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1213. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1214. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1215. }
  1216. #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
  1217. MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  1218. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  1219. static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
  1220. const unsigned char *buf,
  1221. size_t len )
  1222. {
  1223. int ret;
  1224. if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
  1225. MBEDTLS_KEY_EXCHANGE_ECJPAKE )
  1226. {
  1227. MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
  1228. return( 0 );
  1229. }
  1230. /* If we got here, we no longer need our cached extension */
  1231. mbedtls_free( ssl->handshake->ecjpake_cache );
  1232. ssl->handshake->ecjpake_cache = NULL;
  1233. ssl->handshake->ecjpake_cache_len = 0;
  1234. if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
  1235. buf, len ) ) != 0 )
  1236. {
  1237. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
  1238. mbedtls_ssl_send_alert_message(
  1239. ssl,
  1240. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1241. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1242. return( ret );
  1243. }
  1244. return( 0 );
  1245. }
  1246. #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  1247. #if defined(MBEDTLS_SSL_ALPN)
  1248. static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
  1249. const unsigned char *buf, size_t len )
  1250. {
  1251. size_t list_len, name_len;
  1252. const char **p;
  1253. /* If we didn't send it, the server shouldn't send it */
  1254. if( ssl->conf->alpn_list == NULL )
  1255. {
  1256. MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
  1257. mbedtls_ssl_send_alert_message(
  1258. ssl,
  1259. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1260. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1261. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1262. }
  1263. /*
  1264. * opaque ProtocolName<1..2^8-1>;
  1265. *
  1266. * struct {
  1267. * ProtocolName protocol_name_list<2..2^16-1>
  1268. * } ProtocolNameList;
  1269. *
  1270. * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
  1271. */
  1272. /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
  1273. if( len < 4 )
  1274. {
  1275. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1276. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1277. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1278. }
  1279. list_len = ( buf[0] << 8 ) | buf[1];
  1280. if( list_len != len - 2 )
  1281. {
  1282. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1283. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1284. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1285. }
  1286. name_len = buf[2];
  1287. if( name_len != list_len - 1 )
  1288. {
  1289. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1290. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1291. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1292. }
  1293. /* Check that the server chosen protocol was in our list and save it */
  1294. for( p = ssl->conf->alpn_list; *p != NULL; p++ )
  1295. {
  1296. if( name_len == strlen( *p ) &&
  1297. memcmp( buf + 3, *p, name_len ) == 0 )
  1298. {
  1299. ssl->alpn_chosen = *p;
  1300. return( 0 );
  1301. }
  1302. }
  1303. MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
  1304. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1305. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1306. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1307. }
  1308. #endif /* MBEDTLS_SSL_ALPN */
  1309. /*
  1310. * Parse HelloVerifyRequest. Only called after verifying the HS type.
  1311. */
  1312. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  1313. static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
  1314. {
  1315. const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
  1316. int major_ver, minor_ver;
  1317. unsigned char cookie_len;
  1318. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
  1319. /* Check that there is enough room for:
  1320. * - 2 bytes of version
  1321. * - 1 byte of cookie_len
  1322. */
  1323. if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
  1324. {
  1325. MBEDTLS_SSL_DEBUG_MSG( 1,
  1326. ( "incoming HelloVerifyRequest message is too short" ) );
  1327. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1328. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1329. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1330. }
  1331. /*
  1332. * struct {
  1333. * ProtocolVersion server_version;
  1334. * opaque cookie<0..2^8-1>;
  1335. * } HelloVerifyRequest;
  1336. */
  1337. MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
  1338. mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
  1339. p += 2;
  1340. /*
  1341. * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
  1342. * even is lower than our min version.
  1343. */
  1344. if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
  1345. minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
  1346. major_ver > ssl->conf->max_major_ver ||
  1347. minor_ver > ssl->conf->max_minor_ver )
  1348. {
  1349. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
  1350. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1351. MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
  1352. return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
  1353. }
  1354. cookie_len = *p++;
  1355. if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
  1356. {
  1357. MBEDTLS_SSL_DEBUG_MSG( 1,
  1358. ( "cookie length does not match incoming message size" ) );
  1359. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1360. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1361. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1362. }
  1363. MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
  1364. mbedtls_free( ssl->handshake->verify_cookie );
  1365. ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
  1366. if( ssl->handshake->verify_cookie == NULL )
  1367. {
  1368. MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
  1369. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  1370. }
  1371. memcpy( ssl->handshake->verify_cookie, p, cookie_len );
  1372. ssl->handshake->verify_cookie_len = cookie_len;
  1373. /* Start over at ClientHello */
  1374. ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
  1375. mbedtls_ssl_reset_checksum( ssl );
  1376. mbedtls_ssl_recv_flight_completed( ssl );
  1377. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
  1378. return( 0 );
  1379. }
  1380. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  1381. static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
  1382. {
  1383. int ret, i;
  1384. size_t n;
  1385. size_t ext_len;
  1386. unsigned char *buf, *ext;
  1387. unsigned char comp;
  1388. #if defined(MBEDTLS_ZLIB_SUPPORT)
  1389. int accept_comp;
  1390. #endif
  1391. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  1392. int renegotiation_info_seen = 0;
  1393. #endif
  1394. int handshake_failure = 0;
  1395. const mbedtls_ssl_ciphersuite_t *suite_info;
  1396. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
  1397. buf = ssl->in_msg;
  1398. if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
  1399. {
  1400. /* No alert on a read error. */
  1401. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
  1402. return( ret );
  1403. }
  1404. if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
  1405. {
  1406. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  1407. if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
  1408. {
  1409. ssl->renego_records_seen++;
  1410. if( ssl->conf->renego_max_records >= 0 &&
  1411. ssl->renego_records_seen > ssl->conf->renego_max_records )
  1412. {
  1413. MBEDTLS_SSL_DEBUG_MSG( 1,
  1414. ( "renegotiation requested, but not honored by server" ) );
  1415. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  1416. }
  1417. MBEDTLS_SSL_DEBUG_MSG( 1,
  1418. ( "non-handshake message during renegotiation" ) );
  1419. ssl->keep_current_message = 1;
  1420. return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
  1421. }
  1422. #endif /* MBEDTLS_SSL_RENEGOTIATION */
  1423. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1424. mbedtls_ssl_send_alert_message(
  1425. ssl,
  1426. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1427. MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
  1428. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  1429. }
  1430. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  1431. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  1432. {
  1433. if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
  1434. {
  1435. MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
  1436. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
  1437. return( ssl_parse_hello_verify_request( ssl ) );
  1438. }
  1439. else
  1440. {
  1441. /* We made it through the verification process */
  1442. mbedtls_free( ssl->handshake->verify_cookie );
  1443. ssl->handshake->verify_cookie = NULL;
  1444. ssl->handshake->verify_cookie_len = 0;
  1445. }
  1446. }
  1447. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  1448. if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
  1449. buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
  1450. {
  1451. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1452. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1453. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1454. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1455. }
  1456. /*
  1457. * 0 . 1 server_version
  1458. * 2 . 33 random (maybe including 4 bytes of Unix time)
  1459. * 34 . 34 session_id length = n
  1460. * 35 . 34+n session_id
  1461. * 35+n . 36+n cipher_suite
  1462. * 37+n . 37+n compression_method
  1463. *
  1464. * 38+n . 39+n extensions length (optional)
  1465. * 40+n . .. extensions
  1466. */
  1467. buf += mbedtls_ssl_hs_hdr_len( ssl );
  1468. MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
  1469. mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
  1470. ssl->conf->transport, buf + 0 );
  1471. if( ssl->major_ver < ssl->conf->min_major_ver ||
  1472. ssl->minor_ver < ssl->conf->min_minor_ver ||
  1473. ssl->major_ver > ssl->conf->max_major_ver ||
  1474. ssl->minor_ver > ssl->conf->max_minor_ver )
  1475. {
  1476. MBEDTLS_SSL_DEBUG_MSG( 1,
  1477. ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
  1478. ssl->conf->min_major_ver,
  1479. ssl->conf->min_minor_ver,
  1480. ssl->major_ver, ssl->minor_ver,
  1481. ssl->conf->max_major_ver,
  1482. ssl->conf->max_minor_ver ) );
  1483. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1484. MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
  1485. return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
  1486. }
  1487. MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
  1488. ( (uint32_t) buf[2] << 24 ) |
  1489. ( (uint32_t) buf[3] << 16 ) |
  1490. ( (uint32_t) buf[4] << 8 ) |
  1491. ( (uint32_t) buf[5] ) ) );
  1492. memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
  1493. n = buf[34];
  1494. MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
  1495. if( n > 32 )
  1496. {
  1497. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1498. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1499. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1500. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1501. }
  1502. if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
  1503. {
  1504. ext_len = ( ( buf[38 + n] << 8 )
  1505. | ( buf[39 + n] ) );
  1506. if( ( ext_len > 0 && ext_len < 4 ) ||
  1507. ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
  1508. {
  1509. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1510. mbedtls_ssl_send_alert_message(
  1511. ssl,
  1512. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1513. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1514. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1515. }
  1516. }
  1517. else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
  1518. {
  1519. ext_len = 0;
  1520. }
  1521. else
  1522. {
  1523. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1524. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1525. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1526. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1527. }
  1528. /* ciphersuite (used later) */
  1529. i = ( buf[35 + n] << 8 ) | buf[36 + n];
  1530. /*
  1531. * Read and check compression
  1532. */
  1533. comp = buf[37 + n];
  1534. #if defined(MBEDTLS_ZLIB_SUPPORT)
  1535. /* See comments in ssl_write_client_hello() */
  1536. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  1537. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  1538. accept_comp = 0;
  1539. else
  1540. #endif
  1541. accept_comp = 1;
  1542. if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
  1543. ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
  1544. #else /* MBEDTLS_ZLIB_SUPPORT */
  1545. if( comp != MBEDTLS_SSL_COMPRESS_NULL )
  1546. #endif/* MBEDTLS_ZLIB_SUPPORT */
  1547. {
  1548. MBEDTLS_SSL_DEBUG_MSG( 1,
  1549. ( "server hello, bad compression: %d", comp ) );
  1550. mbedtls_ssl_send_alert_message(
  1551. ssl,
  1552. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1553. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  1554. return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
  1555. }
  1556. /*
  1557. * Initialize update checksum functions
  1558. */
  1559. ssl->transform_negotiate->ciphersuite_info =
  1560. mbedtls_ssl_ciphersuite_from_id( i );
  1561. if( ssl->transform_negotiate->ciphersuite_info == NULL )
  1562. {
  1563. MBEDTLS_SSL_DEBUG_MSG( 1,
  1564. ( "ciphersuite info for %04x not found", i ) );
  1565. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1566. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  1567. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  1568. }
  1569. mbedtls_ssl_optimize_checksum( ssl,
  1570. ssl->transform_negotiate->ciphersuite_info );
  1571. MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
  1572. MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
  1573. /*
  1574. * Check if the session can be resumed
  1575. */
  1576. if( ssl->handshake->resume == 0 || n == 0 ||
  1577. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  1578. ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
  1579. #endif
  1580. ssl->session_negotiate->ciphersuite != i ||
  1581. ssl->session_negotiate->compression != comp ||
  1582. ssl->session_negotiate->id_len != n ||
  1583. memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
  1584. {
  1585. ssl->state++;
  1586. ssl->handshake->resume = 0;
  1587. #if defined(MBEDTLS_HAVE_TIME)
  1588. ssl->session_negotiate->start = mbedtls_time( NULL );
  1589. #endif
  1590. ssl->session_negotiate->ciphersuite = i;
  1591. ssl->session_negotiate->compression = comp;
  1592. ssl->session_negotiate->id_len = n;
  1593. memcpy( ssl->session_negotiate->id, buf + 35, n );
  1594. }
  1595. else
  1596. {
  1597. ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
  1598. if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
  1599. {
  1600. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
  1601. mbedtls_ssl_send_alert_message(
  1602. ssl,
  1603. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1604. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  1605. return( ret );
  1606. }
  1607. }
  1608. MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
  1609. ssl->handshake->resume ? "a" : "no" ) );
  1610. MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
  1611. MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
  1612. buf[37 + n] ) );
  1613. /*
  1614. * Perform cipher suite validation in same way as in ssl_write_client_hello.
  1615. */
  1616. i = 0;
  1617. while( 1 )
  1618. {
  1619. if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
  1620. {
  1621. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1622. mbedtls_ssl_send_alert_message(
  1623. ssl,
  1624. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1625. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  1626. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1627. }
  1628. if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
  1629. ssl->session_negotiate->ciphersuite )
  1630. {
  1631. break;
  1632. }
  1633. }
  1634. suite_info = mbedtls_ssl_ciphersuite_from_id(
  1635. ssl->session_negotiate->ciphersuite );
  1636. if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
  1637. ssl->minor_ver ) != 0 )
  1638. {
  1639. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1640. mbedtls_ssl_send_alert_message(
  1641. ssl,
  1642. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1643. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  1644. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1645. }
  1646. MBEDTLS_SSL_DEBUG_MSG( 3,
  1647. ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
  1648. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  1649. if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
  1650. ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  1651. {
  1652. ssl->handshake->ecrs_enabled = 1;
  1653. }
  1654. #endif
  1655. if( comp != MBEDTLS_SSL_COMPRESS_NULL
  1656. #if defined(MBEDTLS_ZLIB_SUPPORT)
  1657. && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
  1658. #endif
  1659. )
  1660. {
  1661. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1662. mbedtls_ssl_send_alert_message(
  1663. ssl,
  1664. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1665. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  1666. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1667. }
  1668. ssl->session_negotiate->compression = comp;
  1669. ext = buf + 40 + n;
  1670. MBEDTLS_SSL_DEBUG_MSG( 2,
  1671. ( "server hello, total extension length: %d", ext_len ) );
  1672. while( ext_len )
  1673. {
  1674. unsigned int ext_id = ( ( ext[0] << 8 )
  1675. | ( ext[1] ) );
  1676. unsigned int ext_size = ( ( ext[2] << 8 )
  1677. | ( ext[3] ) );
  1678. if( ext_size + 4 > ext_len )
  1679. {
  1680. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1681. mbedtls_ssl_send_alert_message(
  1682. ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1683. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  1684. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1685. }
  1686. switch( ext_id )
  1687. {
  1688. case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
  1689. MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
  1690. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  1691. renegotiation_info_seen = 1;
  1692. #endif
  1693. if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
  1694. ext_size ) ) != 0 )
  1695. return( ret );
  1696. break;
  1697. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  1698. case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
  1699. MBEDTLS_SSL_DEBUG_MSG( 3,
  1700. ( "found max_fragment_length extension" ) );
  1701. if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
  1702. ext + 4, ext_size ) ) != 0 )
  1703. {
  1704. return( ret );
  1705. }
  1706. break;
  1707. #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
  1708. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  1709. case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
  1710. MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
  1711. if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
  1712. ext + 4, ext_size ) ) != 0 )
  1713. {
  1714. return( ret );
  1715. }
  1716. break;
  1717. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  1718. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  1719. case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
  1720. MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
  1721. if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
  1722. ext + 4, ext_size ) ) != 0 )
  1723. {
  1724. return( ret );
  1725. }
  1726. break;
  1727. #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
  1728. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  1729. case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
  1730. MBEDTLS_SSL_DEBUG_MSG( 3,
  1731. ( "found extended_master_secret extension" ) );
  1732. if( ( ret = ssl_parse_extended_ms_ext( ssl,
  1733. ext + 4, ext_size ) ) != 0 )
  1734. {
  1735. return( ret );
  1736. }
  1737. break;
  1738. #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
  1739. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  1740. case MBEDTLS_TLS_EXT_SESSION_TICKET:
  1741. MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
  1742. if( ( ret = ssl_parse_session_ticket_ext( ssl,
  1743. ext + 4, ext_size ) ) != 0 )
  1744. {
  1745. return( ret );
  1746. }
  1747. break;
  1748. #endif /* MBEDTLS_SSL_SESSION_TICKETS */
  1749. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
  1750. defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  1751. case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
  1752. MBEDTLS_SSL_DEBUG_MSG( 3,
  1753. ( "found supported_point_formats extension" ) );
  1754. if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
  1755. ext + 4, ext_size ) ) != 0 )
  1756. {
  1757. return( ret );
  1758. }
  1759. break;
  1760. #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
  1761. MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  1762. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  1763. case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
  1764. MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
  1765. if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
  1766. ext + 4, ext_size ) ) != 0 )
  1767. {
  1768. return( ret );
  1769. }
  1770. break;
  1771. #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  1772. #if defined(MBEDTLS_SSL_ALPN)
  1773. case MBEDTLS_TLS_EXT_ALPN:
  1774. MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
  1775. if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
  1776. return( ret );
  1777. break;
  1778. #endif /* MBEDTLS_SSL_ALPN */
  1779. default:
  1780. MBEDTLS_SSL_DEBUG_MSG( 3,
  1781. ( "unknown extension found: %d (ignoring)", ext_id ) );
  1782. }
  1783. ext_len -= 4 + ext_size;
  1784. ext += 4 + ext_size;
  1785. if( ext_len > 0 && ext_len < 4 )
  1786. {
  1787. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
  1788. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1789. }
  1790. }
  1791. /*
  1792. * Renegotiation security checks
  1793. */
  1794. if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
  1795. ssl->conf->allow_legacy_renegotiation ==
  1796. MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
  1797. {
  1798. MBEDTLS_SSL_DEBUG_MSG( 1,
  1799. ( "legacy renegotiation, breaking off handshake" ) );
  1800. handshake_failure = 1;
  1801. }
  1802. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  1803. else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
  1804. ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
  1805. renegotiation_info_seen == 0 )
  1806. {
  1807. MBEDTLS_SSL_DEBUG_MSG( 1,
  1808. ( "renegotiation_info extension missing (secure)" ) );
  1809. handshake_failure = 1;
  1810. }
  1811. else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
  1812. ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
  1813. ssl->conf->allow_legacy_renegotiation ==
  1814. MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
  1815. {
  1816. MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
  1817. handshake_failure = 1;
  1818. }
  1819. else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
  1820. ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
  1821. renegotiation_info_seen == 1 )
  1822. {
  1823. MBEDTLS_SSL_DEBUG_MSG( 1,
  1824. ( "renegotiation_info extension present (legacy)" ) );
  1825. handshake_failure = 1;
  1826. }
  1827. #endif /* MBEDTLS_SSL_RENEGOTIATION */
  1828. if( handshake_failure == 1 )
  1829. {
  1830. mbedtls_ssl_send_alert_message(
  1831. ssl,
  1832. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  1833. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  1834. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
  1835. }
  1836. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
  1837. return( 0 );
  1838. }
  1839. #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
  1840. defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
  1841. static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
  1842. unsigned char **p,
  1843. unsigned char *end )
  1844. {
  1845. int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
  1846. size_t dhm_actual_bitlen;
  1847. /*
  1848. * Ephemeral DH parameters:
  1849. *
  1850. * struct {
  1851. * opaque dh_p<1..2^16-1>;
  1852. * opaque dh_g<1..2^16-1>;
  1853. * opaque dh_Ys<1..2^16-1>;
  1854. * } ServerDHParams;
  1855. */
  1856. if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
  1857. p, end ) ) != 0 )
  1858. {
  1859. MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
  1860. return( ret );
  1861. }
  1862. dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
  1863. if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
  1864. {
  1865. MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u",
  1866. (unsigned) dhm_actual_bitlen,
  1867. ssl->conf->dhm_min_bitlen ) );
  1868. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  1869. }
  1870. MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
  1871. MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
  1872. MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
  1873. return( ret );
  1874. }
  1875. #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
  1876. MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
  1877. #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
  1878. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
  1879. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
  1880. defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
  1881. defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
  1882. static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
  1883. {
  1884. const mbedtls_ecp_curve_info *curve_info;
  1885. mbedtls_ecp_group_id grp_id;
  1886. #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
  1887. grp_id = ssl->handshake->ecdh_ctx.grp.id;
  1888. #else
  1889. grp_id = ssl->handshake->ecdh_ctx.grp_id;
  1890. #endif
  1891. curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
  1892. if( curve_info == NULL )
  1893. {
  1894. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1895. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  1896. }
  1897. MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
  1898. #if defined(MBEDTLS_ECP_C)
  1899. if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
  1900. #else
  1901. if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
  1902. ssl->handshake->ecdh_ctx.grp.nbits > 521 )
  1903. #endif
  1904. return( -1 );
  1905. MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
  1906. MBEDTLS_DEBUG_ECDH_QP );
  1907. return( 0 );
  1908. }
  1909. #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
  1910. MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
  1911. MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
  1912. MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
  1913. MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
  1914. #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
  1915. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
  1916. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
  1917. static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
  1918. unsigned char **p,
  1919. unsigned char *end )
  1920. {
  1921. int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
  1922. /*
  1923. * Ephemeral ECDH parameters:
  1924. *
  1925. * struct {
  1926. * ECParameters curve_params;
  1927. * ECPoint public;
  1928. * } ServerECDHParams;
  1929. */
  1930. if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
  1931. (const unsigned char **) p, end ) ) != 0 )
  1932. {
  1933. MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
  1934. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  1935. if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
  1936. ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
  1937. #endif
  1938. return( ret );
  1939. }
  1940. if( ssl_check_server_ecdh_params( ssl ) != 0 )
  1941. {
  1942. MBEDTLS_SSL_DEBUG_MSG( 1,
  1943. ( "bad server key exchange message (ECDHE curve)" ) );
  1944. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  1945. }
  1946. return( ret );
  1947. }
  1948. #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
  1949. MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
  1950. MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
  1951. #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
  1952. static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
  1953. unsigned char **p,
  1954. unsigned char *end )
  1955. {
  1956. int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
  1957. size_t len;
  1958. ((void) ssl);
  1959. /*
  1960. * PSK parameters:
  1961. *
  1962. * opaque psk_identity_hint<0..2^16-1>;
  1963. */
  1964. if( end - (*p) < 2 )
  1965. {
  1966. MBEDTLS_SSL_DEBUG_MSG( 1,
  1967. ( "bad server key exchange message (psk_identity_hint length)" ) );
  1968. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  1969. }
  1970. len = (*p)[0] << 8 | (*p)[1];
  1971. *p += 2;
  1972. if( end - (*p) < (int) len )
  1973. {
  1974. MBEDTLS_SSL_DEBUG_MSG( 1,
  1975. ( "bad server key exchange message (psk_identity_hint length)" ) );
  1976. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  1977. }
  1978. /*
  1979. * Note: we currently ignore the PKS identity hint, as we only allow one
  1980. * PSK to be provisionned on the client. This could be changed later if
  1981. * someone needs that feature.
  1982. */
  1983. *p += len;
  1984. ret = 0;
  1985. return( ret );
  1986. }
  1987. #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
  1988. #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
  1989. defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
  1990. /*
  1991. * Generate a pre-master secret and encrypt it with the server's RSA key
  1992. */
  1993. static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
  1994. size_t offset, size_t *olen,
  1995. size_t pms_offset )
  1996. {
  1997. int ret;
  1998. size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
  1999. unsigned char *p = ssl->handshake->premaster + pms_offset;
  2000. if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
  2001. {
  2002. MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
  2003. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  2004. }
  2005. /*
  2006. * Generate (part of) the pre-master as
  2007. * struct {
  2008. * ProtocolVersion client_version;
  2009. * opaque random[46];
  2010. * } PreMasterSecret;
  2011. */
  2012. mbedtls_ssl_write_version( ssl->conf->max_major_ver,
  2013. ssl->conf->max_minor_ver,
  2014. ssl->conf->transport, p );
  2015. if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
  2016. {
  2017. MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
  2018. return( ret );
  2019. }
  2020. ssl->handshake->pmslen = 48;
  2021. if( ssl->session_negotiate->peer_cert == NULL )
  2022. {
  2023. MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
  2024. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2025. }
  2026. /*
  2027. * Now write it out, encrypted
  2028. */
  2029. if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
  2030. MBEDTLS_PK_RSA ) )
  2031. {
  2032. MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
  2033. return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
  2034. }
  2035. if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
  2036. p, ssl->handshake->pmslen,
  2037. ssl->out_msg + offset + len_bytes, olen,
  2038. MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
  2039. ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
  2040. {
  2041. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
  2042. return( ret );
  2043. }
  2044. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
  2045. defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2046. if( len_bytes == 2 )
  2047. {
  2048. ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
  2049. ssl->out_msg[offset+1] = (unsigned char)( *olen );
  2050. *olen += 2;
  2051. }
  2052. #endif
  2053. return( 0 );
  2054. }
  2055. #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
  2056. MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
  2057. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2058. #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
  2059. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
  2060. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
  2061. static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
  2062. unsigned char **p,
  2063. unsigned char *end,
  2064. mbedtls_md_type_t *md_alg,
  2065. mbedtls_pk_type_t *pk_alg )
  2066. {
  2067. ((void) ssl);
  2068. *md_alg = MBEDTLS_MD_NONE;
  2069. *pk_alg = MBEDTLS_PK_NONE;
  2070. /* Only in TLS 1.2 */
  2071. if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
  2072. {
  2073. return( 0 );
  2074. }
  2075. if( (*p) + 2 > end )
  2076. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2077. /*
  2078. * Get hash algorithm
  2079. */
  2080. if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
  2081. == MBEDTLS_MD_NONE )
  2082. {
  2083. MBEDTLS_SSL_DEBUG_MSG( 1,
  2084. ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
  2085. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2086. }
  2087. /*
  2088. * Get signature algorithm
  2089. */
  2090. if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
  2091. == MBEDTLS_PK_NONE )
  2092. {
  2093. MBEDTLS_SSL_DEBUG_MSG( 1,
  2094. ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
  2095. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2096. }
  2097. /*
  2098. * Check if the hash is acceptable
  2099. */
  2100. if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
  2101. {
  2102. MBEDTLS_SSL_DEBUG_MSG( 1,
  2103. ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
  2104. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2105. }
  2106. MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
  2107. (*p)[1] ) );
  2108. MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
  2109. (*p)[0] ) );
  2110. *p += 2;
  2111. return( 0 );
  2112. }
  2113. #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
  2114. MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
  2115. MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
  2116. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2117. #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
  2118. defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
  2119. static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
  2120. {
  2121. int ret;
  2122. const mbedtls_ecp_keypair *peer_key;
  2123. if( ssl->session_negotiate->peer_cert == NULL )
  2124. {
  2125. MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
  2126. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2127. }
  2128. if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
  2129. MBEDTLS_PK_ECKEY ) )
  2130. {
  2131. MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
  2132. return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
  2133. }
  2134. peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
  2135. if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
  2136. MBEDTLS_ECDH_THEIRS ) ) != 0 )
  2137. {
  2138. MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
  2139. return( ret );
  2140. }
  2141. if( ssl_check_server_ecdh_params( ssl ) != 0 )
  2142. {
  2143. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
  2144. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
  2145. }
  2146. return( ret );
  2147. }
  2148. #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
  2149. MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
  2150. static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
  2151. {
  2152. int ret;
  2153. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2154. ssl->transform_negotiate->ciphersuite_info;
  2155. unsigned char *p = NULL, *end = NULL;
  2156. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
  2157. #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
  2158. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
  2159. {
  2160. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
  2161. ssl->state++;
  2162. return( 0 );
  2163. }
  2164. ((void) p);
  2165. ((void) end);
  2166. #endif
  2167. #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
  2168. defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
  2169. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
  2170. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
  2171. {
  2172. if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
  2173. {
  2174. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
  2175. mbedtls_ssl_send_alert_message(
  2176. ssl,
  2177. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2178. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  2179. return( ret );
  2180. }
  2181. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
  2182. ssl->state++;
  2183. return( 0 );
  2184. }
  2185. ((void) p);
  2186. ((void) end);
  2187. #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
  2188. MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
  2189. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2190. if( ssl->handshake->ecrs_enabled &&
  2191. ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
  2192. {
  2193. goto start_processing;
  2194. }
  2195. #endif
  2196. if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
  2197. {
  2198. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
  2199. return( ret );
  2200. }
  2201. if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
  2202. {
  2203. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
  2204. mbedtls_ssl_send_alert_message(
  2205. ssl,
  2206. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2207. MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
  2208. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2209. }
  2210. /*
  2211. * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
  2212. * doesn't use a psk_identity_hint
  2213. */
  2214. if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
  2215. {
  2216. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
  2217. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
  2218. {
  2219. /* Current message is probably either
  2220. * CertificateRequest or ServerHelloDone */
  2221. ssl->keep_current_message = 1;
  2222. goto exit;
  2223. }
  2224. MBEDTLS_SSL_DEBUG_MSG( 1,
  2225. ( "server key exchange message must not be skipped" ) );
  2226. mbedtls_ssl_send_alert_message(
  2227. ssl,
  2228. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2229. MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
  2230. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2231. }
  2232. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2233. if( ssl->handshake->ecrs_enabled )
  2234. ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
  2235. start_processing:
  2236. #endif
  2237. p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
  2238. end = ssl->in_msg + ssl->in_hslen;
  2239. MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
  2240. #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
  2241. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
  2242. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
  2243. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
  2244. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
  2245. {
  2246. if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
  2247. {
  2248. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
  2249. mbedtls_ssl_send_alert_message(
  2250. ssl,
  2251. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2252. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  2253. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2254. }
  2255. } /* FALLTROUGH */
  2256. #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
  2257. #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
  2258. defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
  2259. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
  2260. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
  2261. ; /* nothing more to do */
  2262. else
  2263. #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
  2264. MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
  2265. #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
  2266. defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
  2267. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
  2268. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
  2269. {
  2270. if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
  2271. {
  2272. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
  2273. mbedtls_ssl_send_alert_message(
  2274. ssl,
  2275. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2276. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  2277. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2278. }
  2279. }
  2280. else
  2281. #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
  2282. MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
  2283. #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
  2284. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
  2285. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
  2286. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
  2287. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
  2288. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
  2289. {
  2290. if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
  2291. {
  2292. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
  2293. mbedtls_ssl_send_alert_message(
  2294. ssl,
  2295. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2296. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  2297. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2298. }
  2299. }
  2300. else
  2301. #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
  2302. MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
  2303. MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
  2304. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  2305. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
  2306. {
  2307. ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
  2308. p, end - p );
  2309. if( ret != 0 )
  2310. {
  2311. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
  2312. mbedtls_ssl_send_alert_message(
  2313. ssl,
  2314. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2315. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  2316. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2317. }
  2318. }
  2319. else
  2320. #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  2321. {
  2322. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2323. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2324. }
  2325. #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
  2326. if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
  2327. {
  2328. size_t sig_len, hashlen;
  2329. unsigned char hash[64];
  2330. mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
  2331. mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
  2332. unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
  2333. size_t params_len = p - params;
  2334. void *rs_ctx = NULL;
  2335. /*
  2336. * Handle the digitally-signed structure
  2337. */
  2338. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2339. if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  2340. {
  2341. if( ssl_parse_signature_algorithm( ssl, &p, end,
  2342. &md_alg, &pk_alg ) != 0 )
  2343. {
  2344. MBEDTLS_SSL_DEBUG_MSG( 1,
  2345. ( "bad server key exchange message" ) );
  2346. mbedtls_ssl_send_alert_message(
  2347. ssl,
  2348. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2349. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  2350. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2351. }
  2352. if( pk_alg !=
  2353. mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
  2354. {
  2355. MBEDTLS_SSL_DEBUG_MSG( 1,
  2356. ( "bad server key exchange message" ) );
  2357. mbedtls_ssl_send_alert_message(
  2358. ssl,
  2359. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2360. MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
  2361. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2362. }
  2363. }
  2364. else
  2365. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2366. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  2367. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  2368. if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
  2369. {
  2370. pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
  2371. /* Default hash for ECDSA is SHA-1 */
  2372. if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
  2373. md_alg = MBEDTLS_MD_SHA1;
  2374. }
  2375. else
  2376. #endif
  2377. {
  2378. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2379. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2380. }
  2381. /*
  2382. * Read signature
  2383. */
  2384. if( p > end - 2 )
  2385. {
  2386. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
  2387. mbedtls_ssl_send_alert_message(
  2388. ssl,
  2389. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2390. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2391. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2392. }
  2393. sig_len = ( p[0] << 8 ) | p[1];
  2394. p += 2;
  2395. if( p != end - sig_len )
  2396. {
  2397. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
  2398. mbedtls_ssl_send_alert_message(
  2399. ssl,
  2400. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2401. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2402. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
  2403. }
  2404. MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
  2405. /*
  2406. * Compute the hash that has been signed
  2407. */
  2408. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  2409. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  2410. if( md_alg == MBEDTLS_MD_NONE )
  2411. {
  2412. hashlen = 36;
  2413. ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
  2414. params_len );
  2415. if( ret != 0 )
  2416. return( ret );
  2417. }
  2418. else
  2419. #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
  2420. MBEDTLS_SSL_PROTO_TLS1_1 */
  2421. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
  2422. defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2423. if( md_alg != MBEDTLS_MD_NONE )
  2424. {
  2425. ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
  2426. params, params_len,
  2427. md_alg );
  2428. if( ret != 0 )
  2429. return( ret );
  2430. }
  2431. else
  2432. #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
  2433. MBEDTLS_SSL_PROTO_TLS1_2 */
  2434. {
  2435. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2436. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2437. }
  2438. MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
  2439. if( ssl->session_negotiate->peer_cert == NULL )
  2440. {
  2441. MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
  2442. mbedtls_ssl_send_alert_message(
  2443. ssl,
  2444. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2445. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  2446. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2447. }
  2448. /*
  2449. * Verify signature
  2450. */
  2451. if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
  2452. pk_alg ) )
  2453. {
  2454. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
  2455. mbedtls_ssl_send_alert_message(
  2456. ssl,
  2457. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2458. MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
  2459. return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
  2460. }
  2461. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2462. if( ssl->handshake->ecrs_enabled )
  2463. rs_ctx = &ssl->handshake->ecrs_ctx.pk;
  2464. #endif
  2465. if( ( ret = mbedtls_pk_verify_restartable(
  2466. &ssl->session_negotiate->peer_cert->pk,
  2467. md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
  2468. {
  2469. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2470. if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
  2471. #endif
  2472. mbedtls_ssl_send_alert_message(
  2473. ssl,
  2474. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2475. MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
  2476. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
  2477. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2478. if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
  2479. ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
  2480. #endif
  2481. return( ret );
  2482. }
  2483. }
  2484. #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
  2485. exit:
  2486. ssl->state++;
  2487. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
  2488. return( 0 );
  2489. }
  2490. #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
  2491. static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
  2492. {
  2493. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2494. ssl->transform_negotiate->ciphersuite_info;
  2495. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
  2496. if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
  2497. {
  2498. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
  2499. ssl->state++;
  2500. return( 0 );
  2501. }
  2502. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2503. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2504. }
  2505. #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
  2506. static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
  2507. {
  2508. int ret;
  2509. unsigned char *buf;
  2510. size_t n = 0;
  2511. size_t cert_type_len = 0, dn_len = 0;
  2512. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2513. ssl->transform_negotiate->ciphersuite_info;
  2514. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
  2515. if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
  2516. {
  2517. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
  2518. ssl->state++;
  2519. return( 0 );
  2520. }
  2521. if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
  2522. {
  2523. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
  2524. return( ret );
  2525. }
  2526. if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
  2527. {
  2528. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
  2529. mbedtls_ssl_send_alert_message(
  2530. ssl,
  2531. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2532. MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
  2533. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2534. }
  2535. ssl->state++;
  2536. ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
  2537. MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
  2538. ssl->client_auth ? "a" : "no" ) );
  2539. if( ssl->client_auth == 0 )
  2540. {
  2541. /* Current message is probably the ServerHelloDone */
  2542. ssl->keep_current_message = 1;
  2543. goto exit;
  2544. }
  2545. /*
  2546. * struct {
  2547. * ClientCertificateType certificate_types<1..2^8-1>;
  2548. * SignatureAndHashAlgorithm
  2549. * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
  2550. * DistinguishedName certificate_authorities<0..2^16-1>;
  2551. * } CertificateRequest;
  2552. *
  2553. * Since we only support a single certificate on clients, let's just
  2554. * ignore all the information that's supposed to help us pick a
  2555. * certificate.
  2556. *
  2557. * We could check that our certificate matches the request, and bail out
  2558. * if it doesn't, but it's simpler to just send the certificate anyway,
  2559. * and give the server the opportunity to decide if it should terminate
  2560. * the connection when it doesn't like our certificate.
  2561. *
  2562. * Same goes for the hash in TLS 1.2's signature_algorithms: at this
  2563. * point we only have one hash available (see comments in
  2564. * write_certificate_verify), so let's just use what we have.
  2565. *
  2566. * However, we still minimally parse the message to check it is at least
  2567. * superficially sane.
  2568. */
  2569. buf = ssl->in_msg;
  2570. /* certificate_types */
  2571. if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
  2572. {
  2573. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
  2574. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2575. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2576. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
  2577. }
  2578. cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
  2579. n = cert_type_len;
  2580. /*
  2581. * In the subsequent code there are two paths that read from buf:
  2582. * * the length of the signature algorithms field (if minor version of
  2583. * SSL is 3),
  2584. * * distinguished name length otherwise.
  2585. * Both reach at most the index:
  2586. * ...hdr_len + 2 + n,
  2587. * therefore the buffer length at this point must be greater than that
  2588. * regardless of the actual code path.
  2589. */
  2590. if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
  2591. {
  2592. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
  2593. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2594. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2595. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
  2596. }
  2597. /* supported_signature_algorithms */
  2598. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2599. if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  2600. {
  2601. size_t sig_alg_len =
  2602. ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
  2603. | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
  2604. #if defined(MBEDTLS_DEBUG_C)
  2605. unsigned char* sig_alg;
  2606. size_t i;
  2607. #endif
  2608. /*
  2609. * The furthest access in buf is in the loop few lines below:
  2610. * sig_alg[i + 1],
  2611. * where:
  2612. * sig_alg = buf + ...hdr_len + 3 + n,
  2613. * max(i) = sig_alg_len - 1.
  2614. * Therefore the furthest access is:
  2615. * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
  2616. * which reduces to:
  2617. * buf[...hdr_len + 3 + n + sig_alg_len],
  2618. * which is one less than we need the buf to be.
  2619. */
  2620. if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
  2621. + 3 + n + sig_alg_len )
  2622. {
  2623. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
  2624. mbedtls_ssl_send_alert_message(
  2625. ssl,
  2626. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2627. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2628. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
  2629. }
  2630. #if defined(MBEDTLS_DEBUG_C)
  2631. sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
  2632. for( i = 0; i < sig_alg_len; i += 2 )
  2633. {
  2634. MBEDTLS_SSL_DEBUG_MSG( 3,
  2635. ( "Supported Signature Algorithm found: %d,%d",
  2636. sig_alg[i], sig_alg[i + 1] ) );
  2637. }
  2638. #endif
  2639. n += 2 + sig_alg_len;
  2640. }
  2641. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2642. /* certificate_authorities */
  2643. dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
  2644. | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
  2645. n += dn_len;
  2646. if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
  2647. {
  2648. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
  2649. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2650. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2651. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
  2652. }
  2653. exit:
  2654. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
  2655. return( 0 );
  2656. }
  2657. #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
  2658. static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
  2659. {
  2660. int ret;
  2661. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
  2662. if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
  2663. {
  2664. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
  2665. return( ret );
  2666. }
  2667. if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
  2668. {
  2669. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
  2670. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2671. }
  2672. if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
  2673. ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
  2674. {
  2675. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
  2676. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2677. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2678. return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
  2679. }
  2680. ssl->state++;
  2681. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  2682. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  2683. mbedtls_ssl_recv_flight_completed( ssl );
  2684. #endif
  2685. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
  2686. return( 0 );
  2687. }
  2688. static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
  2689. {
  2690. int ret;
  2691. size_t i, n;
  2692. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2693. ssl->transform_negotiate->ciphersuite_info;
  2694. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
  2695. #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
  2696. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
  2697. {
  2698. /*
  2699. * DHM key exchange -- send G^X mod P
  2700. */
  2701. n = ssl->handshake->dhm_ctx.len;
  2702. ssl->out_msg[4] = (unsigned char)( n >> 8 );
  2703. ssl->out_msg[5] = (unsigned char)( n );
  2704. i = 6;
  2705. ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
  2706. (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
  2707. &ssl->out_msg[i], n,
  2708. ssl->conf->f_rng, ssl->conf->p_rng );
  2709. if( ret != 0 )
  2710. {
  2711. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
  2712. return( ret );
  2713. }
  2714. MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
  2715. MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
  2716. if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
  2717. ssl->handshake->premaster,
  2718. MBEDTLS_PREMASTER_SIZE,
  2719. &ssl->handshake->pmslen,
  2720. ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
  2721. {
  2722. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
  2723. return( ret );
  2724. }
  2725. MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
  2726. }
  2727. else
  2728. #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
  2729. #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
  2730. defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
  2731. defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
  2732. defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
  2733. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
  2734. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
  2735. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
  2736. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
  2737. {
  2738. /*
  2739. * ECDH key exchange -- send client public value
  2740. */
  2741. i = 4;
  2742. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2743. if( ssl->handshake->ecrs_enabled )
  2744. {
  2745. if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
  2746. goto ecdh_calc_secret;
  2747. mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
  2748. }
  2749. #endif
  2750. ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
  2751. &n,
  2752. &ssl->out_msg[i], 1000,
  2753. ssl->conf->f_rng, ssl->conf->p_rng );
  2754. if( ret != 0 )
  2755. {
  2756. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
  2757. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2758. if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
  2759. ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
  2760. #endif
  2761. return( ret );
  2762. }
  2763. MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
  2764. MBEDTLS_DEBUG_ECDH_Q );
  2765. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2766. if( ssl->handshake->ecrs_enabled )
  2767. {
  2768. ssl->handshake->ecrs_n = n;
  2769. ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
  2770. }
  2771. ecdh_calc_secret:
  2772. if( ssl->handshake->ecrs_enabled )
  2773. n = ssl->handshake->ecrs_n;
  2774. #endif
  2775. if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
  2776. &ssl->handshake->pmslen,
  2777. ssl->handshake->premaster,
  2778. MBEDTLS_MPI_MAX_SIZE,
  2779. ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
  2780. {
  2781. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
  2782. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2783. if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
  2784. ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
  2785. #endif
  2786. return( ret );
  2787. }
  2788. MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
  2789. MBEDTLS_DEBUG_ECDH_Z );
  2790. }
  2791. else
  2792. #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
  2793. MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
  2794. MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
  2795. MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
  2796. #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
  2797. if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
  2798. {
  2799. /*
  2800. * opaque psk_identity<0..2^16-1>;
  2801. */
  2802. if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
  2803. {
  2804. MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
  2805. return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
  2806. }
  2807. i = 4;
  2808. n = ssl->conf->psk_identity_len;
  2809. if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
  2810. {
  2811. MBEDTLS_SSL_DEBUG_MSG( 1,
  2812. ( "psk identity too long or SSL buffer too short" ) );
  2813. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  2814. }
  2815. ssl->out_msg[i++] = (unsigned char)( n >> 8 );
  2816. ssl->out_msg[i++] = (unsigned char)( n );
  2817. memcpy( ssl->out_msg + i,
  2818. ssl->conf->psk_identity,
  2819. ssl->conf->psk_identity_len );
  2820. i += ssl->conf->psk_identity_len;
  2821. #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
  2822. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
  2823. {
  2824. n = 0;
  2825. }
  2826. else
  2827. #endif
  2828. #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
  2829. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
  2830. {
  2831. if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
  2832. return( ret );
  2833. }
  2834. else
  2835. #endif
  2836. #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
  2837. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
  2838. {
  2839. /*
  2840. * ClientDiffieHellmanPublic public (DHM send G^X mod P)
  2841. */
  2842. n = ssl->handshake->dhm_ctx.len;
  2843. if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
  2844. {
  2845. MBEDTLS_SSL_DEBUG_MSG( 1,
  2846. ( "psk identity or DHM size too long or SSL buffer too short" ) );
  2847. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  2848. }
  2849. ssl->out_msg[i++] = (unsigned char)( n >> 8 );
  2850. ssl->out_msg[i++] = (unsigned char)( n );
  2851. ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
  2852. (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
  2853. &ssl->out_msg[i], n,
  2854. ssl->conf->f_rng, ssl->conf->p_rng );
  2855. if( ret != 0 )
  2856. {
  2857. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
  2858. return( ret );
  2859. }
  2860. }
  2861. else
  2862. #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
  2863. #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
  2864. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
  2865. {
  2866. /*
  2867. * ClientECDiffieHellmanPublic public;
  2868. */
  2869. ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
  2870. &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
  2871. ssl->conf->f_rng, ssl->conf->p_rng );
  2872. if( ret != 0 )
  2873. {
  2874. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
  2875. return( ret );
  2876. }
  2877. MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
  2878. MBEDTLS_DEBUG_ECDH_Q );
  2879. }
  2880. else
  2881. #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
  2882. {
  2883. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2884. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2885. }
  2886. if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
  2887. ciphersuite_info->key_exchange ) ) != 0 )
  2888. {
  2889. MBEDTLS_SSL_DEBUG_RET( 1,
  2890. "mbedtls_ssl_psk_derive_premaster", ret );
  2891. return( ret );
  2892. }
  2893. }
  2894. else
  2895. #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
  2896. #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
  2897. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
  2898. {
  2899. i = 4;
  2900. if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
  2901. return( ret );
  2902. }
  2903. else
  2904. #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
  2905. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  2906. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
  2907. {
  2908. i = 4;
  2909. ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
  2910. ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
  2911. ssl->conf->f_rng, ssl->conf->p_rng );
  2912. if( ret != 0 )
  2913. {
  2914. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
  2915. return( ret );
  2916. }
  2917. ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
  2918. ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
  2919. ssl->conf->f_rng, ssl->conf->p_rng );
  2920. if( ret != 0 )
  2921. {
  2922. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
  2923. return( ret );
  2924. }
  2925. }
  2926. else
  2927. #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
  2928. {
  2929. ((void) ciphersuite_info);
  2930. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2931. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2932. }
  2933. ssl->out_msglen = i + n;
  2934. ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
  2935. ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
  2936. ssl->state++;
  2937. if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
  2938. {
  2939. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
  2940. return( ret );
  2941. }
  2942. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
  2943. return( 0 );
  2944. }
  2945. #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
  2946. !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
  2947. !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
  2948. !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
  2949. !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
  2950. !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
  2951. static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
  2952. {
  2953. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2954. ssl->transform_negotiate->ciphersuite_info;
  2955. int ret;
  2956. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
  2957. if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
  2958. {
  2959. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
  2960. return( ret );
  2961. }
  2962. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
  2963. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
  2964. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
  2965. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
  2966. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
  2967. {
  2968. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
  2969. ssl->state++;
  2970. return( 0 );
  2971. }
  2972. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2973. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2974. }
  2975. #else
  2976. static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
  2977. {
  2978. int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
  2979. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2980. ssl->transform_negotiate->ciphersuite_info;
  2981. size_t n = 0, offset = 0;
  2982. unsigned char hash[48];
  2983. unsigned char *hash_start = hash;
  2984. mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
  2985. unsigned int hashlen;
  2986. void *rs_ctx = NULL;
  2987. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
  2988. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  2989. if( ssl->handshake->ecrs_enabled &&
  2990. ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
  2991. {
  2992. goto sign;
  2993. }
  2994. #endif
  2995. if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
  2996. {
  2997. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
  2998. return( ret );
  2999. }
  3000. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
  3001. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
  3002. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
  3003. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
  3004. ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
  3005. {
  3006. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
  3007. ssl->state++;
  3008. return( 0 );
  3009. }
  3010. if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
  3011. {
  3012. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
  3013. ssl->state++;
  3014. return( 0 );
  3015. }
  3016. if( mbedtls_ssl_own_key( ssl ) == NULL )
  3017. {
  3018. MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
  3019. return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
  3020. }
  3021. /*
  3022. * Make a signature of the handshake digests
  3023. */
  3024. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  3025. if( ssl->handshake->ecrs_enabled )
  3026. ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
  3027. sign:
  3028. #endif
  3029. ssl->handshake->calc_verify( ssl, hash );
  3030. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  3031. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  3032. if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
  3033. {
  3034. /*
  3035. * digitally-signed struct {
  3036. * opaque md5_hash[16];
  3037. * opaque sha_hash[20];
  3038. * };
  3039. *
  3040. * md5_hash
  3041. * MD5(handshake_messages);
  3042. *
  3043. * sha_hash
  3044. * SHA(handshake_messages);
  3045. */
  3046. hashlen = 36;
  3047. md_alg = MBEDTLS_MD_NONE;
  3048. /*
  3049. * For ECDSA, default hash is SHA-1 only
  3050. */
  3051. if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
  3052. {
  3053. hash_start += 16;
  3054. hashlen -= 16;
  3055. md_alg = MBEDTLS_MD_SHA1;
  3056. }
  3057. }
  3058. else
  3059. #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
  3060. MBEDTLS_SSL_PROTO_TLS1_1 */
  3061. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  3062. if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  3063. {
  3064. /*
  3065. * digitally-signed struct {
  3066. * opaque handshake_messages[handshake_messages_length];
  3067. * };
  3068. *
  3069. * Taking shortcut here. We assume that the server always allows the
  3070. * PRF Hash function and has sent it in the allowed signature
  3071. * algorithms list received in the Certificate Request message.
  3072. *
  3073. * Until we encounter a server that does not, we will take this
  3074. * shortcut.
  3075. *
  3076. * Reason: Otherwise we should have running hashes for SHA512 and
  3077. * SHA224 in order to satisfy 'weird' needs from the server
  3078. * side.
  3079. */
  3080. if( ssl->transform_negotiate->ciphersuite_info->mac ==
  3081. MBEDTLS_MD_SHA384 )
  3082. {
  3083. md_alg = MBEDTLS_MD_SHA384;
  3084. ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
  3085. }
  3086. else
  3087. {
  3088. md_alg = MBEDTLS_MD_SHA256;
  3089. ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
  3090. }
  3091. ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
  3092. /* Info from md_alg will be used instead */
  3093. hashlen = 0;
  3094. offset = 2;
  3095. }
  3096. else
  3097. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  3098. {
  3099. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  3100. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  3101. }
  3102. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  3103. if( ssl->handshake->ecrs_enabled )
  3104. rs_ctx = &ssl->handshake->ecrs_ctx.pk;
  3105. #endif
  3106. if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
  3107. md_alg, hash_start, hashlen,
  3108. ssl->out_msg + 6 + offset, &n,
  3109. ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
  3110. {
  3111. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
  3112. #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
  3113. if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
  3114. ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
  3115. #endif
  3116. return( ret );
  3117. }
  3118. ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
  3119. ssl->out_msg[5 + offset] = (unsigned char)( n );
  3120. ssl->out_msglen = 6 + n + offset;
  3121. ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
  3122. ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
  3123. ssl->state++;
  3124. if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
  3125. {
  3126. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
  3127. return( ret );
  3128. }
  3129. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
  3130. return( ret );
  3131. }
  3132. #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
  3133. !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
  3134. !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
  3135. !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
  3136. !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
  3137. !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
  3138. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  3139. static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
  3140. {
  3141. int ret;
  3142. uint32_t lifetime;
  3143. size_t ticket_len;
  3144. unsigned char *ticket;
  3145. const unsigned char *msg;
  3146. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
  3147. if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
  3148. {
  3149. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
  3150. return( ret );
  3151. }
  3152. if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
  3153. {
  3154. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
  3155. mbedtls_ssl_send_alert_message(
  3156. ssl,
  3157. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  3158. MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
  3159. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  3160. }
  3161. /*
  3162. * struct {
  3163. * uint32 ticket_lifetime_hint;
  3164. * opaque ticket<0..2^16-1>;
  3165. * } NewSessionTicket;
  3166. *
  3167. * 0 . 3 ticket_lifetime_hint
  3168. * 4 . 5 ticket_len (n)
  3169. * 6 . 5+n ticket content
  3170. */
  3171. if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
  3172. ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
  3173. {
  3174. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
  3175. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  3176. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  3177. return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
  3178. }
  3179. msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
  3180. lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
  3181. ( msg[2] << 8 ) | ( msg[3] );
  3182. ticket_len = ( msg[4] << 8 ) | ( msg[5] );
  3183. if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
  3184. {
  3185. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
  3186. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  3187. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  3188. return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
  3189. }
  3190. MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
  3191. /* We're not waiting for a NewSessionTicket message any more */
  3192. ssl->handshake->new_session_ticket = 0;
  3193. ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
  3194. /*
  3195. * Zero-length ticket means the server changed his mind and doesn't want
  3196. * to send a ticket after all, so just forget it
  3197. */
  3198. if( ticket_len == 0 )
  3199. return( 0 );
  3200. mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
  3201. ssl->session_negotiate->ticket_len );
  3202. mbedtls_free( ssl->session_negotiate->ticket );
  3203. ssl->session_negotiate->ticket = NULL;
  3204. ssl->session_negotiate->ticket_len = 0;
  3205. if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
  3206. {
  3207. MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
  3208. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  3209. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  3210. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  3211. }
  3212. memcpy( ticket, msg + 6, ticket_len );
  3213. ssl->session_negotiate->ticket = ticket;
  3214. ssl->session_negotiate->ticket_len = ticket_len;
  3215. ssl->session_negotiate->ticket_lifetime = lifetime;
  3216. /*
  3217. * RFC 5077 section 3.4:
  3218. * "If the client receives a session ticket from the server, then it
  3219. * discards any Session ID that was sent in the ServerHello."
  3220. */
  3221. MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
  3222. ssl->session_negotiate->id_len = 0;
  3223. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
  3224. return( 0 );
  3225. }
  3226. #endif /* MBEDTLS_SSL_SESSION_TICKETS */
  3227. /*
  3228. * SSL handshake -- client side -- single step
  3229. */
  3230. int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
  3231. {
  3232. int ret = 0;
  3233. if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
  3234. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3235. MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
  3236. if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
  3237. return( ret );
  3238. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3239. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  3240. ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
  3241. {
  3242. if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
  3243. return( ret );
  3244. }
  3245. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  3246. /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
  3247. * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
  3248. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  3249. if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
  3250. ssl->handshake->new_session_ticket != 0 )
  3251. {
  3252. ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
  3253. }
  3254. #endif
  3255. switch( ssl->state )
  3256. {
  3257. case MBEDTLS_SSL_HELLO_REQUEST:
  3258. ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
  3259. break;
  3260. /*
  3261. * ==> ClientHello
  3262. */
  3263. case MBEDTLS_SSL_CLIENT_HELLO:
  3264. ret = ssl_write_client_hello( ssl );
  3265. break;
  3266. /*
  3267. * <== ServerHello
  3268. * Certificate
  3269. * ( ServerKeyExchange )
  3270. * ( CertificateRequest )
  3271. * ServerHelloDone
  3272. */
  3273. case MBEDTLS_SSL_SERVER_HELLO:
  3274. ret = ssl_parse_server_hello( ssl );
  3275. break;
  3276. case MBEDTLS_SSL_SERVER_CERTIFICATE:
  3277. ret = mbedtls_ssl_parse_certificate( ssl );
  3278. break;
  3279. case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
  3280. ret = ssl_parse_server_key_exchange( ssl );
  3281. break;
  3282. case MBEDTLS_SSL_CERTIFICATE_REQUEST:
  3283. ret = ssl_parse_certificate_request( ssl );
  3284. break;
  3285. case MBEDTLS_SSL_SERVER_HELLO_DONE:
  3286. ret = ssl_parse_server_hello_done( ssl );
  3287. break;
  3288. /*
  3289. * ==> ( Certificate/Alert )
  3290. * ClientKeyExchange
  3291. * ( CertificateVerify )
  3292. * ChangeCipherSpec
  3293. * Finished
  3294. */
  3295. case MBEDTLS_SSL_CLIENT_CERTIFICATE:
  3296. ret = mbedtls_ssl_write_certificate( ssl );
  3297. break;
  3298. case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
  3299. ret = ssl_write_client_key_exchange( ssl );
  3300. break;
  3301. case MBEDTLS_SSL_CERTIFICATE_VERIFY:
  3302. ret = ssl_write_certificate_verify( ssl );
  3303. break;
  3304. case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
  3305. ret = mbedtls_ssl_write_change_cipher_spec( ssl );
  3306. break;
  3307. case MBEDTLS_SSL_CLIENT_FINISHED:
  3308. ret = mbedtls_ssl_write_finished( ssl );
  3309. break;
  3310. /*
  3311. * <== ( NewSessionTicket )
  3312. * ChangeCipherSpec
  3313. * Finished
  3314. */
  3315. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  3316. case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
  3317. ret = ssl_parse_new_session_ticket( ssl );
  3318. break;
  3319. #endif
  3320. case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
  3321. ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
  3322. break;
  3323. case MBEDTLS_SSL_SERVER_FINISHED:
  3324. ret = mbedtls_ssl_parse_finished( ssl );
  3325. break;
  3326. case MBEDTLS_SSL_FLUSH_BUFFERS:
  3327. MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
  3328. ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
  3329. break;
  3330. case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
  3331. mbedtls_ssl_handshake_wrapup( ssl );
  3332. break;
  3333. default:
  3334. MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
  3335. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3336. }
  3337. return( ret );
  3338. }
  3339. #endif /* MBEDTLS_SSL_CLI_C */