2 * SSLv3/TLSv1 server-side functions
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
24 #if !defined(MBEDTLS_CONFIG_FILE)
25 #include "mbedtls/config.h"
27 #include MBEDTLS_CONFIG_FILE
30 #if defined(MBEDTLS_SSL_SRV_C)
32 #if defined(MBEDTLS_PLATFORM_C)
33 #include "mbedtls/platform.h"
36 #define mbedtls_calloc calloc
37 #define mbedtls_free free
40 #include "mbedtls/debug.h"
41 #include "mbedtls/ssl.h"
42 #include "mbedtls/ssl_internal.h"
46 #if defined(MBEDTLS_ECP_C)
47 #include "mbedtls/ecp.h"
50 #if defined(MBEDTLS_HAVE_TIME)
51 #include "mbedtls/platform_time.h"
54 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
55 /* Implementation that should never be optimized out by the compiler */
56 static void mbedtls_zeroize( void *v
, size_t n
) {
57 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
61 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
62 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context
*ssl
,
63 const unsigned char *info
,
66 if( ssl
->conf
->endpoint
!= MBEDTLS_SSL_IS_SERVER
)
67 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
69 mbedtls_free( ssl
->cli_id
);
71 if( ( ssl
->cli_id
= mbedtls_calloc( 1, ilen
) ) == NULL
)
72 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
74 memcpy( ssl
->cli_id
, info
, ilen
);
75 ssl
->cli_id_len
= ilen
;
80 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config
*conf
,
81 mbedtls_ssl_cookie_write_t
*f_cookie_write
,
82 mbedtls_ssl_cookie_check_t
*f_cookie_check
,
85 conf
->f_cookie_write
= f_cookie_write
;
86 conf
->f_cookie_check
= f_cookie_check
;
87 conf
->p_cookie
= p_cookie
;
89 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
91 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
92 static int ssl_parse_servername_ext( mbedtls_ssl_context
*ssl
,
93 const unsigned char *buf
,
97 size_t servername_list_size
, hostname_len
;
98 const unsigned char *p
;
100 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
105 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
106 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
107 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
109 servername_list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
110 if( servername_list_size
+ 2 != len
)
112 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
113 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
114 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
115 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
119 while( servername_list_size
> 2 )
121 hostname_len
= ( ( p
[1] << 8 ) | p
[2] );
122 if( hostname_len
+ 3 > servername_list_size
)
124 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
125 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
126 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
127 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
130 if( p
[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
)
132 ret
= ssl
->conf
->f_sni( ssl
->conf
->p_sni
,
133 ssl
, p
+ 3, hostname_len
);
136 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret
);
137 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
138 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
);
139 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
144 servername_list_size
-= hostname_len
+ 3;
145 p
+= hostname_len
+ 3;
148 if( servername_list_size
!= 0 )
150 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
151 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
152 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
);
153 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
158 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
160 static int ssl_parse_renegotiation_info( mbedtls_ssl_context
*ssl
,
161 const unsigned char *buf
,
164 #if defined(MBEDTLS_SSL_RENEGOTIATION)
165 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
167 /* Check verify-data in constant-time. The length OTOH is no secret */
168 if( len
!= 1 + ssl
->verify_data_len
||
169 buf
[0] != ssl
->verify_data_len
||
170 mbedtls_ssl_safer_memcmp( buf
+ 1, ssl
->peer_verify_data
,
171 ssl
->verify_data_len
) != 0 )
173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
174 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
175 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
176 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
180 #endif /* MBEDTLS_SSL_RENEGOTIATION */
182 if( len
!= 1 || buf
[0] != 0x0 )
184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
185 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
186 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
187 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
190 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
196 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
197 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
200 * Status of the implementation of signature-algorithms extension:
202 * Currently, we are only considering the signature-algorithm extension
203 * to pick a ciphersuite which allows us to send the ServerKeyExchange
204 * message with a signature-hash combination that the user allows.
206 * We do *not* check whether all certificates in our certificate
207 * chain are signed with an allowed signature-hash pair.
208 * This needs to be done at a later stage.
211 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context
*ssl
,
212 const unsigned char *buf
,
215 size_t sig_alg_list_size
;
217 const unsigned char *p
;
218 const unsigned char *end
= buf
+ len
;
220 mbedtls_md_type_t md_cur
;
221 mbedtls_pk_type_t sig_cur
;
224 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
225 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
226 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
227 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
229 sig_alg_list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
230 if( sig_alg_list_size
+ 2 != len
||
231 sig_alg_list_size
% 2 != 0 )
233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
234 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
235 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
236 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
239 /* Currently we only guarantee signing the ServerKeyExchange message according
240 * to the constraints specified in this extension (see above), so it suffices
241 * to remember only one suitable hash for each possible signature algorithm.
243 * This will change when we also consider certificate signatures,
244 * in which case we will need to remember the whole signature-hash
245 * pair list from the extension.
248 for( p
= buf
+ 2; p
< end
; p
+= 2 )
250 /* Silently ignore unknown signature or hash algorithms. */
252 if( ( sig_cur
= mbedtls_ssl_pk_alg_from_sig( p
[1] ) ) == MBEDTLS_PK_NONE
)
254 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
255 " unknown sig alg encoding %d", p
[1] ) );
259 /* Check if we support the hash the user proposes */
260 md_cur
= mbedtls_ssl_md_alg_from_hash( p
[0] );
261 if( md_cur
== MBEDTLS_MD_NONE
)
263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
264 " unknown hash alg encoding %d", p
[0] ) );
268 if( mbedtls_ssl_check_sig_hash( ssl
, md_cur
) == 0 )
270 mbedtls_ssl_sig_hash_set_add( &ssl
->handshake
->hash_algs
, sig_cur
, md_cur
);
271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
272 " match sig %d and hash %d",
277 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
278 "hash alg %d not supported", md_cur
) );
284 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
285 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
287 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
288 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
289 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context
*ssl
,
290 const unsigned char *buf
,
293 size_t list_size
, our_size
;
294 const unsigned char *p
;
295 const mbedtls_ecp_curve_info
*curve_info
, **curves
;
298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
299 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
300 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
301 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
303 list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
304 if( list_size
+ 2 != len
||
307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
308 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
309 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
310 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
313 /* Should never happen unless client duplicates the extension */
314 if( ssl
->handshake
->curves
!= NULL
)
316 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
317 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
318 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
319 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
322 /* Don't allow our peer to make us allocate too much memory,
323 * and leave room for a final 0 */
324 our_size
= list_size
/ 2 + 1;
325 if( our_size
> MBEDTLS_ECP_DP_MAX
)
326 our_size
= MBEDTLS_ECP_DP_MAX
;
328 if( ( curves
= mbedtls_calloc( our_size
, sizeof( *curves
) ) ) == NULL
)
330 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
331 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
);
332 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
335 ssl
->handshake
->curves
= curves
;
338 while( list_size
> 0 && our_size
> 1 )
340 curve_info
= mbedtls_ecp_curve_info_from_tls_id( ( p
[0] << 8 ) | p
[1] );
342 if( curve_info
!= NULL
)
344 *curves
++ = curve_info
;
355 static int ssl_parse_supported_point_formats( mbedtls_ssl_context
*ssl
,
356 const unsigned char *buf
,
360 const unsigned char *p
;
362 if( len
== 0 || (size_t)( buf
[0] + 1 ) != len
)
364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
365 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
366 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
367 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
372 while( list_size
> 0 )
374 if( p
[0] == MBEDTLS_ECP_PF_UNCOMPRESSED
||
375 p
[0] == MBEDTLS_ECP_PF_COMPRESSED
)
377 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
378 ssl
->handshake
->ecdh_ctx
.point_format
= p
[0];
380 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
381 ssl
->handshake
->ecjpake_ctx
.point_format
= p
[0];
383 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p
[0] ) );
393 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
394 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
396 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
397 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context
*ssl
,
398 const unsigned char *buf
,
403 if( mbedtls_ecjpake_check( &ssl
->handshake
->ecjpake_ctx
) != 0 )
405 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
409 if( ( ret
= mbedtls_ecjpake_read_round_one( &ssl
->handshake
->ecjpake_ctx
,
412 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret
);
413 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
414 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
);
418 /* Only mark the extension as OK when we're sure it is */
419 ssl
->handshake
->cli_exts
|= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK
;
423 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
425 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
426 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context
*ssl
,
427 const unsigned char *buf
,
430 if( len
!= 1 || buf
[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
)
432 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
433 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
434 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
);
435 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
438 ssl
->session_negotiate
->mfl_code
= buf
[0];
442 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
444 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
445 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context
*ssl
,
446 const unsigned char *buf
,
451 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
452 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
453 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
454 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
459 if( ssl
->conf
->trunc_hmac
== MBEDTLS_SSL_TRUNC_HMAC_ENABLED
)
460 ssl
->session_negotiate
->trunc_hmac
= MBEDTLS_SSL_TRUNC_HMAC_ENABLED
;
464 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
466 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
467 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context
*ssl
,
468 const unsigned char *buf
,
473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
474 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
475 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
476 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
481 if( ssl
->conf
->encrypt_then_mac
== MBEDTLS_SSL_ETM_ENABLED
&&
482 ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
484 ssl
->session_negotiate
->encrypt_then_mac
= MBEDTLS_SSL_ETM_ENABLED
;
489 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
491 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
492 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context
*ssl
,
493 const unsigned char *buf
,
498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
499 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
500 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
501 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
506 if( ssl
->conf
->extended_ms
== MBEDTLS_SSL_EXTENDED_MS_ENABLED
&&
507 ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
509 ssl
->handshake
->extended_ms
= MBEDTLS_SSL_EXTENDED_MS_ENABLED
;
514 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
516 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
517 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context
*ssl
,
522 mbedtls_ssl_session session
;
524 mbedtls_ssl_session_init( &session
);
526 if( ssl
->conf
->f_ticket_parse
== NULL
||
527 ssl
->conf
->f_ticket_write
== NULL
)
532 /* Remember the client asked us to send a new ticket */
533 ssl
->handshake
->new_session_ticket
= 1;
535 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len
) );
540 #if defined(MBEDTLS_SSL_RENEGOTIATION)
541 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
543 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
546 #endif /* MBEDTLS_SSL_RENEGOTIATION */
549 * Failures are ok: just ignore the ticket and proceed.
551 if( ( ret
= ssl
->conf
->f_ticket_parse( ssl
->conf
->p_ticket
, &session
,
554 mbedtls_ssl_session_free( &session
);
556 if( ret
== MBEDTLS_ERR_SSL_INVALID_MAC
)
557 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
558 else if( ret
== MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
)
559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
561 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret
);
567 * Keep the session ID sent by the client, since we MUST send it back to
568 * inform them we're accepting the ticket (RFC 5077 section 3.4)
570 session
.id_len
= ssl
->session_negotiate
->id_len
;
571 memcpy( &session
.id
, ssl
->session_negotiate
->id
, session
.id_len
);
573 mbedtls_ssl_session_free( ssl
->session_negotiate
);
574 memcpy( ssl
->session_negotiate
, &session
, sizeof( mbedtls_ssl_session
) );
576 /* Zeroize instead of free as we copied the content */
577 mbedtls_zeroize( &session
, sizeof( mbedtls_ssl_session
) );
579 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
581 ssl
->handshake
->resume
= 1;
583 /* Don't send a new ticket after all, this one is OK */
584 ssl
->handshake
->new_session_ticket
= 0;
588 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
590 #if defined(MBEDTLS_SSL_ALPN)
591 static int ssl_parse_alpn_ext( mbedtls_ssl_context
*ssl
,
592 const unsigned char *buf
, size_t len
)
594 size_t list_len
, cur_len
, ours_len
;
595 const unsigned char *theirs
, *start
, *end
;
598 /* If ALPN not configured, just ignore the extension */
599 if( ssl
->conf
->alpn_list
== NULL
)
603 * opaque ProtocolName<1..2^8-1>;
606 * ProtocolName protocol_name_list<2..2^16-1>
607 * } ProtocolNameList;
610 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
613 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
614 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
615 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
618 list_len
= ( buf
[0] << 8 ) | buf
[1];
619 if( list_len
!= len
- 2 )
621 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
622 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
623 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
627 * Validate peer's list (lengths)
631 for( theirs
= start
; theirs
!= end
; theirs
+= cur_len
)
635 /* Current identifier must fit in list */
636 if( cur_len
> (size_t)( end
- theirs
) )
638 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
639 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
640 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
643 /* Empty strings MUST NOT be included */
646 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
647 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
);
648 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
653 * Use our order of preference
655 for( ours
= ssl
->conf
->alpn_list
; *ours
!= NULL
; ours
++ )
657 ours_len
= strlen( *ours
);
658 for( theirs
= start
; theirs
!= end
; theirs
+= cur_len
)
662 if( cur_len
== ours_len
&&
663 memcmp( theirs
, *ours
, cur_len
) == 0 )
665 ssl
->alpn_chosen
= *ours
;
671 /* If we get there, no match was found */
672 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
673 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
);
674 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
676 #endif /* MBEDTLS_SSL_ALPN */
679 * Auxiliary functions for ServerHello parsing and related actions
682 #if defined(MBEDTLS_X509_CRT_PARSE_C)
684 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
686 #if defined(MBEDTLS_ECDSA_C)
687 static int ssl_check_key_curve( mbedtls_pk_context
*pk
,
688 const mbedtls_ecp_curve_info
**curves
)
690 const mbedtls_ecp_curve_info
**crv
= curves
;
691 mbedtls_ecp_group_id grp_id
= mbedtls_pk_ec( *pk
)->grp
.id
;
693 while( *crv
!= NULL
)
695 if( (*crv
)->grp_id
== grp_id
)
702 #endif /* MBEDTLS_ECDSA_C */
705 * Try picking a certificate for this ciphersuite,
706 * return 0 on success and -1 on failure.
708 static int ssl_pick_cert( mbedtls_ssl_context
*ssl
,
709 const mbedtls_ssl_ciphersuite_t
* ciphersuite_info
)
711 mbedtls_ssl_key_cert
*cur
, *list
, *fallback
= NULL
;
712 mbedtls_pk_type_t pk_alg
=
713 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info
);
716 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
717 if( ssl
->handshake
->sni_key_cert
!= NULL
)
718 list
= ssl
->handshake
->sni_key_cert
;
721 list
= ssl
->conf
->key_cert
;
723 if( pk_alg
== MBEDTLS_PK_NONE
)
726 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
730 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
734 for( cur
= list
; cur
!= NULL
; cur
= cur
->next
)
736 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
739 if( ! mbedtls_pk_can_do( cur
->key
, pk_alg
) )
741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
746 * This avoids sending the client a cert it'll reject based on
747 * keyUsage or other extensions.
749 * It also allows the user to provision different certificates for
750 * different uses based on keyUsage, eg if they want to avoid signing
751 * and decrypting with the same RSA key.
753 if( mbedtls_ssl_check_cert_usage( cur
->cert
, ciphersuite_info
,
754 MBEDTLS_SSL_IS_SERVER
, &flags
) != 0 )
756 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
757 "(extended) key usage extension" ) );
761 #if defined(MBEDTLS_ECDSA_C)
762 if( pk_alg
== MBEDTLS_PK_ECDSA
&&
763 ssl_check_key_curve( cur
->key
, ssl
->handshake
->curves
) != 0 )
765 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
771 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
772 * present them a SHA-higher cert rather than failing if it's the only
773 * one we got that satisfies the other conditions.
775 if( ssl
->minor_ver
< MBEDTLS_SSL_MINOR_VERSION_3
&&
776 cur
->cert
->sig_md
!= MBEDTLS_MD_SHA1
)
778 if( fallback
== NULL
)
781 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
782 "sha-2 with pre-TLS 1.2 client" ) );
787 /* If we get there, we got a winner */
794 /* Do not update ssl->handshake->key_cert unless there is a match */
797 ssl
->handshake
->key_cert
= cur
;
798 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
799 ssl
->handshake
->key_cert
->cert
);
805 #endif /* MBEDTLS_X509_CRT_PARSE_C */
808 * Check if a given ciphersuite is suitable for use with our config/keys/etc
809 * Sets ciphersuite_info only if the suite matches.
811 static int ssl_ciphersuite_match( mbedtls_ssl_context
*ssl
, int suite_id
,
812 const mbedtls_ssl_ciphersuite_t
**ciphersuite_info
)
814 const mbedtls_ssl_ciphersuite_t
*suite_info
;
816 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
817 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
818 mbedtls_pk_type_t sig_type
;
821 suite_info
= mbedtls_ssl_ciphersuite_from_id( suite_id
);
822 if( suite_info
== NULL
)
824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
825 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
828 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info
->name
) );
830 if( suite_info
->min_minor_ver
> ssl
->minor_ver
||
831 suite_info
->max_minor_ver
< ssl
->minor_ver
)
833 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
837 #if defined(MBEDTLS_SSL_PROTO_DTLS)
838 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
839 ( suite_info
->flags
& MBEDTLS_CIPHERSUITE_NODTLS
) )
843 #if defined(MBEDTLS_ARC4_C)
844 if( ssl
->conf
->arc4_disabled
== MBEDTLS_SSL_ARC4_DISABLED
&&
845 suite_info
->cipher
== MBEDTLS_CIPHER_ARC4_128
)
847 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
852 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
853 if( suite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
&&
854 ( ssl
->handshake
->cli_exts
& MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK
) == 0 )
856 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
857 "not configured or ext missing" ) );
863 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
864 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info
) &&
865 ( ssl
->handshake
->curves
== NULL
||
866 ssl
->handshake
->curves
[0] == NULL
) )
868 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
869 "no common elliptic curve" ) );
874 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
875 /* If the ciphersuite requires a pre-shared key and we don't
876 * have one, skip it now rather than failing later */
877 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info
) &&
878 ssl
->conf
->f_psk
== NULL
&&
879 ( ssl
->conf
->psk
== NULL
|| ssl
->conf
->psk_identity
== NULL
||
880 ssl
->conf
->psk_identity_len
== 0 || ssl
->conf
->psk_len
== 0 ) )
882 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
887 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
888 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
889 /* If the ciphersuite requires signing, check whether
890 * a suitable hash algorithm is present. */
891 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
893 sig_type
= mbedtls_ssl_get_ciphersuite_sig_alg( suite_info
);
894 if( sig_type
!= MBEDTLS_PK_NONE
&&
895 mbedtls_ssl_sig_hash_set_find( &ssl
->handshake
->hash_algs
, sig_type
) == MBEDTLS_MD_NONE
)
897 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
898 "for signature algorithm %d", sig_type
) );
903 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
904 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
906 #if defined(MBEDTLS_X509_CRT_PARSE_C)
908 * Final check: if ciphersuite requires us to have a
909 * certificate/key of a particular type:
910 * - select the appropriate certificate if we have one, or
911 * - try the next ciphersuite if we don't
912 * This must be done last since we modify the key_cert list.
914 if( ssl_pick_cert( ssl
, suite_info
) != 0 )
916 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
917 "no suitable certificate" ) );
922 *ciphersuite_info
= suite_info
;
926 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
927 static int ssl_parse_client_hello_v2( mbedtls_ssl_context
*ssl
)
929 int ret
, got_common_suite
;
932 unsigned int ciph_len
, sess_len
, chal_len
;
933 unsigned char *buf
, *p
;
934 const int *ciphersuites
;
935 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
937 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
939 #if defined(MBEDTLS_SSL_RENEGOTIATION)
940 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
942 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
943 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
944 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
945 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
947 #endif /* MBEDTLS_SSL_RENEGOTIATION */
951 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf
, 5 );
953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
955 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
956 ( ( buf
[0] & 0x7F ) << 8 ) | buf
[1] ) );
957 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
964 * 0 . 1 message length
968 * 3 . 4 protocol version
970 if( buf
[2] != MBEDTLS_SSL_HS_CLIENT_HELLO
||
971 buf
[3] != MBEDTLS_SSL_MAJOR_VERSION_3
)
973 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
974 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
977 n
= ( ( buf
[0] << 8 ) | buf
[1] ) & 0x7FFF;
979 if( n
< 17 || n
> 512 )
981 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
982 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
985 ssl
->major_ver
= MBEDTLS_SSL_MAJOR_VERSION_3
;
986 ssl
->minor_ver
= ( buf
[4] <= ssl
->conf
->max_minor_ver
)
987 ? buf
[4] : ssl
->conf
->max_minor_ver
;
989 if( ssl
->minor_ver
< ssl
->conf
->min_minor_ver
)
991 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
992 " [%d:%d] < [%d:%d]",
993 ssl
->major_ver
, ssl
->minor_ver
,
994 ssl
->conf
->min_major_ver
, ssl
->conf
->min_minor_ver
) );
996 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
997 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
);
998 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
);
1001 ssl
->handshake
->max_major_ver
= buf
[3];
1002 ssl
->handshake
->max_minor_ver
= buf
[4];
1004 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, 2 + n
) ) != 0 )
1006 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
1010 ssl
->handshake
->update_checksum( ssl
, buf
+ 2, n
);
1013 n
= ssl
->in_left
- 5;
1016 * 0 . 1 ciphersuitelist length
1017 * 2 . 3 session id length
1018 * 4 . 5 challenge length
1019 * 6 . .. ciphersuitelist
1020 * .. . .. session id
1023 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf
, n
);
1025 ciph_len
= ( buf
[0] << 8 ) | buf
[1];
1026 sess_len
= ( buf
[2] << 8 ) | buf
[3];
1027 chal_len
= ( buf
[4] << 8 ) | buf
[5];
1029 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
1030 ciph_len
, sess_len
, chal_len
) );
1033 * Make sure each parameter length is valid
1035 if( ciph_len
< 3 || ( ciph_len
% 3 ) != 0 )
1037 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1038 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1043 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1044 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1047 if( chal_len
< 8 || chal_len
> 32 )
1049 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1050 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1053 if( n
!= 6 + ciph_len
+ sess_len
+ chal_len
)
1055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1056 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1059 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1060 buf
+ 6, ciph_len
);
1061 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
1062 buf
+ 6 + ciph_len
, sess_len
);
1063 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
1064 buf
+ 6 + ciph_len
+ sess_len
, chal_len
);
1066 p
= buf
+ 6 + ciph_len
;
1067 ssl
->session_negotiate
->id_len
= sess_len
;
1068 memset( ssl
->session_negotiate
->id
, 0,
1069 sizeof( ssl
->session_negotiate
->id
) );
1070 memcpy( ssl
->session_negotiate
->id
, p
, ssl
->session_negotiate
->id_len
);
1073 memset( ssl
->handshake
->randbytes
, 0, 64 );
1074 memcpy( ssl
->handshake
->randbytes
+ 32 - chal_len
, p
, chal_len
);
1077 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1079 for( i
= 0, p
= buf
+ 6; i
< ciph_len
; i
+= 3, p
+= 3 )
1081 if( p
[0] == 0 && p
[1] == 0 && p
[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
)
1083 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1084 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1085 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1087 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1088 "during renegotiation" ) );
1090 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1091 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
1092 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1094 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1095 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
1100 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1101 for( i
= 0, p
= buf
+ 6; i
< ciph_len
; i
+= 3, p
+= 3 )
1104 p
[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
>> 8 ) & 0xff ) &&
1105 p
[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
) & 0xff ) )
1107 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
1109 if( ssl
->minor_ver
< ssl
->conf
->max_minor_ver
)
1111 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1113 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1114 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
);
1116 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1122 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1124 got_common_suite
= 0;
1125 ciphersuites
= ssl
->conf
->ciphersuite_list
[ssl
->minor_ver
];
1126 ciphersuite_info
= NULL
;
1127 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1128 for( j
= 0, p
= buf
+ 6; j
< ciph_len
; j
+= 3, p
+= 3 )
1129 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1131 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1132 for( j
= 0, p
= buf
+ 6; j
< ciph_len
; j
+= 3, p
+= 3 )
1136 p
[1] != ( ( ciphersuites
[i
] >> 8 ) & 0xFF ) ||
1137 p
[2] != ( ( ciphersuites
[i
] ) & 0xFF ) )
1140 got_common_suite
= 1;
1142 if( ( ret
= ssl_ciphersuite_match( ssl
, ciphersuites
[i
],
1143 &ciphersuite_info
) ) != 0 )
1146 if( ciphersuite_info
!= NULL
)
1147 goto have_ciphersuite_v2
;
1150 if( got_common_suite
)
1152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1153 "but none of them usable" ) );
1154 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
);
1158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1159 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
1162 have_ciphersuite_v2
:
1163 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info
->name
) );
1165 ssl
->session_negotiate
->ciphersuite
= ciphersuites
[i
];
1166 ssl
->transform_negotiate
->ciphersuite_info
= ciphersuite_info
;
1169 * SSLv2 Client Hello relevant renegotiation security checks
1171 if( ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1172 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
)
1174 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1175 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1176 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
1177 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1183 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1187 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1189 /* This function doesn't alert on errors that happen early during
1190 ClientHello parsing because they might indicate that the client is
1191 not talking SSL/TLS at all and would not understand our alert. */
1192 static int ssl_parse_client_hello( mbedtls_ssl_context
*ssl
)
1194 int ret
, got_common_suite
;
1196 size_t ciph_offset
, comp_offset
, ext_offset
;
1197 size_t msg_len
, ciph_len
, sess_len
, comp_len
, ext_len
;
1198 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1199 size_t cookie_offset
, cookie_len
;
1201 unsigned char *buf
, *p
, *ext
;
1202 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1203 int renegotiation_info_seen
= 0;
1205 int handshake_failure
= 0;
1206 const int *ciphersuites
;
1207 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
1210 /* If there is no signature-algorithm extension present,
1211 * we need to fall back to the default values for allowed
1212 * signature-hash pairs. */
1213 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1214 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1215 int sig_hash_alg_ext_present
= 0;
1216 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1217 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1219 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1221 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1225 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1226 * otherwise read it ourselves manually in order to support SSLv2
1227 * ClientHello, which doesn't use the same record layer format.
1229 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1230 if( ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1233 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, 5 ) ) != 0 )
1235 /* No alert on a read error. */
1236 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
1243 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1244 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1245 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_STREAM
)
1247 if( ( buf
[0] & 0x80 ) != 0 )
1248 return( ssl_parse_client_hello_v2( ssl
) );
1251 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf
, mbedtls_ssl_hdr_len( ssl
) );
1254 * SSLv3/TLS Client Hello
1257 * 0 . 0 message type
1258 * 1 . 2 protocol version
1259 * 3 . 11 DTLS: epoch + record sequence number
1260 * 3 . 4 message length
1262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1265 if( buf
[0] != MBEDTLS_SSL_MSG_HANDSHAKE
)
1267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1268 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1272 ( ssl
->in_len
[0] << 8 ) | ssl
->in_len
[1] ) );
1274 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
1277 mbedtls_ssl_read_version( &major
, &minor
, ssl
->conf
->transport
, buf
+ 1 );
1279 /* According to RFC 5246 Appendix E.1, the version here is typically
1280 * "{03,00}, the lowest version number supported by the client, [or] the
1281 * value of ClientHello.client_version", so the only meaningful check here
1282 * is the major version shouldn't be less than 3 */
1283 if( major
< MBEDTLS_SSL_MAJOR_VERSION_3
)
1285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1286 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1289 /* For DTLS if this is the initial handshake, remember the client sequence
1290 * number to use it in our next message (RFC 6347 4.2.1) */
1291 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1292 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
1293 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1294 && ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
1298 /* Epoch should be 0 for initial handshakes */
1299 if( ssl
->in_ctr
[0] != 0 || ssl
->in_ctr
[1] != 0 )
1301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1302 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1305 memcpy( ssl
->out_ctr
+ 2, ssl
->in_ctr
+ 2, 6 );
1307 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1308 if( mbedtls_ssl_dtls_replay_check( ssl
) != 0 )
1310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1311 ssl
->next_record_offset
= 0;
1313 goto read_record_header
;
1316 /* No MAC to check yet, so we can update right now */
1317 mbedtls_ssl_dtls_replay_update( ssl
);
1320 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1322 msg_len
= ( ssl
->in_len
[0] << 8 ) | ssl
->in_len
[1];
1324 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1325 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1327 /* Set by mbedtls_ssl_read_record() */
1328 msg_len
= ssl
->in_hslen
;
1333 if( msg_len
> MBEDTLS_SSL_MAX_CONTENT_LEN
)
1335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1336 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1339 if( ( ret
= mbedtls_ssl_fetch_input( ssl
,
1340 mbedtls_ssl_hdr_len( ssl
) + msg_len
) ) != 0 )
1342 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
1346 /* Done reading this record, get ready for the next one */
1347 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1348 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1349 ssl
->next_record_offset
= msg_len
+ mbedtls_ssl_hdr_len( ssl
);
1357 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf
, msg_len
);
1359 ssl
->handshake
->update_checksum( ssl
, buf
, msg_len
);
1363 * 0 . 0 handshake type
1364 * 1 . 3 handshake length
1365 * 4 . 5 DTLS only: message seqence number
1366 * 6 . 8 DTLS only: fragment offset
1367 * 9 . 11 DTLS only: fragment length
1369 if( msg_len
< mbedtls_ssl_hs_hdr_len( ssl
) )
1371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1372 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1375 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf
[0] ) );
1377 if( buf
[0] != MBEDTLS_SSL_HS_CLIENT_HELLO
)
1379 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1380 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1383 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1384 ( buf
[1] << 16 ) | ( buf
[2] << 8 ) | buf
[3] ) );
1386 /* We don't support fragmentation of ClientHello (yet?) */
1388 msg_len
!= mbedtls_ssl_hs_hdr_len( ssl
) + ( ( buf
[2] << 8 ) | buf
[3] ) )
1390 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1391 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1394 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1395 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1398 * Copy the client's handshake message_seq on initial handshakes,
1399 * check sequence number on renego.
1401 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1402 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1404 /* This couldn't be done in ssl_prepare_handshake_record() */
1405 unsigned int cli_msg_seq
= ( ssl
->in_msg
[4] << 8 ) |
1408 if( cli_msg_seq
!= ssl
->handshake
->in_msg_seq
)
1410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1411 "%d (expected %d)", cli_msg_seq
,
1412 ssl
->handshake
->in_msg_seq
) );
1413 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1416 ssl
->handshake
->in_msg_seq
++;
1421 unsigned int cli_msg_seq
= ( ssl
->in_msg
[4] << 8 ) |
1423 ssl
->handshake
->out_msg_seq
= cli_msg_seq
;
1424 ssl
->handshake
->in_msg_seq
= cli_msg_seq
+ 1;
1428 * For now we don't support fragmentation, so make sure
1429 * fragment_offset == 0 and fragment_length == length
1431 if( ssl
->in_msg
[6] != 0 || ssl
->in_msg
[7] != 0 || ssl
->in_msg
[8] != 0 ||
1432 memcmp( ssl
->in_msg
+ 1, ssl
->in_msg
+ 9, 3 ) != 0 )
1434 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1435 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
1438 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1440 buf
+= mbedtls_ssl_hs_hdr_len( ssl
);
1441 msg_len
-= mbedtls_ssl_hs_hdr_len( ssl
);
1444 * ClientHello layer:
1445 * 0 . 1 protocol version
1446 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1447 * 34 . 35 session id length (1 byte)
1448 * 35 . 34+x session id
1449 * 35+x . 35+x DTLS only: cookie length (1 byte)
1450 * 36+x . .. DTLS only: cookie
1451 * .. . .. ciphersuite list length (2 bytes)
1452 * .. . .. ciphersuite list
1453 * .. . .. compression alg. list length (1 byte)
1454 * .. . .. compression alg. list
1455 * .. . .. extensions length (2 bytes, optional)
1456 * .. . .. extensions (optional)
1460 * Minimal length (with everything empty and extensions ommitted) is
1461 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1462 * read at least up to session id length without worrying.
1466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1467 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1471 * Check and save the protocol version
1473 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf
, 2 );
1475 mbedtls_ssl_read_version( &ssl
->major_ver
, &ssl
->minor_ver
,
1476 ssl
->conf
->transport
, buf
);
1478 ssl
->handshake
->max_major_ver
= ssl
->major_ver
;
1479 ssl
->handshake
->max_minor_ver
= ssl
->minor_ver
;
1481 if( ssl
->major_ver
< ssl
->conf
->min_major_ver
||
1482 ssl
->minor_ver
< ssl
->conf
->min_minor_ver
)
1484 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1485 " [%d:%d] < [%d:%d]",
1486 ssl
->major_ver
, ssl
->minor_ver
,
1487 ssl
->conf
->min_major_ver
, ssl
->conf
->min_minor_ver
) );
1488 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1489 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
);
1490 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
);
1493 if( ssl
->major_ver
> ssl
->conf
->max_major_ver
)
1495 ssl
->major_ver
= ssl
->conf
->max_major_ver
;
1496 ssl
->minor_ver
= ssl
->conf
->max_minor_ver
;
1498 else if( ssl
->minor_ver
> ssl
->conf
->max_minor_ver
)
1499 ssl
->minor_ver
= ssl
->conf
->max_minor_ver
;
1502 * Save client random (inc. Unix time)
1504 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf
+ 2, 32 );
1506 memcpy( ssl
->handshake
->randbytes
, buf
+ 2, 32 );
1509 * Check the session ID length and save session ID
1513 if( sess_len
> sizeof( ssl
->session_negotiate
->id
) ||
1514 sess_len
+ 34 + 2 > msg_len
) /* 2 for cipherlist length field */
1516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1517 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1518 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1519 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1522 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf
+ 35, sess_len
);
1524 ssl
->session_negotiate
->id_len
= sess_len
;
1525 memset( ssl
->session_negotiate
->id
, 0,
1526 sizeof( ssl
->session_negotiate
->id
) );
1527 memcpy( ssl
->session_negotiate
->id
, buf
+ 35,
1528 ssl
->session_negotiate
->id_len
);
1531 * Check the cookie length and content
1533 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1534 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1536 cookie_offset
= 35 + sess_len
;
1537 cookie_len
= buf
[cookie_offset
];
1539 if( cookie_offset
+ 1 + cookie_len
+ 2 > msg_len
)
1541 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1542 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1543 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
);
1544 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1547 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1548 buf
+ cookie_offset
+ 1, cookie_len
);
1550 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1551 if( ssl
->conf
->f_cookie_check
!= NULL
1552 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1553 && ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
1557 if( ssl
->conf
->f_cookie_check( ssl
->conf
->p_cookie
,
1558 buf
+ cookie_offset
+ 1, cookie_len
,
1559 ssl
->cli_id
, ssl
->cli_id_len
) != 0 )
1561 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1562 ssl
->handshake
->verify_cookie_len
= 1;
1566 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1567 ssl
->handshake
->verify_cookie_len
= 0;
1571 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1573 /* We know we didn't send a cookie, so it should be empty */
1574 if( cookie_len
!= 0 )
1576 /* This may be an attacker's probe, so don't send an alert */
1577 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1578 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1581 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1585 * Check the ciphersuitelist length (will be parsed later)
1587 ciph_offset
= cookie_offset
+ 1 + cookie_len
;
1590 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1591 ciph_offset
= 35 + sess_len
;
1593 ciph_len
= ( buf
[ciph_offset
+ 0] << 8 )
1594 | ( buf
[ciph_offset
+ 1] );
1597 ciph_len
+ 2 + ciph_offset
+ 1 > msg_len
|| /* 1 for comp. alg. len */
1598 ( ciph_len
% 2 ) != 0 )
1600 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1601 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1602 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1603 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1606 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1607 buf
+ ciph_offset
+ 2, ciph_len
);
1610 * Check the compression algorithms length and pick one
1612 comp_offset
= ciph_offset
+ 2 + ciph_len
;
1614 comp_len
= buf
[comp_offset
];
1618 comp_len
+ comp_offset
+ 1 > msg_len
)
1620 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1621 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1622 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1623 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1626 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1627 buf
+ comp_offset
+ 1, comp_len
);
1629 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_NULL
;
1630 #if defined(MBEDTLS_ZLIB_SUPPORT)
1631 for( i
= 0; i
< comp_len
; ++i
)
1633 if( buf
[comp_offset
+ 1 + i
] == MBEDTLS_SSL_COMPRESS_DEFLATE
)
1635 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_DEFLATE
;
1641 /* See comments in ssl_write_client_hello() */
1642 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1643 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1644 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_NULL
;
1647 /* Do not parse the extensions if the protocol is SSLv3 */
1648 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1649 if( ( ssl
->major_ver
!= 3 ) || ( ssl
->minor_ver
!= 0 ) )
1653 * Check the extension length
1655 ext_offset
= comp_offset
+ 1 + comp_len
;
1656 if( msg_len
> ext_offset
)
1658 if( msg_len
< ext_offset
+ 2 )
1660 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1661 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1662 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1663 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1666 ext_len
= ( buf
[ext_offset
+ 0] << 8 )
1667 | ( buf
[ext_offset
+ 1] );
1669 if( ( ext_len
> 0 && ext_len
< 4 ) ||
1670 msg_len
!= ext_offset
+ 2 + ext_len
)
1672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1673 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1674 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1675 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1681 ext
= buf
+ ext_offset
+ 2;
1682 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext
, ext_len
);
1684 while( ext_len
!= 0 )
1686 unsigned int ext_id
;
1687 unsigned int ext_size
;
1688 if ( ext_len
< 4 ) {
1689 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1690 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1691 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1692 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1694 ext_id
= ( ( ext
[0] << 8 ) | ( ext
[1] ) );
1695 ext_size
= ( ( ext
[2] << 8 ) | ( ext
[3] ) );
1697 if( ext_size
+ 4 > ext_len
)
1699 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1700 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1701 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1702 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1706 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1707 case MBEDTLS_TLS_EXT_SERVERNAME
:
1708 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1709 if( ssl
->conf
->f_sni
== NULL
)
1712 ret
= ssl_parse_servername_ext( ssl
, ext
+ 4, ext_size
);
1716 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1718 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
:
1719 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1720 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1721 renegotiation_info_seen
= 1;
1724 ret
= ssl_parse_renegotiation_info( ssl
, ext
+ 4, ext_size
);
1729 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1730 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1731 case MBEDTLS_TLS_EXT_SIG_ALG
:
1732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1734 ret
= ssl_parse_signature_algorithms_ext( ssl
, ext
+ 4, ext_size
);
1738 sig_hash_alg_ext_present
= 1;
1740 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1741 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1743 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1744 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1745 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
:
1746 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1748 ret
= ssl_parse_supported_elliptic_curves( ssl
, ext
+ 4, ext_size
);
1753 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
:
1754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1755 ssl
->handshake
->cli_exts
|= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
;
1757 ret
= ssl_parse_supported_point_formats( ssl
, ext
+ 4, ext_size
);
1761 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1762 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1764 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1765 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP
:
1766 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1768 ret
= ssl_parse_ecjpake_kkpp( ssl
, ext
+ 4, ext_size
);
1772 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1774 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1775 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
:
1776 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1778 ret
= ssl_parse_max_fragment_length_ext( ssl
, ext
+ 4, ext_size
);
1782 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1784 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1785 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC
:
1786 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1788 ret
= ssl_parse_truncated_hmac_ext( ssl
, ext
+ 4, ext_size
);
1792 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1794 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1795 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
:
1796 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1798 ret
= ssl_parse_encrypt_then_mac_ext( ssl
, ext
+ 4, ext_size
);
1802 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1804 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1805 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
:
1806 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1808 ret
= ssl_parse_extended_ms_ext( ssl
, ext
+ 4, ext_size
);
1812 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1814 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1815 case MBEDTLS_TLS_EXT_SESSION_TICKET
:
1816 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1818 ret
= ssl_parse_session_ticket_ext( ssl
, ext
+ 4, ext_size
);
1822 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1824 #if defined(MBEDTLS_SSL_ALPN)
1825 case MBEDTLS_TLS_EXT_ALPN
:
1826 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1828 ret
= ssl_parse_alpn_ext( ssl
, ext
+ 4, ext_size
);
1832 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1839 ext_len
-= 4 + ext_size
;
1840 ext
+= 4 + ext_size
;
1842 if( ext_len
> 0 && ext_len
< 4 )
1844 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1845 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1846 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
);
1847 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1850 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1854 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1855 for( i
= 0, p
= buf
+ ciph_offset
+ 2; i
< ciph_len
; i
+= 2, p
+= 2 )
1857 if( p
[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
>> 8 ) & 0xff ) &&
1858 p
[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
) & 0xff ) )
1860 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
1862 if( ssl
->minor_ver
< ssl
->conf
->max_minor_ver
)
1864 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1866 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1867 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
);
1869 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1875 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1877 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1878 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1881 * Try to fall back to default hash SHA1 if the client
1882 * hasn't provided any preferred signature-hash combinations.
1884 if( sig_hash_alg_ext_present
== 0 )
1886 mbedtls_md_type_t md_default
= MBEDTLS_MD_SHA1
;
1888 if( mbedtls_ssl_check_sig_hash( ssl
, md_default
) != 0 )
1889 md_default
= MBEDTLS_MD_NONE
;
1891 mbedtls_ssl_sig_hash_set_const_hash( &ssl
->handshake
->hash_algs
, md_default
);
1894 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1895 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1898 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1900 for( i
= 0, p
= buf
+ ciph_offset
+ 2; i
< ciph_len
; i
+= 2, p
+= 2 )
1902 if( p
[0] == 0 && p
[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
)
1904 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1905 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1906 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1909 "during renegotiation" ) );
1910 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1911 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
1912 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1915 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
1921 * Renegotiation security checks
1923 if( ssl
->secure_renegotiation
!= MBEDTLS_SSL_SECURE_RENEGOTIATION
&&
1924 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
)
1926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1927 handshake_failure
= 1;
1929 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1930 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1931 ssl
->secure_renegotiation
== MBEDTLS_SSL_SECURE_RENEGOTIATION
&&
1932 renegotiation_info_seen
== 0 )
1934 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1935 handshake_failure
= 1;
1937 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1938 ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1939 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
)
1941 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1942 handshake_failure
= 1;
1944 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1945 ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1946 renegotiation_info_seen
== 1 )
1948 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1949 handshake_failure
= 1;
1951 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1953 if( handshake_failure
== 1 )
1955 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1956 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
1957 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1961 * Search for a matching ciphersuite
1962 * (At the end because we need information from the EC-based extensions
1963 * and certificate from the SNI callback triggered by the SNI extension.)
1965 got_common_suite
= 0;
1966 ciphersuites
= ssl
->conf
->ciphersuite_list
[ssl
->minor_ver
];
1967 ciphersuite_info
= NULL
;
1968 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1969 for( j
= 0, p
= buf
+ ciph_offset
+ 2; j
< ciph_len
; j
+= 2, p
+= 2 )
1970 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1972 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1973 for( j
= 0, p
= buf
+ ciph_offset
+ 2; j
< ciph_len
; j
+= 2, p
+= 2 )
1976 if( p
[0] != ( ( ciphersuites
[i
] >> 8 ) & 0xFF ) ||
1977 p
[1] != ( ( ciphersuites
[i
] ) & 0xFF ) )
1980 got_common_suite
= 1;
1982 if( ( ret
= ssl_ciphersuite_match( ssl
, ciphersuites
[i
],
1983 &ciphersuite_info
) ) != 0 )
1986 if( ciphersuite_info
!= NULL
)
1987 goto have_ciphersuite
;
1990 if( got_common_suite
)
1992 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1993 "but none of them usable" ) );
1994 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1995 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
1996 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
);
2000 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
2001 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
2002 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
);
2003 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
2007 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info
->name
) );
2009 ssl
->session_negotiate
->ciphersuite
= ciphersuites
[i
];
2010 ssl
->transform_negotiate
->ciphersuite_info
= ciphersuite_info
;
2014 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2015 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
2016 mbedtls_ssl_recv_flight_completed( ssl
);
2019 /* Debugging-only output for testsuite */
2020 #if defined(MBEDTLS_DEBUG_C) && \
2021 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2022 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
2023 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2025 mbedtls_pk_type_t sig_alg
= mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info
);
2026 if( sig_alg
!= MBEDTLS_PK_NONE
)
2028 mbedtls_md_type_t md_alg
= mbedtls_ssl_sig_hash_set_find( &ssl
->handshake
->hash_algs
,
2030 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
2031 mbedtls_ssl_hash_from_md_alg( md_alg
) ) );
2035 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
2036 "%d - should not happen", sig_alg
) );
2041 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
2046 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2047 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context
*ssl
,
2051 unsigned char *p
= buf
;
2053 if( ssl
->session_negotiate
->trunc_hmac
== MBEDTLS_SSL_TRUNC_HMAC_DISABLED
)
2059 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
2061 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC
>> 8 ) & 0xFF );
2062 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC
) & 0xFF );
2069 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2071 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2072 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context
*ssl
,
2076 unsigned char *p
= buf
;
2077 const mbedtls_ssl_ciphersuite_t
*suite
= NULL
;
2078 const mbedtls_cipher_info_t
*cipher
= NULL
;
2080 if( ssl
->session_negotiate
->encrypt_then_mac
== MBEDTLS_SSL_ETM_DISABLED
||
2081 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
2088 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
2089 * from a client and then selects a stream or Authenticated Encryption
2090 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
2091 * encrypt-then-MAC response extension back to the client."
2093 if( ( suite
= mbedtls_ssl_ciphersuite_from_id(
2094 ssl
->session_negotiate
->ciphersuite
) ) == NULL
||
2095 ( cipher
= mbedtls_cipher_info_from_type( suite
->cipher
) ) == NULL
||
2096 cipher
->mode
!= MBEDTLS_MODE_CBC
)
2102 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
2104 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
>> 8 ) & 0xFF );
2105 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
) & 0xFF );
2112 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2114 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2115 static void ssl_write_extended_ms_ext( mbedtls_ssl_context
*ssl
,
2119 unsigned char *p
= buf
;
2121 if( ssl
->handshake
->extended_ms
== MBEDTLS_SSL_EXTENDED_MS_DISABLED
||
2122 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
2128 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
2131 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
>> 8 ) & 0xFF );
2132 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
) & 0xFF );
2139 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2141 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2142 static void ssl_write_session_ticket_ext( mbedtls_ssl_context
*ssl
,
2146 unsigned char *p
= buf
;
2148 if( ssl
->handshake
->new_session_ticket
== 0 )
2154 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
2156 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET
>> 8 ) & 0xFF );
2157 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET
) & 0xFF );
2164 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2166 static void ssl_write_renegotiation_ext( mbedtls_ssl_context
*ssl
,
2170 unsigned char *p
= buf
;
2172 if( ssl
->secure_renegotiation
!= MBEDTLS_SSL_SECURE_RENEGOTIATION
)
2178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
2180 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
>> 8 ) & 0xFF );
2181 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
) & 0xFF );
2183 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2184 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
2187 *p
++ = ( ssl
->verify_data_len
* 2 + 1 ) & 0xFF;
2188 *p
++ = ssl
->verify_data_len
* 2 & 0xFF;
2190 memcpy( p
, ssl
->peer_verify_data
, ssl
->verify_data_len
);
2191 p
+= ssl
->verify_data_len
;
2192 memcpy( p
, ssl
->own_verify_data
, ssl
->verify_data_len
);
2193 p
+= ssl
->verify_data_len
;
2196 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2206 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2207 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context
*ssl
,
2211 unsigned char *p
= buf
;
2213 if( ssl
->session_negotiate
->mfl_code
== MBEDTLS_SSL_MAX_FRAG_LEN_NONE
)
2219 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2221 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
>> 8 ) & 0xFF );
2222 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
) & 0xFF );
2227 *p
++ = ssl
->session_negotiate
->mfl_code
;
2231 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2233 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2234 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2235 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context
*ssl
,
2239 unsigned char *p
= buf
;
2242 if( ( ssl
->handshake
->cli_exts
&
2243 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
) == 0 )
2249 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2251 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
>> 8 ) & 0xFF );
2252 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
) & 0xFF );
2258 *p
++ = MBEDTLS_ECP_PF_UNCOMPRESSED
;
2262 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2264 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2265 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context
*ssl
,
2270 unsigned char *p
= buf
;
2271 const unsigned char *end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2276 /* Skip costly computation if not needed */
2277 if( ssl
->transform_negotiate
->ciphersuite_info
->key_exchange
!=
2278 MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2281 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2289 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP
>> 8 ) & 0xFF );
2290 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP
) & 0xFF );
2292 ret
= mbedtls_ecjpake_write_round_one( &ssl
->handshake
->ecjpake_ctx
,
2293 p
+ 2, end
- p
- 2, &kkpp_len
,
2294 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
2297 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret
);
2301 *p
++ = (unsigned char)( ( kkpp_len
>> 8 ) & 0xFF );
2302 *p
++ = (unsigned char)( ( kkpp_len
) & 0xFF );
2304 *olen
= kkpp_len
+ 4;
2306 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2308 #if defined(MBEDTLS_SSL_ALPN )
2309 static void ssl_write_alpn_ext( mbedtls_ssl_context
*ssl
,
2310 unsigned char *buf
, size_t *olen
)
2312 if( ssl
->alpn_chosen
== NULL
)
2318 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2321 * 0 . 1 ext identifier
2323 * 4 . 5 protocol list length
2324 * 6 . 6 protocol name length
2325 * 7 . 7+n protocol name
2327 buf
[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN
>> 8 ) & 0xFF );
2328 buf
[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN
) & 0xFF );
2330 *olen
= 7 + strlen( ssl
->alpn_chosen
);
2332 buf
[2] = (unsigned char)( ( ( *olen
- 4 ) >> 8 ) & 0xFF );
2333 buf
[3] = (unsigned char)( ( ( *olen
- 4 ) ) & 0xFF );
2335 buf
[4] = (unsigned char)( ( ( *olen
- 6 ) >> 8 ) & 0xFF );
2336 buf
[5] = (unsigned char)( ( ( *olen
- 6 ) ) & 0xFF );
2338 buf
[6] = (unsigned char)( ( ( *olen
- 7 ) ) & 0xFF );
2340 memcpy( buf
+ 7, ssl
->alpn_chosen
, *olen
- 7 );
2342 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2344 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2345 static int ssl_write_hello_verify_request( mbedtls_ssl_context
*ssl
)
2348 unsigned char *p
= ssl
->out_msg
+ 4;
2349 unsigned char *cookie_len_byte
;
2351 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2355 * ProtocolVersion server_version;
2356 * opaque cookie<0..2^8-1>;
2357 * } HelloVerifyRequest;
2360 /* The RFC is not clear on this point, but sending the actual negotiated
2361 * version looks like the most interoperable thing to do. */
2362 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
2363 ssl
->conf
->transport
, p
);
2364 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p
, 2 );
2367 /* If we get here, f_cookie_check is not null */
2368 if( ssl
->conf
->f_cookie_write
== NULL
)
2370 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2371 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2374 /* Skip length byte until we know the length */
2375 cookie_len_byte
= p
++;
2377 if( ( ret
= ssl
->conf
->f_cookie_write( ssl
->conf
->p_cookie
,
2378 &p
, ssl
->out_buf
+ MBEDTLS_SSL_BUFFER_LEN
,
2379 ssl
->cli_id
, ssl
->cli_id_len
) ) != 0 )
2381 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret
);
2385 *cookie_len_byte
= (unsigned char)( p
- ( cookie_len_byte
+ 1 ) );
2387 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte
+ 1, *cookie_len_byte
);
2389 ssl
->out_msglen
= p
- ssl
->out_msg
;
2390 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2391 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
;
2393 ssl
->state
= MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
;
2395 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
2397 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
2401 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2405 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2407 static int ssl_write_server_hello( mbedtls_ssl_context
*ssl
)
2409 #if defined(MBEDTLS_HAVE_TIME)
2413 size_t olen
, ext_len
= 0, n
;
2414 unsigned char *buf
, *p
;
2416 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2418 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2419 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
2420 ssl
->handshake
->verify_cookie_len
!= 0 )
2422 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2423 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2425 return( ssl_write_hello_verify_request( ssl
) );
2427 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2429 if( ssl
->conf
->f_rng
== NULL
)
2431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2432 return( MBEDTLS_ERR_SSL_NO_RNG
);
2436 * 0 . 0 handshake type
2437 * 1 . 3 handshake length
2438 * 4 . 5 protocol version
2440 * 10 . 37 random bytes
2445 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
2446 ssl
->conf
->transport
, p
);
2449 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2452 #if defined(MBEDTLS_HAVE_TIME)
2453 t
= mbedtls_time( NULL
);
2454 *p
++ = (unsigned char)( t
>> 24 );
2455 *p
++ = (unsigned char)( t
>> 16 );
2456 *p
++ = (unsigned char)( t
>> 8 );
2457 *p
++ = (unsigned char)( t
);
2459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t
) );
2461 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, p
, 4 ) ) != 0 )
2465 #endif /* MBEDTLS_HAVE_TIME */
2467 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, p
, 28 ) ) != 0 )
2472 memcpy( ssl
->handshake
->randbytes
+ 32, buf
+ 6, 32 );
2474 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf
+ 6, 32 );
2477 * Resume is 0 by default, see ssl_handshake_init().
2478 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2479 * If not, try looking up session ID in our cache.
2481 if( ssl
->handshake
->resume
== 0 &&
2482 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2483 ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
&&
2485 ssl
->session_negotiate
->id_len
!= 0 &&
2486 ssl
->conf
->f_get_cache
!= NULL
&&
2487 ssl
->conf
->f_get_cache( ssl
->conf
->p_cache
, ssl
->session_negotiate
) == 0 )
2489 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2490 ssl
->handshake
->resume
= 1;
2493 if( ssl
->handshake
->resume
== 0 )
2496 * New session, create a new session id,
2497 * unless we're about to issue a session ticket
2501 #if defined(MBEDTLS_HAVE_TIME)
2502 ssl
->session_negotiate
->start
= mbedtls_time( NULL
);
2505 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2506 if( ssl
->handshake
->new_session_ticket
!= 0 )
2508 ssl
->session_negotiate
->id_len
= n
= 0;
2509 memset( ssl
->session_negotiate
->id
, 0, 32 );
2512 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2514 ssl
->session_negotiate
->id_len
= n
= 32;
2515 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, ssl
->session_negotiate
->id
,
2523 * Resuming a session
2525 n
= ssl
->session_negotiate
->id_len
;
2526 ssl
->state
= MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
;
2528 if( ( ret
= mbedtls_ssl_derive_keys( ssl
) ) != 0 )
2530 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret
);
2536 * 38 . 38 session id length
2537 * 39 . 38+n session id
2538 * 39+n . 40+n chosen ciphersuite
2539 * 41+n . 41+n chosen compression alg.
2540 * 42+n . 43+n extensions length
2541 * 44+n . 43+n+m extensions
2543 *p
++ = (unsigned char) ssl
->session_negotiate
->id_len
;
2544 memcpy( p
, ssl
->session_negotiate
->id
, ssl
->session_negotiate
->id_len
);
2545 p
+= ssl
->session_negotiate
->id_len
;
2547 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n
) );
2548 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf
+ 39, n
);
2549 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2550 ssl
->handshake
->resume
? "a" : "no" ) );
2552 *p
++ = (unsigned char)( ssl
->session_negotiate
->ciphersuite
>> 8 );
2553 *p
++ = (unsigned char)( ssl
->session_negotiate
->ciphersuite
);
2554 *p
++ = (unsigned char)( ssl
->session_negotiate
->compression
);
2556 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2557 mbedtls_ssl_get_ciphersuite_name( ssl
->session_negotiate
->ciphersuite
) ) );
2558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2559 ssl
->session_negotiate
->compression
) );
2561 /* Do not write the extensions if the protocol is SSLv3 */
2562 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2563 if( ( ssl
->major_ver
!= 3 ) || ( ssl
->minor_ver
!= 0 ) )
2568 * First write extensions, then the total length
2570 ssl_write_renegotiation_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2573 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2574 ssl_write_max_fragment_length_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2578 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2579 ssl_write_truncated_hmac_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2583 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2584 ssl_write_encrypt_then_mac_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2588 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2589 ssl_write_extended_ms_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2593 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2594 ssl_write_session_ticket_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2598 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2599 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2600 if ( mbedtls_ssl_ciphersuite_uses_ec(
2601 mbedtls_ssl_ciphersuite_from_id( ssl
->session_negotiate
->ciphersuite
) ) )
2603 ssl_write_supported_point_formats_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2608 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2609 ssl_write_ecjpake_kkpp_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2613 #if defined(MBEDTLS_SSL_ALPN)
2614 ssl_write_alpn_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2618 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len
) );
2622 *p
++ = (unsigned char)( ( ext_len
>> 8 ) & 0xFF );
2623 *p
++ = (unsigned char)( ( ext_len
) & 0xFF );
2627 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2631 ssl
->out_msglen
= p
- buf
;
2632 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2633 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_HELLO
;
2635 ret
= mbedtls_ssl_write_record( ssl
);
2637 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2642 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2643 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2644 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2645 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2646 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
2647 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2648 static int ssl_write_certificate_request( mbedtls_ssl_context
*ssl
)
2650 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
=
2651 ssl
->transform_negotiate
->ciphersuite_info
;
2653 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2655 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2656 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
2657 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2658 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
2659 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2661 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2667 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2670 static int ssl_write_certificate_request( mbedtls_ssl_context
*ssl
)
2672 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
2673 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
=
2674 ssl
->transform_negotiate
->ciphersuite_info
;
2675 size_t dn_size
, total_dn_size
; /* excluding length bytes */
2676 size_t ct_len
, sa_len
; /* including length bytes */
2677 unsigned char *buf
, *p
;
2678 const unsigned char * const end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2679 const mbedtls_x509_crt
*crt
;
2682 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2686 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2687 if( ssl
->handshake
->sni_authmode
!= MBEDTLS_SSL_VERIFY_UNSET
)
2688 authmode
= ssl
->handshake
->sni_authmode
;
2691 authmode
= ssl
->conf
->authmode
;
2693 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2694 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
2695 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2696 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
2697 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
||
2698 authmode
== MBEDTLS_SSL_VERIFY_NONE
)
2700 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2705 * 0 . 0 handshake type
2706 * 1 . 3 handshake length
2707 * 4 . 4 cert type count
2708 * 5 .. m-1 cert types
2709 * m .. m+1 sig alg length (TLS 1.2 only)
2710 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2711 * n .. n+1 length of all DNs
2712 * n+2 .. n+3 length of DN 1
2713 * n+4 .. ... Distinguished Name #1
2714 * ... .. ... length of DN 2, etc.
2720 * Supported certificate types
2722 * ClientCertificateType certificate_types<1..2^8-1>;
2723 * enum { (255) } ClientCertificateType;
2727 #if defined(MBEDTLS_RSA_C)
2728 p
[1 + ct_len
++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
;
2730 #if defined(MBEDTLS_ECDSA_C)
2731 p
[1 + ct_len
++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
;
2734 p
[0] = (unsigned char) ct_len
++;
2738 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2740 * Add signature_algorithms for verify (TLS 1.2)
2742 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2745 * HashAlgorithm hash;
2746 * SignatureAlgorithm signature;
2747 * } SignatureAndHashAlgorithm;
2749 * enum { (255) } HashAlgorithm;
2750 * enum { (255) } SignatureAlgorithm;
2752 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2757 * Supported signature algorithms
2759 for( cur
= ssl
->conf
->sig_hashes
; *cur
!= MBEDTLS_MD_NONE
; cur
++ )
2761 unsigned char hash
= mbedtls_ssl_hash_from_md_alg( *cur
);
2763 if( MBEDTLS_SSL_HASH_NONE
== hash
|| mbedtls_ssl_set_calc_verify_md( ssl
, hash
) )
2766 #if defined(MBEDTLS_RSA_C)
2767 p
[2 + sa_len
++] = hash
;
2768 p
[2 + sa_len
++] = MBEDTLS_SSL_SIG_RSA
;
2770 #if defined(MBEDTLS_ECDSA_C)
2771 p
[2 + sa_len
++] = hash
;
2772 p
[2 + sa_len
++] = MBEDTLS_SSL_SIG_ECDSA
;
2776 p
[0] = (unsigned char)( sa_len
>> 8 );
2777 p
[1] = (unsigned char)( sa_len
);
2781 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2784 * DistinguishedName certificate_authorities<0..2^16-1>;
2785 * opaque DistinguishedName<1..2^16-1>;
2791 if( ssl
->conf
->cert_req_ca_list
== MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
)
2793 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2794 if( ssl
->handshake
->sni_ca_chain
!= NULL
)
2795 crt
= ssl
->handshake
->sni_ca_chain
;
2798 crt
= ssl
->conf
->ca_chain
;
2800 while( crt
!= NULL
&& crt
->version
!= 0 )
2802 dn_size
= crt
->subject_raw
.len
;
2805 (size_t)( end
- p
) < dn_size
||
2806 (size_t)( end
- p
) < 2 + dn_size
)
2808 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2812 *p
++ = (unsigned char)( dn_size
>> 8 );
2813 *p
++ = (unsigned char)( dn_size
);
2814 memcpy( p
, crt
->subject_raw
.p
, dn_size
);
2817 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p
- dn_size
, dn_size
);
2819 total_dn_size
+= 2 + dn_size
;
2824 ssl
->out_msglen
= p
- buf
;
2825 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2826 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
;
2827 ssl
->out_msg
[4 + ct_len
+ sa_len
] = (unsigned char)( total_dn_size
>> 8 );
2828 ssl
->out_msg
[5 + ct_len
+ sa_len
] = (unsigned char)( total_dn_size
);
2830 ret
= mbedtls_ssl_write_record( ssl
);
2832 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2836 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2837 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2838 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
2839 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2840 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
2841 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2843 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2844 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2845 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context
*ssl
)
2849 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl
), MBEDTLS_PK_ECKEY
) )
2851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2852 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
);
2855 if( ( ret
= mbedtls_ecdh_get_params( &ssl
->handshake
->ecdh_ctx
,
2856 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl
) ),
2857 MBEDTLS_ECDH_OURS
) ) != 0 )
2859 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret
);
2865 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2866 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2868 static int ssl_write_server_key_exchange( mbedtls_ssl_context
*ssl
)
2872 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
=
2873 ssl
->transform_negotiate
->ciphersuite_info
;
2875 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
2876 unsigned char *p
= ssl
->out_msg
+ 4;
2878 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2879 unsigned char *dig_signed
= p
;
2880 size_t dig_signed_len
= 0;
2881 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2882 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
2884 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2888 * Part 1: Extract static ECDH parameters and abort
2889 * if ServerKeyExchange not needed.
2893 /* For suites involving ECDH, extract DH parameters
2894 * from certificate at this point. */
2895 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
2896 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info
) )
2898 ssl_get_ecdh_params_from_cert( ssl
);
2900 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
2902 /* Key exchanges not involving ephemeral keys don't use
2903 * ServerKeyExchange, so end here. */
2904 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
2905 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info
) )
2907 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2911 #endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */
2915 * Part 2: Provide key exchange parameters for chosen ciphersuite.
2920 * - ECJPAKE key exchanges
2922 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2923 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2925 const unsigned char *end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2927 ret
= mbedtls_ecjpake_write_round_two( &ssl
->handshake
->ecjpake_ctx
,
2928 p
, end
- p
, &len
, ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
2931 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret
);
2938 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2941 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2942 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2943 * we use empty support identity hints here.
2945 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2946 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2947 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2948 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
2955 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2956 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2959 * - DHE key exchanges
2961 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
2962 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info
) )
2964 if( ssl
->conf
->dhm_P
.p
== NULL
|| ssl
->conf
->dhm_G
.p
== NULL
)
2966 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
2967 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
2971 * Ephemeral DH parameters:
2974 * opaque dh_p<1..2^16-1>;
2975 * opaque dh_g<1..2^16-1>;
2976 * opaque dh_Ys<1..2^16-1>;
2979 if( ( ret
= mbedtls_dhm_set_group( &ssl
->handshake
->dhm_ctx
,
2981 &ssl
->conf
->dhm_G
) ) != 0 )
2983 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret
);
2987 if( ( ret
= mbedtls_dhm_make_params( &ssl
->handshake
->dhm_ctx
,
2988 (int) mbedtls_mpi_size( &ssl
->handshake
->dhm_ctx
.P
),
2989 p
, &len
, ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
2991 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret
);
2995 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2997 dig_signed_len
= len
;
3003 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl
->handshake
->dhm_ctx
.X
);
3004 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl
->handshake
->dhm_ctx
.P
);
3005 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl
->handshake
->dhm_ctx
.G
);
3006 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl
->handshake
->dhm_ctx
.GX
);
3008 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
3011 * - ECDHE key exchanges
3013 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
3014 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info
) )
3017 * Ephemeral ECDH parameters:
3020 * ECParameters curve_params;
3022 * } ServerECDHParams;
3024 const mbedtls_ecp_curve_info
**curve
= NULL
;
3025 const mbedtls_ecp_group_id
*gid
;
3027 /* Match our preference list against the offered curves */
3028 for( gid
= ssl
->conf
->curve_list
; *gid
!= MBEDTLS_ECP_DP_NONE
; gid
++ )
3029 for( curve
= ssl
->handshake
->curves
; *curve
!= NULL
; curve
++ )
3030 if( (*curve
)->grp_id
== *gid
)
3031 goto curve_matching_done
;
3033 curve_matching_done
:
3034 if( curve
== NULL
|| *curve
== NULL
)
3036 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
3037 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
3040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve
)->name
) );
3042 if( ( ret
= mbedtls_ecp_group_load( &ssl
->handshake
->ecdh_ctx
.grp
,
3043 (*curve
)->grp_id
) ) != 0 )
3045 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret
);
3049 if( ( ret
= mbedtls_ecdh_make_params( &ssl
->handshake
->ecdh_ctx
, &len
,
3050 p
, MBEDTLS_SSL_MAX_CONTENT_LEN
- n
,
3051 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3053 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret
);
3057 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3059 dig_signed_len
= len
;
3065 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl
->handshake
->ecdh_ctx
.Q
);
3067 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
3071 * Part 3: For key exchanges involving the server signing the
3072 * exchange parameters, compute and add the signature here.
3075 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3076 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info
) )
3078 size_t signature_len
= 0;
3079 unsigned int hashlen
= 0;
3080 unsigned char hash
[64];
3083 * 3.1: Choose hash algorithm:
3084 * A: For TLS 1.2, obey signature-hash-algorithm extension
3085 * to choose appropriate hash.
3086 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
3087 * (RFC 4492, Sec. 5.4)
3088 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
3091 mbedtls_md_type_t md_alg
;
3093 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3094 mbedtls_pk_type_t sig_alg
=
3095 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info
);
3096 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
3098 /* A: For TLS 1.2, obey signature-hash-algorithm extension
3099 * (RFC 5246, Sec. 7.4.1.4.1). */
3100 if( sig_alg
== MBEDTLS_PK_NONE
||
3101 ( md_alg
= mbedtls_ssl_sig_hash_set_find( &ssl
->handshake
->hash_algs
,
3102 sig_alg
) ) == MBEDTLS_MD_NONE
)
3104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3105 /* (... because we choose a cipher suite
3106 * only if there is a matching hash.) */
3107 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3111 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3112 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3113 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3114 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
)
3116 /* B: Default hash SHA1 */
3117 md_alg
= MBEDTLS_MD_SHA1
;
3120 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3121 MBEDTLS_SSL_PROTO_TLS1_1 */
3124 md_alg
= MBEDTLS_MD_NONE
;
3127 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg
) );
3130 * 3.2: Compute the hash to be signed
3132 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3133 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3134 if( md_alg
== MBEDTLS_MD_NONE
)
3137 ret
= mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl
, hash
,
3144 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3145 MBEDTLS_SSL_PROTO_TLS1_1 */
3146 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3147 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3148 if( md_alg
!= MBEDTLS_MD_NONE
)
3150 /* Info from md_alg will be used instead */
3152 ret
= mbedtls_ssl_get_key_exchange_md_tls1_2( ssl
, hash
,
3160 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3161 MBEDTLS_SSL_PROTO_TLS1_2 */
3163 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3164 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3167 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash
, hashlen
!= 0 ? hashlen
:
3168 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg
) ) ) );
3171 * 3.3: Compute and add the signature
3173 if( mbedtls_ssl_own_key( ssl
) == NULL
)
3175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
3176 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
3179 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3180 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
3183 * For TLS 1.2, we need to specify signature and hash algorithm
3184 * explicitly through a prefix to the signature.
3187 * HashAlgorithm hash;
3188 * SignatureAlgorithm signature;
3189 * } SignatureAndHashAlgorithm;
3192 * SignatureAndHashAlgorithm algorithm;
3193 * opaque signature<0..2^16-1>;
3194 * } DigitallySigned;
3198 *(p
++) = mbedtls_ssl_hash_from_md_alg( md_alg
);
3199 *(p
++) = mbedtls_ssl_sig_from_pk_alg( sig_alg
);
3203 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3205 if( ( ret
= mbedtls_pk_sign( mbedtls_ssl_own_key( ssl
), md_alg
, hash
, hashlen
,
3206 p
+ 2 , &signature_len
, ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3208 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret
);
3212 *(p
++) = (unsigned char)( signature_len
>> 8 );
3213 *(p
++) = (unsigned char)( signature_len
);
3216 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p
, signature_len
);
3220 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3222 /* Done with actual work; add header and send. */
3224 ssl
->out_msglen
= 4 + n
;
3225 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3226 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
;
3230 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3232 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3236 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3241 static int ssl_write_server_hello_done( mbedtls_ssl_context
*ssl
)
3245 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3247 ssl
->out_msglen
= 4;
3248 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3249 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE
;
3253 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3254 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3255 mbedtls_ssl_send_flight_completed( ssl
);
3258 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3260 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3269 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3270 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3271 static int ssl_parse_client_dh_public( mbedtls_ssl_context
*ssl
, unsigned char **p
,
3272 const unsigned char *end
)
3274 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
3278 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3282 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3283 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3286 n
= ( (*p
)[0] << 8 ) | (*p
)[1];
3291 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3292 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3295 if( ( ret
= mbedtls_dhm_read_public( &ssl
->handshake
->dhm_ctx
, *p
, n
) ) != 0 )
3297 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret
);
3298 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3303 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl
->handshake
->dhm_ctx
.GY
);
3307 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3308 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3310 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3311 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3312 static int ssl_parse_encrypted_pms( mbedtls_ssl_context
*ssl
,
3313 const unsigned char *p
,
3314 const unsigned char *end
,
3318 size_t len
= mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl
) );
3319 unsigned char *pms
= ssl
->handshake
->premaster
+ pms_offset
;
3320 unsigned char ver
[2];
3321 unsigned char fake_pms
[48], peer_pms
[48];
3323 size_t i
, peer_pmslen
;
3326 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl
), MBEDTLS_PK_RSA
) )
3328 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3329 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
3333 * Decrypt the premaster using own private RSA key
3335 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3336 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3337 if( ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
3339 if ( p
+ 2 > end
) {
3340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3341 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3343 if( *p
++ != ( ( len
>> 8 ) & 0xFF ) ||
3344 *p
++ != ( ( len
) & 0xFF ) )
3346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3347 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3352 if( p
+ len
!= end
)
3354 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3355 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3358 mbedtls_ssl_write_version( ssl
->handshake
->max_major_ver
,
3359 ssl
->handshake
->max_minor_ver
,
3360 ssl
->conf
->transport
, ver
);
3363 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3364 * must not cause the connection to end immediately; instead, send a
3365 * bad_record_mac later in the handshake.
3366 * Also, avoid data-dependant branches here to protect against
3367 * timing-based variants.
3369 ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, fake_pms
, sizeof( fake_pms
) );
3373 ret
= mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl
), p
, len
,
3374 peer_pms
, &peer_pmslen
,
3376 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
3378 diff
= (unsigned int) ret
;
3379 diff
|= peer_pmslen
^ 48;
3380 diff
|= peer_pms
[0] ^ ver
[0];
3381 diff
|= peer_pms
[1] ^ ver
[1];
3383 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3385 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3388 if( sizeof( ssl
->handshake
->premaster
) < pms_offset
||
3389 sizeof( ssl
->handshake
->premaster
) - pms_offset
< 48 )
3391 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3392 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3394 ssl
->handshake
->pmslen
= 48;
3396 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3397 /* MSVC has a warning about unary minus on unsigned, but this is
3398 * well-defined and precisely what we want to do here */
3399 #if defined(_MSC_VER)
3400 #pragma warning( push )
3401 #pragma warning( disable : 4146 )
3403 mask
= - ( ( diff
| - diff
) >> ( sizeof( unsigned int ) * 8 - 1 ) );
3404 #if defined(_MSC_VER)
3405 #pragma warning( pop )
3408 for( i
= 0; i
< ssl
->handshake
->pmslen
; i
++ )
3409 pms
[i
] = ( mask
& fake_pms
[i
] ) | ( (~mask
) & peer_pms
[i
] );
3413 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3414 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3416 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3417 static int ssl_parse_client_psk_identity( mbedtls_ssl_context
*ssl
, unsigned char **p
,
3418 const unsigned char *end
)
3423 if( ssl
->conf
->f_psk
== NULL
&&
3424 ( ssl
->conf
->psk
== NULL
|| ssl
->conf
->psk_identity
== NULL
||
3425 ssl
->conf
->psk_identity_len
== 0 || ssl
->conf
->psk_len
== 0 ) )
3427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3428 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
3432 * Receive client pre-shared key identity name
3436 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3437 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3440 n
= ( (*p
)[0] << 8 ) | (*p
)[1];
3443 if( n
< 1 || n
> 65535 || n
> (size_t) ( end
- *p
) )
3445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3446 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3449 if( ssl
->conf
->f_psk
!= NULL
)
3451 if( ssl
->conf
->f_psk( ssl
->conf
->p_psk
, ssl
, *p
, n
) != 0 )
3452 ret
= MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
;
3456 /* Identity is not a big secret since clients send it in the clear,
3457 * but treat it carefully anyway, just in case */
3458 if( n
!= ssl
->conf
->psk_identity_len
||
3459 mbedtls_ssl_safer_memcmp( ssl
->conf
->psk_identity
, *p
, n
) != 0 )
3461 ret
= MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
;
3465 if( ret
== MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
)
3467 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p
, n
);
3468 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
3469 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
);
3470 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
);
3477 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3479 static int ssl_parse_client_key_exchange( mbedtls_ssl_context
*ssl
)
3482 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
3483 unsigned char *p
, *end
;
3485 ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
3487 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3489 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
3491 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
3495 p
= ssl
->in_msg
+ mbedtls_ssl_hs_hdr_len( ssl
);
3496 end
= ssl
->in_msg
+ ssl
->in_hslen
;
3498 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
)
3500 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3501 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3504 if( ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
)
3506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3507 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3510 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3511 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_RSA
)
3513 if( ( ret
= ssl_parse_client_dh_public( ssl
, &p
, end
) ) != 0 )
3515 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret
);
3521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3522 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3525 if( ( ret
= mbedtls_dhm_calc_secret( &ssl
->handshake
->dhm_ctx
,
3526 ssl
->handshake
->premaster
,
3527 MBEDTLS_PREMASTER_SIZE
,
3528 &ssl
->handshake
->pmslen
,
3529 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3531 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret
);
3532 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
);
3535 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl
->handshake
->dhm_ctx
.K
);
3538 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3539 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3540 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3541 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3542 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3543 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
||
3544 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
||
3545 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA
||
3546 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
)
3548 if( ( ret
= mbedtls_ecdh_read_public( &ssl
->handshake
->ecdh_ctx
,
3549 p
, end
- p
) ) != 0 )
3551 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret
);
3552 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3555 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl
->handshake
->ecdh_ctx
.Qp
);
3557 if( ( ret
= mbedtls_ecdh_calc_secret( &ssl
->handshake
->ecdh_ctx
,
3558 &ssl
->handshake
->pmslen
,
3559 ssl
->handshake
->premaster
,
3560 MBEDTLS_MPI_MAX_SIZE
,
3561 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3563 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret
);
3564 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
);
3567 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl
->handshake
->ecdh_ctx
.z
);
3570 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3571 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3572 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3573 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3574 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3575 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
)
3577 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3579 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3586 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3589 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3590 ciphersuite_info
->key_exchange
) ) != 0 )
3592 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3597 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3598 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3599 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
)
3601 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3603 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3607 if( ( ret
= ssl_parse_encrypted_pms( ssl
, p
, end
, 2 ) ) != 0 )
3609 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret
);
3613 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3614 ciphersuite_info
->key_exchange
) ) != 0 )
3616 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3621 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3622 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3623 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
)
3625 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3627 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3630 if( ( ret
= ssl_parse_client_dh_public( ssl
, &p
, end
) ) != 0 )
3632 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret
);
3638 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3639 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3642 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3643 ciphersuite_info
->key_exchange
) ) != 0 )
3645 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3650 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3651 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3652 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
3654 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3656 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3660 if( ( ret
= mbedtls_ecdh_read_public( &ssl
->handshake
->ecdh_ctx
,
3661 p
, end
- p
) ) != 0 )
3663 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret
);
3664 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3667 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl
->handshake
->ecdh_ctx
.Qp
);
3669 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3670 ciphersuite_info
->key_exchange
) ) != 0 )
3672 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3677 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3678 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3679 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA
)
3681 if( ( ret
= ssl_parse_encrypted_pms( ssl
, p
, end
, 0 ) ) != 0 )
3683 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret
);
3688 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3689 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3690 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
3692 ret
= mbedtls_ecjpake_read_round_two( &ssl
->handshake
->ecjpake_ctx
,
3696 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret
);
3697 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
);
3700 ret
= mbedtls_ecjpake_derive_secret( &ssl
->handshake
->ecjpake_ctx
,
3701 ssl
->handshake
->premaster
, 32, &ssl
->handshake
->pmslen
,
3702 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
3705 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret
);
3710 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3713 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3716 if( ( ret
= mbedtls_ssl_derive_keys( ssl
) ) != 0 )
3718 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret
);
3724 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
3729 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3730 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3731 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3732 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3733 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3734 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3735 static int ssl_parse_certificate_verify( mbedtls_ssl_context
*ssl
)
3737 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
=
3738 ssl
->transform_negotiate
->ciphersuite_info
;
3740 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3742 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
3743 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
3744 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
3745 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
3746 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
3748 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3753 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3754 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3757 static int ssl_parse_certificate_verify( mbedtls_ssl_context
*ssl
)
3759 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
3761 unsigned char hash
[48];
3762 unsigned char *hash_start
= hash
;
3764 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3765 mbedtls_pk_type_t pk_alg
;
3767 mbedtls_md_type_t md_alg
;
3768 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
=
3769 ssl
->transform_negotiate
->ciphersuite_info
;
3771 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3773 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
3774 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
3775 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
3776 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
3777 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
||
3778 ssl
->session_negotiate
->peer_cert
== NULL
)
3780 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3785 /* Read the message without adding it to the checksum */
3788 if( ( ret
= mbedtls_ssl_read_record_layer( ssl
) ) != 0 )
3790 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret
);
3794 ret
= mbedtls_ssl_handle_message_type( ssl
);
3796 } while( MBEDTLS_ERR_SSL_NON_FATAL
== ret
);
3800 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret
);
3806 /* Process the message contents */
3807 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
||
3808 ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
)
3810 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3811 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3814 i
= mbedtls_ssl_hs_hdr_len( ssl
);
3818 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3819 * opaque signature<0..2^16-1>;
3820 * } DigitallySigned;
3822 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3823 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3824 if( ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_3
)
3826 md_alg
= MBEDTLS_MD_NONE
;
3829 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3830 if( mbedtls_pk_can_do( &ssl
->session_negotiate
->peer_cert
->pk
,
3831 MBEDTLS_PK_ECDSA
) )
3835 md_alg
= MBEDTLS_MD_SHA1
;
3839 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
3840 MBEDTLS_SSL_PROTO_TLS1_1 */
3841 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3842 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
3844 if( i
+ 2 > ssl
->in_hslen
)
3846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3847 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3853 md_alg
= mbedtls_ssl_md_alg_from_hash( ssl
->in_msg
[i
] );
3855 if( md_alg
== MBEDTLS_MD_NONE
|| mbedtls_ssl_set_calc_verify_md( ssl
, ssl
->in_msg
[i
] ) )
3857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3858 " for verify message" ) );
3859 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3862 #if !defined(MBEDTLS_MD_SHA1)
3863 if( MBEDTLS_MD_SHA1
== md_alg
)
3867 /* Info from md_alg will be used instead */
3875 if( ( pk_alg
= mbedtls_ssl_pk_alg_from_sig( ssl
->in_msg
[i
] ) )
3876 == MBEDTLS_PK_NONE
)
3878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3879 " for verify message" ) );
3880 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3884 * Check the certificate's key type matches the signature alg
3886 if( ! mbedtls_pk_can_do( &ssl
->session_negotiate
->peer_cert
->pk
, pk_alg
) )
3888 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3889 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3895 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3897 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3898 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3901 if( i
+ 2 > ssl
->in_hslen
)
3903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3904 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3907 sig_len
= ( ssl
->in_msg
[i
] << 8 ) | ssl
->in_msg
[i
+1];
3910 if( i
+ sig_len
!= ssl
->in_hslen
)
3912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3913 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3916 /* Calculate hash and verify signature */
3917 ssl
->handshake
->calc_verify( ssl
, hash
);
3919 if( ( ret
= mbedtls_pk_verify( &ssl
->session_negotiate
->peer_cert
->pk
,
3920 md_alg
, hash_start
, hashlen
,
3921 ssl
->in_msg
+ i
, sig_len
) ) != 0 )
3923 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret
);
3927 mbedtls_ssl_update_handshake_status( ssl
);
3929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3933 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3934 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3935 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3936 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3937 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3938 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3940 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3941 static int ssl_write_new_session_ticket( mbedtls_ssl_context
*ssl
)
3947 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3949 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3950 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET
;
3954 * uint32 ticket_lifetime_hint;
3955 * opaque ticket<0..2^16-1>;
3956 * } NewSessionTicket;
3958 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3959 * 8 . 9 ticket_len (n)
3960 * 10 . 9+n ticket content
3963 if( ( ret
= ssl
->conf
->f_ticket_write( ssl
->conf
->p_ticket
,
3964 ssl
->session_negotiate
,
3966 ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
,
3967 &tlen
, &lifetime
) ) != 0 )
3969 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret
);
3973 ssl
->out_msg
[4] = ( lifetime
>> 24 ) & 0xFF;
3974 ssl
->out_msg
[5] = ( lifetime
>> 16 ) & 0xFF;
3975 ssl
->out_msg
[6] = ( lifetime
>> 8 ) & 0xFF;
3976 ssl
->out_msg
[7] = ( lifetime
) & 0xFF;
3978 ssl
->out_msg
[8] = (unsigned char)( ( tlen
>> 8 ) & 0xFF );
3979 ssl
->out_msg
[9] = (unsigned char)( ( tlen
) & 0xFF );
3981 ssl
->out_msglen
= 10 + tlen
;
3984 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3985 * ChangeCipherSpec share the same state.
3987 ssl
->handshake
->new_session_ticket
= 0;
3989 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3991 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3995 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3999 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4002 * SSL handshake -- server side -- single step
4004 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context
*ssl
)
4008 if( ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
|| ssl
->handshake
== NULL
)
4009 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
4011 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl
->state
) );
4013 if( ( ret
= mbedtls_ssl_flush_output( ssl
) ) != 0 )
4016 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4017 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
4018 ssl
->handshake
->retransmit_state
== MBEDTLS_SSL_RETRANS_SENDING
)
4020 if( ( ret
= mbedtls_ssl_resend( ssl
) ) != 0 )
4025 switch( ssl
->state
)
4027 case MBEDTLS_SSL_HELLO_REQUEST
:
4028 ssl
->state
= MBEDTLS_SSL_CLIENT_HELLO
;
4034 case MBEDTLS_SSL_CLIENT_HELLO
:
4035 ret
= ssl_parse_client_hello( ssl
);
4038 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4039 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
:
4040 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
);
4046 * ( ServerKeyExchange )
4047 * ( CertificateRequest )
4050 case MBEDTLS_SSL_SERVER_HELLO
:
4051 ret
= ssl_write_server_hello( ssl
);
4054 case MBEDTLS_SSL_SERVER_CERTIFICATE
:
4055 ret
= mbedtls_ssl_write_certificate( ssl
);
4058 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE
:
4059 ret
= ssl_write_server_key_exchange( ssl
);
4062 case MBEDTLS_SSL_CERTIFICATE_REQUEST
:
4063 ret
= ssl_write_certificate_request( ssl
);
4066 case MBEDTLS_SSL_SERVER_HELLO_DONE
:
4067 ret
= ssl_write_server_hello_done( ssl
);
4071 * <== ( Certificate/Alert )
4073 * ( CertificateVerify )
4077 case MBEDTLS_SSL_CLIENT_CERTIFICATE
:
4078 ret
= mbedtls_ssl_parse_certificate( ssl
);
4081 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
:
4082 ret
= ssl_parse_client_key_exchange( ssl
);
4085 case MBEDTLS_SSL_CERTIFICATE_VERIFY
:
4086 ret
= ssl_parse_certificate_verify( ssl
);
4089 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
:
4090 ret
= mbedtls_ssl_parse_change_cipher_spec( ssl
);
4093 case MBEDTLS_SSL_CLIENT_FINISHED
:
4094 ret
= mbedtls_ssl_parse_finished( ssl
);
4098 * ==> ( NewSessionTicket )
4102 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
:
4103 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4104 if( ssl
->handshake
->new_session_ticket
!= 0 )
4105 ret
= ssl_write_new_session_ticket( ssl
);
4108 ret
= mbedtls_ssl_write_change_cipher_spec( ssl
);
4111 case MBEDTLS_SSL_SERVER_FINISHED
:
4112 ret
= mbedtls_ssl_write_finished( ssl
);
4115 case MBEDTLS_SSL_FLUSH_BUFFERS
:
4116 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4117 ssl
->state
= MBEDTLS_SSL_HANDSHAKE_WRAPUP
;
4120 case MBEDTLS_SSL_HANDSHAKE_WRAPUP
:
4121 mbedtls_ssl_handshake_wrapup( ssl
);
4125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl
->state
) );
4126 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
4131 #endif /* MBEDTLS_SSL_SRV_C */