32eae0f2a40c1b13fe1f499e476c586fdf649230
[reactos.git] / reactos / dll / 3rdparty / mbedtls / ssl_cli.c
1 /*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
24 #else
25 #include MBEDTLS_CONFIG_FILE
26 #endif
27
28 #if defined(MBEDTLS_SSL_CLI_C)
29
30 #include "mbedtls/debug.h"
31 #include "mbedtls/ssl.h"
32 #include "mbedtls/ssl_internal.h"
33
34 #include <string.h>
35
36 #if defined(MBEDTLS_PLATFORM_C)
37 #include "mbedtls/platform.h"
38 #else
39 #include <stdlib.h>
40 #define mbedtls_calloc calloc
41 #define mbedtls_free free
42 #endif
43
44 #include <stdint.h>
45
46 #if defined(MBEDTLS_HAVE_TIME)
47 #include <time.h>
48 #endif
49
50 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
51 /* Implementation that should never be optimized out by the compiler */
52 static void mbedtls_zeroize( void *v, size_t n ) {
53 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
54 }
55 #endif
56
57 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
58 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
59 unsigned char *buf,
60 size_t *olen )
61 {
62 unsigned char *p = buf;
63 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
64 size_t hostname_len;
65
66 *olen = 0;
67
68 if( ssl->hostname == NULL )
69 return;
70
71 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
72 ssl->hostname ) );
73
74 hostname_len = strlen( ssl->hostname );
75
76 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
77 {
78 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
79 return;
80 }
81
82 /*
83 * struct {
84 * NameType name_type;
85 * select (name_type) {
86 * case host_name: HostName;
87 * } name;
88 * } ServerName;
89 *
90 * enum {
91 * host_name(0), (255)
92 * } NameType;
93 *
94 * opaque HostName<1..2^16-1>;
95 *
96 * struct {
97 * ServerName server_name_list<1..2^16-1>
98 * } ServerNameList;
99 */
100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
102
103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
105
106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
108
109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
112
113 memcpy( p, ssl->hostname, hostname_len );
114
115 *olen = hostname_len + 9;
116 }
117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
118
119 #if defined(MBEDTLS_SSL_RENEGOTIATION)
120 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
121 unsigned char *buf,
122 size_t *olen )
123 {
124 unsigned char *p = buf;
125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
126
127 *olen = 0;
128
129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
130 return;
131
132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
133
134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
135 {
136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
137 return;
138 }
139
140 /*
141 * Secure renegotiation
142 */
143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
145
146 *p++ = 0x00;
147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
148 *p++ = ssl->verify_data_len & 0xFF;
149
150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
151
152 *olen = 5 + ssl->verify_data_len;
153 }
154 #endif /* MBEDTLS_SSL_RENEGOTIATION */
155
156 /*
157 * Only if we handle at least one key exchange that needs signatures.
158 */
159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
161 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
162 unsigned char *buf,
163 size_t *olen )
164 {
165 unsigned char *p = buf;
166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
167 size_t sig_alg_len = 0;
168 const int *md;
169 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
170 unsigned char *sig_alg_list = buf + 6;
171 #endif
172
173 *olen = 0;
174
175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
176 return;
177
178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
179
180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
181 {
182 #if defined(MBEDTLS_ECDSA_C)
183 sig_alg_len += 2;
184 #endif
185 #if defined(MBEDTLS_RSA_C)
186 sig_alg_len += 2;
187 #endif
188 }
189
190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
191 {
192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
193 return;
194 }
195
196 /*
197 * Prepare signature_algorithms extension (TLS 1.2)
198 */
199 sig_alg_len = 0;
200
201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
202 {
203 #if defined(MBEDTLS_ECDSA_C)
204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
206 #endif
207 #if defined(MBEDTLS_RSA_C)
208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
210 #endif
211 }
212
213 /*
214 * enum {
215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
216 * sha512(6), (255)
217 * } HashAlgorithm;
218 *
219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
220 * SignatureAlgorithm;
221 *
222 * struct {
223 * HashAlgorithm hash;
224 * SignatureAlgorithm signature;
225 * } SignatureAndHashAlgorithm;
226 *
227 * SignatureAndHashAlgorithm
228 * supported_signature_algorithms<2..2^16-2>;
229 */
230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
232
233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
235
236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
238
239 *olen = 6 + sig_alg_len;
240 }
241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
243
244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
245 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
246 unsigned char *buf,
247 size_t *olen )
248 {
249 unsigned char *p = buf;
250 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
251 unsigned char *elliptic_curve_list = p + 6;
252 size_t elliptic_curve_len = 0;
253 const mbedtls_ecp_curve_info *info;
254 #if defined(MBEDTLS_ECP_C)
255 const mbedtls_ecp_group_id *grp_id;
256 #else
257 ((void) ssl);
258 #endif
259
260 *olen = 0;
261
262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
263
264 #if defined(MBEDTLS_ECP_C)
265 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
266 {
267 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
268 #else
269 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
270 {
271 #endif
272 elliptic_curve_len += 2;
273 }
274
275 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
276 {
277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
278 return;
279 }
280
281 elliptic_curve_len = 0;
282
283 #if defined(MBEDTLS_ECP_C)
284 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
285 {
286 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
287 #else
288 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
289 {
290 #endif
291
292 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
293 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
294 }
295
296 if( elliptic_curve_len == 0 )
297 return;
298
299 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
300 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
301
302 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
303 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
304
305 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
306 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
307
308 *olen = 6 + elliptic_curve_len;
309 }
310
311 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
312 unsigned char *buf,
313 size_t *olen )
314 {
315 unsigned char *p = buf;
316 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
317
318 *olen = 0;
319
320 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
321
322 if( end < p || (size_t)( end - p ) < 6 )
323 {
324 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
325 return;
326 }
327
328 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
329 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
330
331 *p++ = 0x00;
332 *p++ = 2;
333
334 *p++ = 1;
335 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
336
337 *olen = 6;
338 }
339 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
340
341 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
342 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
343 unsigned char *buf,
344 size_t *olen )
345 {
346 unsigned char *p = buf;
347 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
348
349 *olen = 0;
350
351 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
352 return;
353 }
354
355 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
356
357 if( end < p || (size_t)( end - p ) < 5 )
358 {
359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
360 return;
361 }
362
363 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
364 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
365
366 *p++ = 0x00;
367 *p++ = 1;
368
369 *p++ = ssl->conf->mfl_code;
370
371 *olen = 5;
372 }
373 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
374
375 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
376 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
377 unsigned char *buf, size_t *olen )
378 {
379 unsigned char *p = buf;
380 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
381
382 *olen = 0;
383
384 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
385 {
386 return;
387 }
388
389 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
390
391 if( end < p || (size_t)( end - p ) < 4 )
392 {
393 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
394 return;
395 }
396
397 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
398 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
399
400 *p++ = 0x00;
401 *p++ = 0x00;
402
403 *olen = 4;
404 }
405 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
406
407 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
408 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
409 unsigned char *buf, size_t *olen )
410 {
411 unsigned char *p = buf;
412 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
413
414 *olen = 0;
415
416 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
417 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
418 {
419 return;
420 }
421
422 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
423 "extension" ) );
424
425 if( end < p || (size_t)( end - p ) < 4 )
426 {
427 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
428 return;
429 }
430
431 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
432 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
433
434 *p++ = 0x00;
435 *p++ = 0x00;
436
437 *olen = 4;
438 }
439 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
440
441 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
442 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
443 unsigned char *buf, size_t *olen )
444 {
445 unsigned char *p = buf;
446 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
447
448 *olen = 0;
449
450 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
451 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
452 {
453 return;
454 }
455
456 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
457 "extension" ) );
458
459 if( end < p || (size_t)( end - p ) < 4 )
460 {
461 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
462 return;
463 }
464
465 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
466 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
467
468 *p++ = 0x00;
469 *p++ = 0x00;
470
471 *olen = 4;
472 }
473 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
474
475 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
476 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
477 unsigned char *buf, size_t *olen )
478 {
479 unsigned char *p = buf;
480 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
481 size_t tlen = ssl->session_negotiate->ticket_len;
482
483 *olen = 0;
484
485 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
486 {
487 return;
488 }
489
490 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
491
492 if( end < p || (size_t)( end - p ) < 4 + tlen )
493 {
494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
495 return;
496 }
497
498 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
499 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
500
501 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
502 *p++ = (unsigned char)( ( tlen ) & 0xFF );
503
504 *olen = 4;
505
506 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
507 {
508 return;
509 }
510
511 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
512
513 memcpy( p, ssl->session_negotiate->ticket, tlen );
514
515 *olen += tlen;
516 }
517 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
518
519 #if defined(MBEDTLS_SSL_ALPN)
520 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
521 unsigned char *buf, size_t *olen )
522 {
523 unsigned char *p = buf;
524 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
525 size_t alpnlen = 0;
526 const char **cur;
527
528 *olen = 0;
529
530 if( ssl->conf->alpn_list == NULL )
531 {
532 return;
533 }
534
535 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
536
537 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
538 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
539
540 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
541 {
542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
543 return;
544 }
545
546 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
547 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
548
549 /*
550 * opaque ProtocolName<1..2^8-1>;
551 *
552 * struct {
553 * ProtocolName protocol_name_list<2..2^16-1>
554 * } ProtocolNameList;
555 */
556
557 /* Skip writing extension and list length for now */
558 p += 4;
559
560 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
561 {
562 *p = (unsigned char)( strlen( *cur ) & 0xFF );
563 memcpy( p + 1, *cur, *p );
564 p += 1 + *p;
565 }
566
567 *olen = p - buf;
568
569 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
570 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
571 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
572
573 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
574 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
575 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
576 }
577 #endif /* MBEDTLS_SSL_ALPN */
578
579 /*
580 * Generate random bytes for ClientHello
581 */
582 static int ssl_generate_random( mbedtls_ssl_context *ssl )
583 {
584 int ret;
585 unsigned char *p = ssl->handshake->randbytes;
586 #if defined(MBEDTLS_HAVE_TIME)
587 time_t t;
588 #endif
589
590 /*
591 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
592 */
593 #if defined(MBEDTLS_SSL_PROTO_DTLS)
594 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
595 ssl->handshake->verify_cookie != NULL )
596 {
597 return( 0 );
598 }
599 #endif
600
601 #if defined(MBEDTLS_HAVE_TIME)
602 t = time( NULL );
603 *p++ = (unsigned char)( t >> 24 );
604 *p++ = (unsigned char)( t >> 16 );
605 *p++ = (unsigned char)( t >> 8 );
606 *p++ = (unsigned char)( t );
607
608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
609 #else
610 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
611 return( ret );
612
613 p += 4;
614 #endif /* MBEDTLS_HAVE_TIME */
615
616 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
617 return( ret );
618
619 return( 0 );
620 }
621
622 static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
623 {
624 int ret;
625 size_t i, n, olen, ext_len = 0;
626 unsigned char *buf;
627 unsigned char *p, *q;
628 unsigned char offer_compress;
629 const int *ciphersuites;
630 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
631
632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
633
634 if( ssl->conf->f_rng == NULL )
635 {
636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
637 return( MBEDTLS_ERR_SSL_NO_RNG );
638 }
639
640 #if defined(MBEDTLS_SSL_RENEGOTIATION)
641 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
642 #endif
643 {
644 ssl->major_ver = ssl->conf->min_major_ver;
645 ssl->minor_ver = ssl->conf->min_minor_ver;
646 }
647
648 if( ssl->conf->max_major_ver == 0 )
649 {
650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
651 "consider using mbedtls_ssl_config_defaults()" ) );
652 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
653 }
654
655 /*
656 * 0 . 0 handshake type
657 * 1 . 3 handshake length
658 * 4 . 5 highest version supported
659 * 6 . 9 current UNIX time
660 * 10 . 37 random bytes
661 */
662 buf = ssl->out_msg;
663 p = buf + 4;
664
665 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
666 ssl->conf->transport, p );
667 p += 2;
668
669 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
670 buf[4], buf[5] ) );
671
672 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
673 {
674 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
675 return( ret );
676 }
677
678 memcpy( p, ssl->handshake->randbytes, 32 );
679 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
680 p += 32;
681
682 /*
683 * 38 . 38 session id length
684 * 39 . 39+n session id
685 * 39+n . 39+n DTLS only: cookie length (1 byte)
686 * 40+n . .. DTSL only: cookie
687 * .. . .. ciphersuitelist length (2 bytes)
688 * .. . .. ciphersuitelist
689 * .. . .. compression methods length (1 byte)
690 * .. . .. compression methods
691 * .. . .. extensions length (2 bytes)
692 * .. . .. extensions
693 */
694 n = ssl->session_negotiate->id_len;
695
696 if( n < 16 || n > 32 ||
697 #if defined(MBEDTLS_SSL_RENEGOTIATION)
698 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
699 #endif
700 ssl->handshake->resume == 0 )
701 {
702 n = 0;
703 }
704
705 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
706 /*
707 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
708 * generate and include a Session ID in the TLS ClientHello."
709 */
710 #if defined(MBEDTLS_SSL_RENEGOTIATION)
711 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
712 #endif
713 {
714 if( ssl->session_negotiate->ticket != NULL &&
715 ssl->session_negotiate->ticket_len != 0 )
716 {
717 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
718
719 if( ret != 0 )
720 return( ret );
721
722 ssl->session_negotiate->id_len = n = 32;
723 }
724 }
725 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
726
727 *p++ = (unsigned char) n;
728
729 for( i = 0; i < n; i++ )
730 *p++ = ssl->session_negotiate->id[i];
731
732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
733 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
734
735 /*
736 * DTLS cookie
737 */
738 #if defined(MBEDTLS_SSL_PROTO_DTLS)
739 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
740 {
741 if( ssl->handshake->verify_cookie == NULL )
742 {
743 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
744 *p++ = 0;
745 }
746 else
747 {
748 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
749 ssl->handshake->verify_cookie,
750 ssl->handshake->verify_cookie_len );
751
752 *p++ = ssl->handshake->verify_cookie_len;
753 memcpy( p, ssl->handshake->verify_cookie,
754 ssl->handshake->verify_cookie_len );
755 p += ssl->handshake->verify_cookie_len;
756 }
757 }
758 #endif
759
760 /*
761 * Ciphersuite list
762 */
763 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
764
765 /* Skip writing ciphersuite length for now */
766 n = 0;
767 q = p;
768 p += 2;
769
770 for( i = 0; ciphersuites[i] != 0; i++ )
771 {
772 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
773
774 if( ciphersuite_info == NULL )
775 continue;
776
777 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver ||
778 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver )
779 continue;
780
781 #if defined(MBEDTLS_SSL_PROTO_DTLS)
782 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
783 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
784 continue;
785 #endif
786
787 #if defined(MBEDTLS_ARC4_C)
788 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
789 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
790 continue;
791 #endif
792
793 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
794 ciphersuites[i] ) );
795
796 n++;
797 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
798 *p++ = (unsigned char)( ciphersuites[i] );
799 }
800
801 /*
802 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
803 */
804 #if defined(MBEDTLS_SSL_RENEGOTIATION)
805 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
806 #endif
807 {
808 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
809 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
810 n++;
811 }
812
813 /* Some versions of OpenSSL don't handle it correctly if not at end */
814 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
815 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
816 {
817 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
818 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
819 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
820 n++;
821 }
822 #endif
823
824 *q++ = (unsigned char)( n >> 7 );
825 *q++ = (unsigned char)( n << 1 );
826
827 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
828
829 #if defined(MBEDTLS_ZLIB_SUPPORT)
830 offer_compress = 1;
831 #else
832 offer_compress = 0;
833 #endif
834
835 /*
836 * We don't support compression with DTLS right now: is many records come
837 * in the same datagram, uncompressing one could overwrite the next one.
838 * We don't want to add complexity for handling that case unless there is
839 * an actual need for it.
840 */
841 #if defined(MBEDTLS_SSL_PROTO_DTLS)
842 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
843 offer_compress = 0;
844 #endif
845
846 if( offer_compress )
847 {
848 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
849 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
850 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
851
852 *p++ = 2;
853 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
854 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
855 }
856 else
857 {
858 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
859 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
860 MBEDTLS_SSL_COMPRESS_NULL ) );
861
862 *p++ = 1;
863 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
864 }
865
866 // First write extensions, then the total length
867 //
868 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
869 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
870 ext_len += olen;
871 #endif
872
873 #if defined(MBEDTLS_SSL_RENEGOTIATION)
874 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
875 ext_len += olen;
876 #endif
877
878 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
879 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
880 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
881 ext_len += olen;
882 #endif
883
884 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
885 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
886 ext_len += olen;
887
888 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
889 ext_len += olen;
890 #endif
891
892 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
893 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
894 ext_len += olen;
895 #endif
896
897 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
898 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
899 ext_len += olen;
900 #endif
901
902 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
903 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
904 ext_len += olen;
905 #endif
906
907 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
908 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
909 ext_len += olen;
910 #endif
911
912 #if defined(MBEDTLS_SSL_ALPN)
913 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
914 ext_len += olen;
915 #endif
916
917 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
918 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
919 ext_len += olen;
920 #endif
921
922 /* olen unused if all extensions are disabled */
923 ((void) olen);
924
925 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
926 ext_len ) );
927
928 if( ext_len > 0 )
929 {
930 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
931 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
932 p += ext_len;
933 }
934
935 ssl->out_msglen = p - buf;
936 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
937 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
938
939 ssl->state++;
940
941 #if defined(MBEDTLS_SSL_PROTO_DTLS)
942 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
943 mbedtls_ssl_send_flight_completed( ssl );
944 #endif
945
946 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
947 {
948 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
949 return( ret );
950 }
951
952 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
953
954 return( 0 );
955 }
956
957 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
958 const unsigned char *buf,
959 size_t len )
960 {
961 int ret;
962
963 #if defined(MBEDTLS_SSL_RENEGOTIATION)
964 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
965 {
966 /* Check verify-data in constant-time. The length OTOH is no secret */
967 if( len != 1 + ssl->verify_data_len * 2 ||
968 buf[0] != ssl->verify_data_len * 2 ||
969 mbedtls_ssl_safer_memcmp( buf + 1,
970 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
971 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
972 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
973 {
974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
975
976 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
977 return( ret );
978
979 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
980 }
981 }
982 else
983 #endif /* MBEDTLS_SSL_RENEGOTIATION */
984 {
985 if( len != 1 || buf[0] != 0x00 )
986 {
987 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
988
989 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
990 return( ret );
991
992 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
993 }
994
995 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
996 }
997
998 return( 0 );
999 }
1000
1001 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1002 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1003 const unsigned char *buf,
1004 size_t len )
1005 {
1006 /*
1007 * server should use the extension only if we did,
1008 * and if so the server's value should match ours (and len is always 1)
1009 */
1010 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1011 len != 1 ||
1012 buf[0] != ssl->conf->mfl_code )
1013 {
1014 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1015 }
1016
1017 return( 0 );
1018 }
1019 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1020
1021 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1022 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1023 const unsigned char *buf,
1024 size_t len )
1025 {
1026 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1027 len != 0 )
1028 {
1029 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1030 }
1031
1032 ((void) buf);
1033
1034 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1035
1036 return( 0 );
1037 }
1038 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1039
1040 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1041 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1042 const unsigned char *buf,
1043 size_t len )
1044 {
1045 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1046 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1047 len != 0 )
1048 {
1049 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1050 }
1051
1052 ((void) buf);
1053
1054 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1055
1056 return( 0 );
1057 }
1058 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1059
1060 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1061 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1062 const unsigned char *buf,
1063 size_t len )
1064 {
1065 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1066 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1067 len != 0 )
1068 {
1069 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1070 }
1071
1072 ((void) buf);
1073
1074 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1075
1076 return( 0 );
1077 }
1078 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1079
1080 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1081 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1082 const unsigned char *buf,
1083 size_t len )
1084 {
1085 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1086 len != 0 )
1087 {
1088 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1089 }
1090
1091 ((void) buf);
1092
1093 ssl->handshake->new_session_ticket = 1;
1094
1095 return( 0 );
1096 }
1097 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1098
1099 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1100 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1101 const unsigned char *buf,
1102 size_t len )
1103 {
1104 size_t list_size;
1105 const unsigned char *p;
1106
1107 list_size = buf[0];
1108 if( list_size + 1 != len )
1109 {
1110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1111 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1112 }
1113
1114 p = buf + 1;
1115 while( list_size > 0 )
1116 {
1117 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1118 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1119 {
1120 ssl->handshake->ecdh_ctx.point_format = p[0];
1121 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1122 return( 0 );
1123 }
1124
1125 list_size--;
1126 p++;
1127 }
1128
1129 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1130 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1131 }
1132 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
1133
1134 #if defined(MBEDTLS_SSL_ALPN)
1135 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1136 const unsigned char *buf, size_t len )
1137 {
1138 size_t list_len, name_len;
1139 const char **p;
1140
1141 /* If we didn't send it, the server shouldn't send it */
1142 if( ssl->conf->alpn_list == NULL )
1143 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1144
1145 /*
1146 * opaque ProtocolName<1..2^8-1>;
1147 *
1148 * struct {
1149 * ProtocolName protocol_name_list<2..2^16-1>
1150 * } ProtocolNameList;
1151 *
1152 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1153 */
1154
1155 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1156 if( len < 4 )
1157 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1158
1159 list_len = ( buf[0] << 8 ) | buf[1];
1160 if( list_len != len - 2 )
1161 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1162
1163 name_len = buf[2];
1164 if( name_len != list_len - 1 )
1165 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1166
1167 /* Check that the server chosen protocol was in our list and save it */
1168 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1169 {
1170 if( name_len == strlen( *p ) &&
1171 memcmp( buf + 3, *p, name_len ) == 0 )
1172 {
1173 ssl->alpn_chosen = *p;
1174 return( 0 );
1175 }
1176 }
1177
1178 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1179 }
1180 #endif /* MBEDTLS_SSL_ALPN */
1181
1182 /*
1183 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1184 */
1185 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1186 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1187 {
1188 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1189 int major_ver, minor_ver;
1190 unsigned char cookie_len;
1191
1192 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1193
1194 /*
1195 * struct {
1196 * ProtocolVersion server_version;
1197 * opaque cookie<0..2^8-1>;
1198 * } HelloVerifyRequest;
1199 */
1200 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1201 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1202 p += 2;
1203
1204 /*
1205 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1206 * even is lower than our min version.
1207 */
1208 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1209 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1210 major_ver > ssl->conf->max_major_ver ||
1211 minor_ver > ssl->conf->max_minor_ver )
1212 {
1213 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1214
1215 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1216 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1217
1218 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1219 }
1220
1221 cookie_len = *p++;
1222 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1223
1224 mbedtls_free( ssl->handshake->verify_cookie );
1225
1226 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1227 if( ssl->handshake->verify_cookie == NULL )
1228 {
1229 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1230 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1231 }
1232
1233 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1234 ssl->handshake->verify_cookie_len = cookie_len;
1235
1236 /* Start over at ClientHello */
1237 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1238 mbedtls_ssl_reset_checksum( ssl );
1239
1240 mbedtls_ssl_recv_flight_completed( ssl );
1241
1242 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1243
1244 return( 0 );
1245 }
1246 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1247
1248 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1249 {
1250 int ret, i;
1251 size_t n;
1252 size_t ext_len;
1253 unsigned char *buf, *ext;
1254 unsigned char comp;
1255 #if defined(MBEDTLS_ZLIB_SUPPORT)
1256 int accept_comp;
1257 #endif
1258 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1259 int renegotiation_info_seen = 0;
1260 #endif
1261 int handshake_failure = 0;
1262 const mbedtls_ssl_ciphersuite_t *suite_info;
1263 #if defined(MBEDTLS_DEBUG_C)
1264 uint32_t t;
1265 #endif
1266
1267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1268
1269 buf = ssl->in_msg;
1270
1271 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
1272 {
1273 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1274 return( ret );
1275 }
1276
1277 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1278 {
1279 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1280 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1281 {
1282 ssl->renego_records_seen++;
1283
1284 if( ssl->conf->renego_max_records >= 0 &&
1285 ssl->renego_records_seen > ssl->conf->renego_max_records )
1286 {
1287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
1288 "but not honored by server" ) );
1289 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1290 }
1291
1292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1293 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1294 }
1295 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1296
1297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1298 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1299 }
1300
1301 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1302 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1303 {
1304 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1305 {
1306 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1307 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1308 return( ssl_parse_hello_verify_request( ssl ) );
1309 }
1310 else
1311 {
1312 /* We made it through the verification process */
1313 mbedtls_free( ssl->handshake->verify_cookie );
1314 ssl->handshake->verify_cookie = NULL;
1315 ssl->handshake->verify_cookie_len = 0;
1316 }
1317 }
1318 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1319
1320 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1321 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1322 {
1323 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1324 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1325 }
1326
1327 /*
1328 * 0 . 1 server_version
1329 * 2 . 33 random (maybe including 4 bytes of Unix time)
1330 * 34 . 34 session_id length = n
1331 * 35 . 34+n session_id
1332 * 35+n . 36+n cipher_suite
1333 * 37+n . 37+n compression_method
1334 *
1335 * 38+n . 39+n extensions length (optional)
1336 * 40+n . .. extensions
1337 */
1338 buf += mbedtls_ssl_hs_hdr_len( ssl );
1339
1340 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1341 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1342 ssl->conf->transport, buf + 0 );
1343
1344 if( ssl->major_ver < ssl->conf->min_major_ver ||
1345 ssl->minor_ver < ssl->conf->min_minor_ver ||
1346 ssl->major_ver > ssl->conf->max_major_ver ||
1347 ssl->minor_ver > ssl->conf->max_minor_ver )
1348 {
1349 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
1350 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1351 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
1352 ssl->major_ver, ssl->minor_ver,
1353 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
1354
1355 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1356 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1357
1358 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1359 }
1360
1361 #if defined(MBEDTLS_DEBUG_C)
1362 t = ( (uint32_t) buf[2] << 24 )
1363 | ( (uint32_t) buf[3] << 16 )
1364 | ( (uint32_t) buf[4] << 8 )
1365 | ( (uint32_t) buf[5] );
1366 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
1367 #endif
1368
1369 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1370
1371 n = buf[34];
1372
1373 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1374
1375 if( n > 32 )
1376 {
1377 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1378 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1379 }
1380
1381 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1382 {
1383 ext_len = ( ( buf[38 + n] << 8 )
1384 | ( buf[39 + n] ) );
1385
1386 if( ( ext_len > 0 && ext_len < 4 ) ||
1387 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1388 {
1389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1390 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1391 }
1392 }
1393 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1394 {
1395 ext_len = 0;
1396 }
1397 else
1398 {
1399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1400 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1401 }
1402
1403 /* ciphersuite (used later) */
1404 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1405
1406 /*
1407 * Read and check compression
1408 */
1409 comp = buf[37 + n];
1410
1411 #if defined(MBEDTLS_ZLIB_SUPPORT)
1412 /* See comments in ssl_write_client_hello() */
1413 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1414 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1415 accept_comp = 0;
1416 else
1417 #endif
1418 accept_comp = 1;
1419
1420 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1421 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1422 #else /* MBEDTLS_ZLIB_SUPPORT */
1423 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1424 #endif/* MBEDTLS_ZLIB_SUPPORT */
1425 {
1426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
1427 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1428 }
1429
1430 /*
1431 * Initialize update checksum functions
1432 */
1433 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
1434
1435 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1436 {
1437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1438 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1439 }
1440
1441 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1442
1443 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1444 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1445
1446 /*
1447 * Check if the session can be resumed
1448 */
1449 if( ssl->handshake->resume == 0 || n == 0 ||
1450 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1451 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1452 #endif
1453 ssl->session_negotiate->ciphersuite != i ||
1454 ssl->session_negotiate->compression != comp ||
1455 ssl->session_negotiate->id_len != n ||
1456 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1457 {
1458 ssl->state++;
1459 ssl->handshake->resume = 0;
1460 #if defined(MBEDTLS_HAVE_TIME)
1461 ssl->session_negotiate->start = time( NULL );
1462 #endif
1463 ssl->session_negotiate->ciphersuite = i;
1464 ssl->session_negotiate->compression = comp;
1465 ssl->session_negotiate->id_len = n;
1466 memcpy( ssl->session_negotiate->id, buf + 35, n );
1467 }
1468 else
1469 {
1470 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1471
1472 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1473 {
1474 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1475 return( ret );
1476 }
1477 }
1478
1479 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1480 ssl->handshake->resume ? "a" : "no" ) );
1481
1482 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
1483 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
1484
1485 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
1486 if( suite_info == NULL
1487 #if defined(MBEDTLS_ARC4_C)
1488 || ( ssl->conf->arc4_disabled &&
1489 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
1490 #endif
1491 )
1492 {
1493 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1494 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1495 }
1496
1497 i = 0;
1498 while( 1 )
1499 {
1500 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1501 {
1502 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1503 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1504 }
1505
1506 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1507 ssl->session_negotiate->ciphersuite )
1508 {
1509 break;
1510 }
1511 }
1512
1513 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1514 #if defined(MBEDTLS_ZLIB_SUPPORT)
1515 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
1516 #endif
1517 )
1518 {
1519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1520 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1521 }
1522 ssl->session_negotiate->compression = comp;
1523
1524 ext = buf + 40 + n;
1525
1526 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1527
1528 while( ext_len )
1529 {
1530 unsigned int ext_id = ( ( ext[0] << 8 )
1531 | ( ext[1] ) );
1532 unsigned int ext_size = ( ( ext[2] << 8 )
1533 | ( ext[3] ) );
1534
1535 if( ext_size + 4 > ext_len )
1536 {
1537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1538 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1539 }
1540
1541 switch( ext_id )
1542 {
1543 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1544 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1545 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1546 renegotiation_info_seen = 1;
1547 #endif
1548
1549 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1550 ext_size ) ) != 0 )
1551 return( ret );
1552
1553 break;
1554
1555 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1556 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1557 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1558
1559 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1560 ext + 4, ext_size ) ) != 0 )
1561 {
1562 return( ret );
1563 }
1564
1565 break;
1566 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1567
1568 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1569 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1570 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1571
1572 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1573 ext + 4, ext_size ) ) != 0 )
1574 {
1575 return( ret );
1576 }
1577
1578 break;
1579 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1580
1581 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1582 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1583 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
1584
1585 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1586 ext + 4, ext_size ) ) != 0 )
1587 {
1588 return( ret );
1589 }
1590
1591 break;
1592 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1593
1594 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1595 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1596 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
1597
1598 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1599 ext + 4, ext_size ) ) != 0 )
1600 {
1601 return( ret );
1602 }
1603
1604 break;
1605 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1606
1607 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1608 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1609 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
1610
1611 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1612 ext + 4, ext_size ) ) != 0 )
1613 {
1614 return( ret );
1615 }
1616
1617 break;
1618 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1619
1620 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1621 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1622 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1623
1624 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1625 ext + 4, ext_size ) ) != 0 )
1626 {
1627 return( ret );
1628 }
1629
1630 break;
1631 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
1632
1633 #if defined(MBEDTLS_SSL_ALPN)
1634 case MBEDTLS_TLS_EXT_ALPN:
1635 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1636
1637 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1638 return( ret );
1639
1640 break;
1641 #endif /* MBEDTLS_SSL_ALPN */
1642
1643 default:
1644 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1645 ext_id ) );
1646 }
1647
1648 ext_len -= 4 + ext_size;
1649 ext += 4 + ext_size;
1650
1651 if( ext_len > 0 && ext_len < 4 )
1652 {
1653 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1654 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1655 }
1656 }
1657
1658 /*
1659 * Renegotiation security checks
1660 */
1661 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1662 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1663 {
1664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1665 handshake_failure = 1;
1666 }
1667 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1668 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1669 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1670 renegotiation_info_seen == 0 )
1671 {
1672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1673 handshake_failure = 1;
1674 }
1675 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1676 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1677 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
1678 {
1679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1680 handshake_failure = 1;
1681 }
1682 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1683 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1684 renegotiation_info_seen == 1 )
1685 {
1686 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1687 handshake_failure = 1;
1688 }
1689 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1690
1691 if( handshake_failure == 1 )
1692 {
1693 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1694 return( ret );
1695
1696 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1697 }
1698
1699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1700
1701 return( 0 );
1702 }
1703
1704 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1705 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1706 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
1707 unsigned char *end )
1708 {
1709 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1710
1711 /*
1712 * Ephemeral DH parameters:
1713 *
1714 * struct {
1715 * opaque dh_p<1..2^16-1>;
1716 * opaque dh_g<1..2^16-1>;
1717 * opaque dh_Ys<1..2^16-1>;
1718 * } ServerDHParams;
1719 */
1720 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
1721 {
1722 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
1723 return( ret );
1724 }
1725
1726 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
1727 {
1728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
1729 ssl->handshake->dhm_ctx.len * 8,
1730 ssl->conf->dhm_min_bitlen ) );
1731 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1732 }
1733
1734 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
1735 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
1736 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
1737
1738 return( ret );
1739 }
1740 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
1741 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1742
1743 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1744 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1745 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
1746 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1747 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1748 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
1749 {
1750 const mbedtls_ecp_curve_info *curve_info;
1751
1752 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
1753 if( curve_info == NULL )
1754 {
1755 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1756 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1757 }
1758
1759 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
1760
1761 #if defined(MBEDTLS_ECP_C)
1762 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
1763 #else
1764 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
1765 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
1766 #endif
1767 return( -1 );
1768
1769 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
1770
1771 return( 0 );
1772 }
1773 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1774 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1775 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
1776 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
1777 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
1778
1779 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
1780 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
1781 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1782 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
1783 unsigned char **p,
1784 unsigned char *end )
1785 {
1786 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1787
1788 /*
1789 * Ephemeral ECDH parameters:
1790 *
1791 * struct {
1792 * ECParameters curve_params;
1793 * ECPoint public;
1794 * } ServerECDHParams;
1795 */
1796 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
1797 (const unsigned char **) p, end ) ) != 0 )
1798 {
1799 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
1800 return( ret );
1801 }
1802
1803 if( ssl_check_server_ecdh_params( ssl ) != 0 )
1804 {
1805 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
1806 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1807 }
1808
1809 return( ret );
1810 }
1811 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
1812 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
1813 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1814
1815 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1816 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
1817 unsigned char **p,
1818 unsigned char *end )
1819 {
1820 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1821 size_t len;
1822 ((void) ssl);
1823
1824 /*
1825 * PSK parameters:
1826 *
1827 * opaque psk_identity_hint<0..2^16-1>;
1828 */
1829 len = (*p)[0] << 8 | (*p)[1];
1830 *p += 2;
1831
1832 if( (*p) + len > end )
1833 {
1834 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (psk_identity_hint length)" ) );
1835 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1836 }
1837
1838 // TODO: Retrieve PSK identity hint and callback to app
1839 //
1840 *p += len;
1841 ret = 0;
1842
1843 return( ret );
1844 }
1845 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
1846
1847 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
1848 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1849 /*
1850 * Generate a pre-master secret and encrypt it with the server's RSA key
1851 */
1852 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
1853 size_t offset, size_t *olen,
1854 size_t pms_offset )
1855 {
1856 int ret;
1857 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
1858 unsigned char *p = ssl->handshake->premaster + pms_offset;
1859
1860 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN )
1861 {
1862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
1863 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1864 }
1865
1866 /*
1867 * Generate (part of) the pre-master as
1868 * struct {
1869 * ProtocolVersion client_version;
1870 * opaque random[46];
1871 * } PreMasterSecret;
1872 */
1873 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
1874 ssl->conf->transport, p );
1875
1876 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
1877 {
1878 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
1879 return( ret );
1880 }
1881
1882 ssl->handshake->pmslen = 48;
1883
1884 if( ssl->session_negotiate->peer_cert == NULL )
1885 {
1886 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
1887 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1888 }
1889
1890 /*
1891 * Now write it out, encrypted
1892 */
1893 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1894 MBEDTLS_PK_RSA ) )
1895 {
1896 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
1897 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
1898 }
1899
1900 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
1901 p, ssl->handshake->pmslen,
1902 ssl->out_msg + offset + len_bytes, olen,
1903 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes,
1904 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1905 {
1906 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
1907 return( ret );
1908 }
1909
1910 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1911 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1912 if( len_bytes == 2 )
1913 {
1914 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
1915 ssl->out_msg[offset+1] = (unsigned char)( *olen );
1916 *olen += 2;
1917 }
1918 #endif
1919
1920 return( 0 );
1921 }
1922 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
1923 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1924
1925 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1926 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
1927 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
1928 unsigned char **p,
1929 unsigned char *end,
1930 mbedtls_md_type_t *md_alg,
1931 mbedtls_pk_type_t *pk_alg )
1932 {
1933 ((void) ssl);
1934 *md_alg = MBEDTLS_MD_NONE;
1935 *pk_alg = MBEDTLS_PK_NONE;
1936
1937 /* Only in TLS 1.2 */
1938 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
1939 {
1940 return( 0 );
1941 }
1942
1943 if( (*p) + 2 > end )
1944 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1945
1946 /*
1947 * Get hash algorithm
1948 */
1949 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
1950 {
1951 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used unsupported "
1952 "HashAlgorithm %d", *(p)[0] ) );
1953 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1954 }
1955
1956 /*
1957 * Get signature algorithm
1958 */
1959 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
1960 {
1961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used unsupported "
1962 "SignatureAlgorithm %d", (*p)[1] ) );
1963 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1964 }
1965
1966 /*
1967 * Check if the hash is acceptable
1968 */
1969 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
1970 {
1971 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server used HashAlgorithm "
1972 "that was not offered" ) );
1973 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
1974 }
1975
1976 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
1977 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
1978 *p += 2;
1979
1980 return( 0 );
1981 }
1982 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */
1983 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1984
1985 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
1986 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
1987 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
1988 {
1989 int ret;
1990 const mbedtls_ecp_keypair *peer_key;
1991
1992 if( ssl->session_negotiate->peer_cert == NULL )
1993 {
1994 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
1995 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1996 }
1997
1998 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
1999 MBEDTLS_PK_ECKEY ) )
2000 {
2001 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2002 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2003 }
2004
2005 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
2006
2007 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2008 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2009 {
2010 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2011 return( ret );
2012 }
2013
2014 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2015 {
2016 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2017 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2018 }
2019
2020 return( ret );
2021 }
2022 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2023 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2024
2025 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2026 {
2027 int ret;
2028 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2029 unsigned char *p, *end;
2030
2031 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2032
2033 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2034 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2035 {
2036 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2037 ssl->state++;
2038 return( 0 );
2039 }
2040 ((void) p);
2041 ((void) end);
2042 #endif
2043
2044 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2045 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2046 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2047 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2048 {
2049 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2050 {
2051 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2052 return( ret );
2053 }
2054
2055 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2056 ssl->state++;
2057 return( 0 );
2058 }
2059 ((void) p);
2060 ((void) end);
2061 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2062 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2063
2064 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2065 {
2066 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2067 return( ret );
2068 }
2069
2070 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2071 {
2072 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2073 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2074 }
2075
2076 /*
2077 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2078 * doesn't use a psk_identity_hint
2079 */
2080 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2081 {
2082 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2083 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2084 {
2085 ssl->record_read = 1;
2086 goto exit;
2087 }
2088
2089 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2090 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2091 }
2092
2093 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2094 end = ssl->in_msg + ssl->in_hslen;
2095 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2096
2097 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2098 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2099 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2100 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2101 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2102 {
2103 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2104 {
2105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2106 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2107 }
2108 } /* FALLTROUGH */
2109 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2110
2111 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2112 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2113 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2114 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2115 ; /* nothing more to do */
2116 else
2117 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2118 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2119 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2120 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2121 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2122 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2123 {
2124 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2125 {
2126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2127 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2128 }
2129 }
2130 else
2131 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2132 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2133 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2134 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2135 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2136 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2137 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2138 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2139 {
2140 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2141 {
2142 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2143 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2144 }
2145 }
2146 else
2147 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2148 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2149 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2150 {
2151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2152 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2153 }
2154
2155 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2156 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2157 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2158 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2159 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2160 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2161 {
2162 size_t sig_len, hashlen;
2163 unsigned char hash[64];
2164 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2165 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2166 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2167 size_t params_len = p - params;
2168
2169 /*
2170 * Handle the digitally-signed structure
2171 */
2172 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2173 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2174 {
2175 if( ssl_parse_signature_algorithm( ssl, &p, end,
2176 &md_alg, &pk_alg ) != 0 )
2177 {
2178 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2179 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2180 }
2181
2182 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2183 {
2184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2185 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2186 }
2187 }
2188 else
2189 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2190 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2191 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2192 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2193 {
2194 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2195
2196 /* Default hash for ECDSA is SHA-1 */
2197 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2198 md_alg = MBEDTLS_MD_SHA1;
2199 }
2200 else
2201 #endif
2202 {
2203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2204 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2205 }
2206
2207 /*
2208 * Read signature
2209 */
2210 sig_len = ( p[0] << 8 ) | p[1];
2211 p += 2;
2212
2213 if( end != p + sig_len )
2214 {
2215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2216 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2217 }
2218
2219 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2220
2221 /*
2222 * Compute the hash that has been signed
2223 */
2224 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2225 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2226 if( md_alg == MBEDTLS_MD_NONE )
2227 {
2228 mbedtls_md5_context mbedtls_md5;
2229 mbedtls_sha1_context mbedtls_sha1;
2230
2231 mbedtls_md5_init( &mbedtls_md5 );
2232 mbedtls_sha1_init( &mbedtls_sha1 );
2233
2234 hashlen = 36;
2235
2236 /*
2237 * digitally-signed struct {
2238 * opaque md5_hash[16];
2239 * opaque sha_hash[20];
2240 * };
2241 *
2242 * md5_hash
2243 * MD5(ClientHello.random + ServerHello.random
2244 * + ServerParams);
2245 * sha_hash
2246 * SHA(ClientHello.random + ServerHello.random
2247 * + ServerParams);
2248 */
2249 mbedtls_md5_starts( &mbedtls_md5 );
2250 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
2251 mbedtls_md5_update( &mbedtls_md5, params, params_len );
2252 mbedtls_md5_finish( &mbedtls_md5, hash );
2253
2254 mbedtls_sha1_starts( &mbedtls_sha1 );
2255 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
2256 mbedtls_sha1_update( &mbedtls_sha1, params, params_len );
2257 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
2258
2259 mbedtls_md5_free( &mbedtls_md5 );
2260 mbedtls_sha1_free( &mbedtls_sha1 );
2261 }
2262 else
2263 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2264 MBEDTLS_SSL_PROTO_TLS1_1 */
2265 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2266 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2267 if( md_alg != MBEDTLS_MD_NONE )
2268 {
2269 mbedtls_md_context_t ctx;
2270
2271 mbedtls_md_init( &ctx );
2272
2273 /* Info from md_alg will be used instead */
2274 hashlen = 0;
2275
2276 /*
2277 * digitally-signed struct {
2278 * opaque client_random[32];
2279 * opaque server_random[32];
2280 * ServerDHParams params;
2281 * };
2282 */
2283 if( ( ret = mbedtls_md_setup( &ctx,
2284 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 )
2285 {
2286 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
2287 return( ret );
2288 }
2289
2290 mbedtls_md_starts( &ctx );
2291 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
2292 mbedtls_md_update( &ctx, params, params_len );
2293 mbedtls_md_finish( &ctx, hash );
2294 mbedtls_md_free( &ctx );
2295 }
2296 else
2297 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2298 MBEDTLS_SSL_PROTO_TLS1_2 */
2299 {
2300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2301 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2302 }
2303
2304 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2305 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
2306
2307 if( ssl->session_negotiate->peer_cert == NULL )
2308 {
2309 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2310 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2311 }
2312
2313 /*
2314 * Verify signature
2315 */
2316 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2317 {
2318 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2319 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2320 }
2321
2322 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
2323 md_alg, hash, hashlen, p, sig_len ) ) != 0 )
2324 {
2325 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
2326 return( ret );
2327 }
2328 }
2329 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2330 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2331 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2332
2333 exit:
2334 ssl->state++;
2335
2336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2337
2338 return( 0 );
2339 }
2340
2341 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2342 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2343 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2344 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2345 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2346 {
2347 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2348
2349 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2350
2351 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2352 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2353 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2354 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2355 {
2356 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2357 ssl->state++;
2358 return( 0 );
2359 }
2360
2361 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2362 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2363 }
2364 #else
2365 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2366 {
2367 int ret;
2368 unsigned char *buf, *p;
2369 size_t n = 0, m = 0;
2370 size_t cert_type_len = 0, dn_len = 0;
2371 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2372
2373 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2374
2375 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2376 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2377 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2378 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2379 {
2380 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2381 ssl->state++;
2382 return( 0 );
2383 }
2384
2385 if( ssl->record_read == 0 )
2386 {
2387 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2388 {
2389 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2390 return( ret );
2391 }
2392
2393 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2394 {
2395 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2396 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2397 }
2398
2399 ssl->record_read = 1;
2400 }
2401
2402 ssl->client_auth = 0;
2403 ssl->state++;
2404
2405 if( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST )
2406 ssl->client_auth++;
2407
2408 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
2409 ssl->client_auth ? "a" : "no" ) );
2410
2411 if( ssl->client_auth == 0 )
2412 goto exit;
2413
2414 ssl->record_read = 0;
2415
2416 // TODO: handshake_failure alert for an anonymous server to request
2417 // client authentication
2418
2419 /*
2420 * struct {
2421 * ClientCertificateType certificate_types<1..2^8-1>;
2422 * SignatureAndHashAlgorithm
2423 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2424 * DistinguishedName certificate_authorities<0..2^16-1>;
2425 * } CertificateRequest;
2426 */
2427 buf = ssl->in_msg;
2428
2429 // Retrieve cert types
2430 //
2431 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
2432 n = cert_type_len;
2433
2434 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
2435 {
2436 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2437 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2438 }
2439
2440 p = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 1;
2441 while( cert_type_len > 0 )
2442 {
2443 #if defined(MBEDTLS_RSA_C)
2444 if( *p == MBEDTLS_SSL_CERT_TYPE_RSA_SIGN &&
2445 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
2446 {
2447 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2448 break;
2449 }
2450 else
2451 #endif
2452 #if defined(MBEDTLS_ECDSA_C)
2453 if( *p == MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN &&
2454 mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
2455 {
2456 ssl->handshake->cert_type = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2457 break;
2458 }
2459 else
2460 #endif
2461 {
2462 ; /* Unsupported cert type, ignore */
2463 }
2464
2465 cert_type_len--;
2466 p++;
2467 }
2468
2469 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2470 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2471 {
2472 /* Ignored, see comments about hash in write_certificate_verify */
2473 // TODO: should check the signature part against our pk_key though
2474 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2475 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
2476
2477 m += 2;
2478 n += sig_alg_len;
2479
2480 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
2481 {
2482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2483 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2484 }
2485 }
2486 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2487
2488 /* Ignore certificate_authorities, we only have one cert anyway */
2489 // TODO: should not send cert if no CA matches
2490 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + m + n] << 8 )
2491 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + m + n] ) );
2492
2493 n += dn_len;
2494 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + m + n )
2495 {
2496 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2497 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2498 }
2499
2500 exit:
2501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2502
2503 return( 0 );
2504 }
2505 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2506 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2507 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2508 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2509
2510 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
2511 {
2512 int ret;
2513
2514 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
2515
2516 if( ssl->record_read == 0 )
2517 {
2518 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2519 {
2520 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2521 return( ret );
2522 }
2523
2524 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2525 {
2526 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2527 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2528 }
2529 }
2530 ssl->record_read = 0;
2531
2532 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
2533 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
2534 {
2535 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2536 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
2537 }
2538
2539 ssl->state++;
2540
2541 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2542 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2543 mbedtls_ssl_recv_flight_completed( ssl );
2544 #endif
2545
2546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
2547
2548 return( 0 );
2549 }
2550
2551 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
2552 {
2553 int ret;
2554 size_t i, n;
2555 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2556
2557 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
2558
2559 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
2560 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
2561 {
2562 /*
2563 * DHM key exchange -- send G^X mod P
2564 */
2565 n = ssl->handshake->dhm_ctx.len;
2566
2567 ssl->out_msg[4] = (unsigned char)( n >> 8 );
2568 ssl->out_msg[5] = (unsigned char)( n );
2569 i = 6;
2570
2571 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2572 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
2573 &ssl->out_msg[i], n,
2574 ssl->conf->f_rng, ssl->conf->p_rng );
2575 if( ret != 0 )
2576 {
2577 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
2578 return( ret );
2579 }
2580
2581 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2582 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2583
2584 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
2585 ssl->handshake->premaster,
2586 MBEDTLS_PREMASTER_SIZE,
2587 &ssl->handshake->pmslen,
2588 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2589 {
2590 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
2591 return( ret );
2592 }
2593
2594 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2595 }
2596 else
2597 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2598 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2599 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2600 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2601 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2602 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2603 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2604 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2605 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2606 {
2607 /*
2608 * ECDH key exchange -- send client public value
2609 */
2610 i = 4;
2611
2612 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
2613 &n,
2614 &ssl->out_msg[i], 1000,
2615 ssl->conf->f_rng, ssl->conf->p_rng );
2616 if( ret != 0 )
2617 {
2618 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
2619 return( ret );
2620 }
2621
2622 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2623
2624 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
2625 &ssl->handshake->pmslen,
2626 ssl->handshake->premaster,
2627 MBEDTLS_MPI_MAX_SIZE,
2628 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2629 {
2630 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
2631 return( ret );
2632 }
2633
2634 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
2635 }
2636 else
2637 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2638 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2639 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2640 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2641 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2642 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2643 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2644 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2645 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2646 {
2647 /*
2648 * opaque psk_identity<0..2^16-1>;
2649 */
2650 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
2651 {
2652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
2653 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
2654 }
2655
2656 i = 4;
2657 n = ssl->conf->psk_identity_len;
2658
2659 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2660 {
2661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
2662 "SSL buffer too short" ) );
2663 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2664 }
2665
2666 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2667 ssl->out_msg[i++] = (unsigned char)( n );
2668
2669 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
2670 i += ssl->conf->psk_identity_len;
2671
2672 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
2673 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
2674 {
2675 n = 0;
2676 }
2677 else
2678 #endif
2679 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2680 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2681 {
2682 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
2683 return( ret );
2684 }
2685 else
2686 #endif
2687 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2688 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2689 {
2690 /*
2691 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
2692 */
2693 n = ssl->handshake->dhm_ctx.len;
2694
2695 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN )
2696 {
2697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
2698 " or SSL buffer too short" ) );
2699 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2700 }
2701
2702 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
2703 ssl->out_msg[i++] = (unsigned char)( n );
2704
2705 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2706 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
2707 &ssl->out_msg[i], n,
2708 ssl->conf->f_rng, ssl->conf->p_rng );
2709 if( ret != 0 )
2710 {
2711 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
2712 return( ret );
2713 }
2714 }
2715 else
2716 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2717 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2718 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2719 {
2720 /*
2721 * ClientECDiffieHellmanPublic public;
2722 */
2723 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
2724 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i,
2725 ssl->conf->f_rng, ssl->conf->p_rng );
2726 if( ret != 0 )
2727 {
2728 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
2729 return( ret );
2730 }
2731
2732 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
2733 }
2734 else
2735 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2736 {
2737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2738 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2739 }
2740
2741 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
2742 ciphersuite_info->key_exchange ) ) != 0 )
2743 {
2744 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
2745 return( ret );
2746 }
2747 }
2748 else
2749 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2750 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2751 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2752 {
2753 i = 4;
2754 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
2755 return( ret );
2756 }
2757 else
2758 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
2759 {
2760 ((void) ciphersuite_info);
2761 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2762 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2763 }
2764
2765 ssl->out_msglen = i + n;
2766 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2767 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
2768
2769 ssl->state++;
2770
2771 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
2772 {
2773 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2774 return( ret );
2775 }
2776
2777 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
2778
2779 return( 0 );
2780 }
2781
2782 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2783 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2784 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2785 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2786 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
2787 {
2788 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2789 int ret;
2790
2791 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2792
2793 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2794 {
2795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2796 return( ret );
2797 }
2798
2799 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2800 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2801 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2802 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2803 {
2804 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2805 ssl->state++;
2806 return( 0 );
2807 }
2808
2809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2810 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2811 }
2812 #else
2813 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
2814 {
2815 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2816 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2817 size_t n = 0, offset = 0;
2818 unsigned char hash[48];
2819 unsigned char *hash_start = hash;
2820 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2821 unsigned int hashlen;
2822
2823 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
2824
2825 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2826 {
2827 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2828 return( ret );
2829 }
2830
2831 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2832 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2833 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2834 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2835 {
2836 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2837 ssl->state++;
2838 return( 0 );
2839 }
2840
2841 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
2842 {
2843 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
2844 ssl->state++;
2845 return( 0 );
2846 }
2847
2848 if( mbedtls_ssl_own_key( ssl ) == NULL )
2849 {
2850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
2851 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
2852 }
2853
2854 /*
2855 * Make an RSA signature of the handshake digests
2856 */
2857 ssl->handshake->calc_verify( ssl, hash );
2858
2859 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2860 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2861 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2862 {
2863 /*
2864 * digitally-signed struct {
2865 * opaque md5_hash[16];
2866 * opaque sha_hash[20];
2867 * };
2868 *
2869 * md5_hash
2870 * MD5(handshake_messages);
2871 *
2872 * sha_hash
2873 * SHA(handshake_messages);
2874 */
2875 hashlen = 36;
2876 md_alg = MBEDTLS_MD_NONE;
2877
2878 /*
2879 * For ECDSA, default hash is SHA-1 only
2880 */
2881 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
2882 {
2883 hash_start += 16;
2884 hashlen -= 16;
2885 md_alg = MBEDTLS_MD_SHA1;
2886 }
2887 }
2888 else
2889 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2890 MBEDTLS_SSL_PROTO_TLS1_1 */
2891 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2892 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2893 {
2894 /*
2895 * digitally-signed struct {
2896 * opaque handshake_messages[handshake_messages_length];
2897 * };
2898 *
2899 * Taking shortcut here. We assume that the server always allows the
2900 * PRF Hash function and has sent it in the allowed signature
2901 * algorithms list received in the Certificate Request message.
2902 *
2903 * Until we encounter a server that does not, we will take this
2904 * shortcut.
2905 *
2906 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
2907 * in order to satisfy 'weird' needs from the server side.
2908 */
2909 if( ssl->transform_negotiate->ciphersuite_info->mac ==
2910 MBEDTLS_MD_SHA384 )
2911 {
2912 md_alg = MBEDTLS_MD_SHA384;
2913 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
2914 }
2915 else
2916 {
2917 md_alg = MBEDTLS_MD_SHA256;
2918 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
2919 }
2920 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
2921
2922 /* Info from md_alg will be used instead */
2923 hashlen = 0;
2924 offset = 2;
2925 }
2926 else
2927 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2928 {
2929 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2930 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2931 }
2932
2933 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen,
2934 ssl->out_msg + 6 + offset, &n,
2935 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2936 {
2937 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
2938 return( ret );
2939 }
2940
2941 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
2942 ssl->out_msg[5 + offset] = (unsigned char)( n );
2943
2944 ssl->out_msglen = 6 + n + offset;
2945 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2946 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
2947
2948 ssl->state++;
2949
2950 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
2951 {
2952 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2953 return( ret );
2954 }
2955
2956 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
2957
2958 return( ret );
2959 }
2960 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2961 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2962 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
2963
2964 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2965 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
2966 {
2967 int ret;
2968 uint32_t lifetime;
2969 size_t ticket_len;
2970 unsigned char *ticket;
2971 const unsigned char *msg;
2972
2973 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
2974
2975 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
2976 {
2977 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2978 return( ret );
2979 }
2980
2981 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2982 {
2983 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
2984 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2985 }
2986
2987 /*
2988 * struct {
2989 * uint32 ticket_lifetime_hint;
2990 * opaque ticket<0..2^16-1>;
2991 * } NewSessionTicket;
2992 *
2993 * 0 . 3 ticket_lifetime_hint
2994 * 4 . 5 ticket_len (n)
2995 * 6 . 5+n ticket content
2996 */
2997 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
2998 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
2999 {
3000 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3001 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3002 }
3003
3004 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3005
3006 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) |
3007 ( msg[2] << 8 ) | ( msg[3] );
3008
3009 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3010
3011 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3012 {
3013 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3014 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3015 }
3016
3017 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3018
3019 /* We're not waiting for a NewSessionTicket message any more */
3020 ssl->handshake->new_session_ticket = 0;
3021 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3022
3023 /*
3024 * Zero-length ticket means the server changed his mind and doesn't want
3025 * to send a ticket after all, so just forget it
3026 */
3027 if( ticket_len == 0 )
3028 return( 0 );
3029
3030 mbedtls_zeroize( ssl->session_negotiate->ticket,
3031 ssl->session_negotiate->ticket_len );
3032 mbedtls_free( ssl->session_negotiate->ticket );
3033 ssl->session_negotiate->ticket = NULL;
3034 ssl->session_negotiate->ticket_len = 0;
3035
3036 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3037 {
3038 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3039 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3040 }
3041
3042 memcpy( ticket, msg + 6, ticket_len );
3043
3044 ssl->session_negotiate->ticket = ticket;
3045 ssl->session_negotiate->ticket_len = ticket_len;
3046 ssl->session_negotiate->ticket_lifetime = lifetime;
3047
3048 /*
3049 * RFC 5077 section 3.4:
3050 * "If the client receives a session ticket from the server, then it
3051 * discards any Session ID that was sent in the ServerHello."
3052 */
3053 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3054 ssl->session_negotiate->id_len = 0;
3055
3056 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3057
3058 return( 0 );
3059 }
3060 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3061
3062 /*
3063 * SSL handshake -- client side -- single step
3064 */
3065 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3066 {
3067 int ret = 0;
3068
3069 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3070 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3071
3072 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3073
3074 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3075 return( ret );
3076
3077 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3078 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3079 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3080 {
3081 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3082 return( ret );
3083 }
3084 #endif
3085
3086 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3087 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3088 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3089 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3090 ssl->handshake->new_session_ticket != 0 )
3091 {
3092 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3093 }
3094 #endif
3095
3096 switch( ssl->state )
3097 {
3098 case MBEDTLS_SSL_HELLO_REQUEST:
3099 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3100 break;
3101
3102 /*
3103 * ==> ClientHello
3104 */
3105 case MBEDTLS_SSL_CLIENT_HELLO:
3106 ret = ssl_write_client_hello( ssl );
3107 break;
3108
3109 /*
3110 * <== ServerHello
3111 * Certificate
3112 * ( ServerKeyExchange )
3113 * ( CertificateRequest )
3114 * ServerHelloDone
3115 */
3116 case MBEDTLS_SSL_SERVER_HELLO:
3117 ret = ssl_parse_server_hello( ssl );
3118 break;
3119
3120 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3121 ret = mbedtls_ssl_parse_certificate( ssl );
3122 break;
3123
3124 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3125 ret = ssl_parse_server_key_exchange( ssl );
3126 break;
3127
3128 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3129 ret = ssl_parse_certificate_request( ssl );
3130 break;
3131
3132 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3133 ret = ssl_parse_server_hello_done( ssl );
3134 break;
3135
3136 /*
3137 * ==> ( Certificate/Alert )
3138 * ClientKeyExchange
3139 * ( CertificateVerify )
3140 * ChangeCipherSpec
3141 * Finished
3142 */
3143 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3144 ret = mbedtls_ssl_write_certificate( ssl );
3145 break;
3146
3147 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3148 ret = ssl_write_client_key_exchange( ssl );
3149 break;
3150
3151 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3152 ret = ssl_write_certificate_verify( ssl );
3153 break;
3154
3155 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3156 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
3157 break;
3158
3159 case MBEDTLS_SSL_CLIENT_FINISHED:
3160 ret = mbedtls_ssl_write_finished( ssl );
3161 break;
3162
3163 /*
3164 * <== ( NewSessionTicket )
3165 * ChangeCipherSpec
3166 * Finished
3167 */
3168 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3169 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
3170 ret = ssl_parse_new_session_ticket( ssl );
3171 break;
3172 #endif
3173
3174 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3175 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
3176 break;
3177
3178 case MBEDTLS_SSL_SERVER_FINISHED:
3179 ret = mbedtls_ssl_parse_finished( ssl );
3180 break;
3181
3182 case MBEDTLS_SSL_FLUSH_BUFFERS:
3183 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3184 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3185 break;
3186
3187 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3188 mbedtls_ssl_handshake_wrapup( ssl );
3189 break;
3190
3191 default:
3192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3193 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3194 }
3195
3196 return( ret );
3197 }
3198 #endif /* MBEDTLS_SSL_CLI_C */