2 * SSLv3/TLSv1 server-side functions
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
24 #if !defined(MBEDTLS_CONFIG_FILE)
25 #include "mbedtls/config.h"
27 #include MBEDTLS_CONFIG_FILE
30 #if defined(MBEDTLS_SSL_SRV_C)
32 #if defined(MBEDTLS_PLATFORM_C)
33 #include "mbedtls/platform.h"
36 #define mbedtls_calloc calloc
37 #define mbedtls_free free
40 #include "mbedtls/debug.h"
41 #include "mbedtls/ssl.h"
42 #include "mbedtls/ssl_internal.h"
46 #if defined(MBEDTLS_ECP_C)
47 #include "mbedtls/ecp.h"
50 #if defined(MBEDTLS_HAVE_TIME)
51 #include "mbedtls/platform_time.h"
54 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
55 /* Implementation that should never be optimized out by the compiler */
56 static void mbedtls_zeroize( void *v
, size_t n
) {
57 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
61 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
62 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context
*ssl
,
63 const unsigned char *info
,
66 if( ssl
->conf
->endpoint
!= MBEDTLS_SSL_IS_SERVER
)
67 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
69 mbedtls_free( ssl
->cli_id
);
71 if( ( ssl
->cli_id
= mbedtls_calloc( 1, ilen
) ) == NULL
)
72 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
74 memcpy( ssl
->cli_id
, info
, ilen
);
75 ssl
->cli_id_len
= ilen
;
80 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config
*conf
,
81 mbedtls_ssl_cookie_write_t
*f_cookie_write
,
82 mbedtls_ssl_cookie_check_t
*f_cookie_check
,
85 conf
->f_cookie_write
= f_cookie_write
;
86 conf
->f_cookie_check
= f_cookie_check
;
87 conf
->p_cookie
= p_cookie
;
89 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
91 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
92 static int ssl_parse_servername_ext( mbedtls_ssl_context
*ssl
,
93 const unsigned char *buf
,
97 size_t servername_list_size
, hostname_len
;
98 const unsigned char *p
;
100 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
102 servername_list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
103 if( servername_list_size
+ 2 != len
)
105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
106 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
110 while( servername_list_size
> 0 )
112 hostname_len
= ( ( p
[1] << 8 ) | p
[2] );
113 if( hostname_len
+ 3 > servername_list_size
)
115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
116 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
119 if( p
[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
)
121 ret
= ssl
->conf
->f_sni( ssl
->conf
->p_sni
,
122 ssl
, p
+ 3, hostname_len
);
125 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret
);
126 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
127 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
);
128 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
133 servername_list_size
-= hostname_len
+ 3;
134 p
+= hostname_len
+ 3;
137 if( servername_list_size
!= 0 )
139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
140 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
145 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
147 static int ssl_parse_renegotiation_info( mbedtls_ssl_context
*ssl
,
148 const unsigned char *buf
,
153 #if defined(MBEDTLS_SSL_RENEGOTIATION)
154 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
156 /* Check verify-data in constant-time. The length OTOH is no secret */
157 if( len
!= 1 + ssl
->verify_data_len
||
158 buf
[0] != ssl
->verify_data_len
||
159 mbedtls_ssl_safer_memcmp( buf
+ 1, ssl
->peer_verify_data
,
160 ssl
->verify_data_len
) != 0 )
162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
164 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
167 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
171 #endif /* MBEDTLS_SSL_RENEGOTIATION */
173 if( len
!= 1 || buf
[0] != 0x0 )
175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
177 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
180 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
183 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
189 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
190 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
191 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context
*ssl
,
192 const unsigned char *buf
,
195 size_t sig_alg_list_size
;
196 const unsigned char *p
;
197 const unsigned char *end
= buf
+ len
;
201 sig_alg_list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
202 if( sig_alg_list_size
+ 2 != len
||
203 sig_alg_list_size
% 2 != 0 )
205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
206 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
210 * For now, ignore the SignatureAlgorithm part and rely on offered
211 * ciphersuites only for that part. To be fixed later.
213 * So, just look at the HashAlgorithm part.
215 for( md_cur
= ssl
->conf
->sig_hashes
; *md_cur
!= MBEDTLS_MD_NONE
; md_cur
++ ) {
216 for( p
= buf
+ 2; p
< end
; p
+= 2 ) {
217 if( *md_cur
== (int) mbedtls_ssl_md_alg_from_hash( p
[0] ) ) {
218 ssl
->handshake
->sig_alg
= p
[0];
224 /* Some key echanges do not need signatures at all */
225 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
229 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
230 ssl
->handshake
->sig_alg
) );
234 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
235 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
237 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
238 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
239 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context
*ssl
,
240 const unsigned char *buf
,
243 size_t list_size
, our_size
;
244 const unsigned char *p
;
245 const mbedtls_ecp_curve_info
*curve_info
, **curves
;
247 list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
248 if( list_size
+ 2 != len
||
251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
252 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
255 /* Should never happen unless client duplicates the extension */
256 if( ssl
->handshake
->curves
!= NULL
)
258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
259 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
262 /* Don't allow our peer to make us allocate too much memory,
263 * and leave room for a final 0 */
264 our_size
= list_size
/ 2 + 1;
265 if( our_size
> MBEDTLS_ECP_DP_MAX
)
266 our_size
= MBEDTLS_ECP_DP_MAX
;
268 if( ( curves
= mbedtls_calloc( our_size
, sizeof( *curves
) ) ) == NULL
)
269 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
271 ssl
->handshake
->curves
= curves
;
274 while( list_size
> 0 && our_size
> 1 )
276 curve_info
= mbedtls_ecp_curve_info_from_tls_id( ( p
[0] << 8 ) | p
[1] );
278 if( curve_info
!= NULL
)
280 *curves
++ = curve_info
;
291 static int ssl_parse_supported_point_formats( mbedtls_ssl_context
*ssl
,
292 const unsigned char *buf
,
296 const unsigned char *p
;
299 if( list_size
+ 1 != len
)
301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
302 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
306 while( list_size
> 0 )
308 if( p
[0] == MBEDTLS_ECP_PF_UNCOMPRESSED
||
309 p
[0] == MBEDTLS_ECP_PF_COMPRESSED
)
311 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
312 ssl
->handshake
->ecdh_ctx
.point_format
= p
[0];
314 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
315 ssl
->handshake
->ecjpake_ctx
.point_format
= p
[0];
317 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p
[0] ) );
327 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
328 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
330 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
331 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context
*ssl
,
332 const unsigned char *buf
,
337 if( mbedtls_ecjpake_check( &ssl
->handshake
->ecjpake_ctx
) != 0 )
339 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
343 if( ( ret
= mbedtls_ecjpake_read_round_one( &ssl
->handshake
->ecjpake_ctx
,
346 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret
);
350 /* Only mark the extension as OK when we're sure it is */
351 ssl
->handshake
->cli_exts
|= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK
;
355 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
357 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
358 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context
*ssl
,
359 const unsigned char *buf
,
362 if( len
!= 1 || buf
[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
)
364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
365 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
368 ssl
->session_negotiate
->mfl_code
= buf
[0];
372 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
374 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
375 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context
*ssl
,
376 const unsigned char *buf
,
381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
382 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
387 if( ssl
->conf
->trunc_hmac
== MBEDTLS_SSL_TRUNC_HMAC_ENABLED
)
388 ssl
->session_negotiate
->trunc_hmac
= MBEDTLS_SSL_TRUNC_HMAC_ENABLED
;
392 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
394 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
395 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context
*ssl
,
396 const unsigned char *buf
,
401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
402 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
407 if( ssl
->conf
->encrypt_then_mac
== MBEDTLS_SSL_ETM_ENABLED
&&
408 ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
410 ssl
->session_negotiate
->encrypt_then_mac
= MBEDTLS_SSL_ETM_ENABLED
;
415 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
417 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
418 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context
*ssl
,
419 const unsigned char *buf
,
424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
425 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
430 if( ssl
->conf
->extended_ms
== MBEDTLS_SSL_EXTENDED_MS_ENABLED
&&
431 ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
433 ssl
->handshake
->extended_ms
= MBEDTLS_SSL_EXTENDED_MS_ENABLED
;
438 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
440 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
441 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context
*ssl
,
446 mbedtls_ssl_session session
;
448 mbedtls_ssl_session_init( &session
);
450 if( ssl
->conf
->f_ticket_parse
== NULL
||
451 ssl
->conf
->f_ticket_write
== NULL
)
456 /* Remember the client asked us to send a new ticket */
457 ssl
->handshake
->new_session_ticket
= 1;
459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len
) );
464 #if defined(MBEDTLS_SSL_RENEGOTIATION)
465 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
467 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
470 #endif /* MBEDTLS_SSL_RENEGOTIATION */
473 * Failures are ok: just ignore the ticket and proceed.
475 if( ( ret
= ssl
->conf
->f_ticket_parse( ssl
->conf
->p_ticket
, &session
,
478 mbedtls_ssl_session_free( &session
);
480 if( ret
== MBEDTLS_ERR_SSL_INVALID_MAC
)
481 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
482 else if( ret
== MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
)
483 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
485 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret
);
491 * Keep the session ID sent by the client, since we MUST send it back to
492 * inform them we're accepting the ticket (RFC 5077 section 3.4)
494 session
.id_len
= ssl
->session_negotiate
->id_len
;
495 memcpy( &session
.id
, ssl
->session_negotiate
->id
, session
.id_len
);
497 mbedtls_ssl_session_free( ssl
->session_negotiate
);
498 memcpy( ssl
->session_negotiate
, &session
, sizeof( mbedtls_ssl_session
) );
500 /* Zeroize instead of free as we copied the content */
501 mbedtls_zeroize( &session
, sizeof( mbedtls_ssl_session
) );
503 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
505 ssl
->handshake
->resume
= 1;
507 /* Don't send a new ticket after all, this one is OK */
508 ssl
->handshake
->new_session_ticket
= 0;
512 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
514 #if defined(MBEDTLS_SSL_ALPN)
515 static int ssl_parse_alpn_ext( mbedtls_ssl_context
*ssl
,
516 const unsigned char *buf
, size_t len
)
518 size_t list_len
, cur_len
, ours_len
;
519 const unsigned char *theirs
, *start
, *end
;
522 /* If ALPN not configured, just ignore the extension */
523 if( ssl
->conf
->alpn_list
== NULL
)
527 * opaque ProtocolName<1..2^8-1>;
530 * ProtocolName protocol_name_list<2..2^16-1>
531 * } ProtocolNameList;
534 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
536 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
538 list_len
= ( buf
[0] << 8 ) | buf
[1];
539 if( list_len
!= len
- 2 )
540 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
543 * Use our order of preference
547 for( ours
= ssl
->conf
->alpn_list
; *ours
!= NULL
; ours
++ )
549 ours_len
= strlen( *ours
);
550 for( theirs
= start
; theirs
!= end
; theirs
+= cur_len
)
552 /* If the list is well formed, we should get equality first */
554 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
558 /* Empty strings MUST NOT be included */
560 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
562 if( cur_len
== ours_len
&&
563 memcmp( theirs
, *ours
, cur_len
) == 0 )
565 ssl
->alpn_chosen
= *ours
;
571 /* If we get there, no match was found */
572 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
573 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
);
574 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
576 #endif /* MBEDTLS_SSL_ALPN */
579 * Auxiliary functions for ServerHello parsing and related actions
582 #if defined(MBEDTLS_X509_CRT_PARSE_C)
584 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
586 #if defined(MBEDTLS_ECDSA_C)
587 static int ssl_check_key_curve( mbedtls_pk_context
*pk
,
588 const mbedtls_ecp_curve_info
**curves
)
590 const mbedtls_ecp_curve_info
**crv
= curves
;
591 mbedtls_ecp_group_id grp_id
= mbedtls_pk_ec( *pk
)->grp
.id
;
593 while( *crv
!= NULL
)
595 if( (*crv
)->grp_id
== grp_id
)
602 #endif /* MBEDTLS_ECDSA_C */
605 * Try picking a certificate for this ciphersuite,
606 * return 0 on success and -1 on failure.
608 static int ssl_pick_cert( mbedtls_ssl_context
*ssl
,
609 const mbedtls_ssl_ciphersuite_t
* ciphersuite_info
)
611 mbedtls_ssl_key_cert
*cur
, *list
, *fallback
= NULL
;
612 mbedtls_pk_type_t pk_alg
= mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info
);
615 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
616 if( ssl
->handshake
->sni_key_cert
!= NULL
)
617 list
= ssl
->handshake
->sni_key_cert
;
620 list
= ssl
->conf
->key_cert
;
622 if( pk_alg
== MBEDTLS_PK_NONE
)
625 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
629 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
633 for( cur
= list
; cur
!= NULL
; cur
= cur
->next
)
635 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
638 if( ! mbedtls_pk_can_do( cur
->key
, pk_alg
) )
640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
645 * This avoids sending the client a cert it'll reject based on
646 * keyUsage or other extensions.
648 * It also allows the user to provision different certificates for
649 * different uses based on keyUsage, eg if they want to avoid signing
650 * and decrypting with the same RSA key.
652 if( mbedtls_ssl_check_cert_usage( cur
->cert
, ciphersuite_info
,
653 MBEDTLS_SSL_IS_SERVER
, &flags
) != 0 )
655 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
656 "(extended) key usage extension" ) );
660 #if defined(MBEDTLS_ECDSA_C)
661 if( pk_alg
== MBEDTLS_PK_ECDSA
&&
662 ssl_check_key_curve( cur
->key
, ssl
->handshake
->curves
) != 0 )
664 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
670 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
671 * present them a SHA-higher cert rather than failing if it's the only
672 * one we got that satisfies the other conditions.
674 if( ssl
->minor_ver
< MBEDTLS_SSL_MINOR_VERSION_3
&&
675 cur
->cert
->sig_md
!= MBEDTLS_MD_SHA1
)
677 if( fallback
== NULL
)
680 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
681 "sha-2 with pre-TLS 1.2 client" ) );
686 /* If we get there, we got a winner */
693 /* Do not update ssl->handshake->key_cert unless there is a match */
696 ssl
->handshake
->key_cert
= cur
;
697 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
698 ssl
->handshake
->key_cert
->cert
);
704 #endif /* MBEDTLS_X509_CRT_PARSE_C */
707 * Check if a given ciphersuite is suitable for use with our config/keys/etc
708 * Sets ciphersuite_info only if the suite matches.
710 static int ssl_ciphersuite_match( mbedtls_ssl_context
*ssl
, int suite_id
,
711 const mbedtls_ssl_ciphersuite_t
**ciphersuite_info
)
713 const mbedtls_ssl_ciphersuite_t
*suite_info
;
715 suite_info
= mbedtls_ssl_ciphersuite_from_id( suite_id
);
716 if( suite_info
== NULL
)
718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
722 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info
->name
) );
724 if( suite_info
->min_minor_ver
> ssl
->minor_ver
||
725 suite_info
->max_minor_ver
< ssl
->minor_ver
)
727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
731 #if defined(MBEDTLS_SSL_PROTO_DTLS)
732 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
733 ( suite_info
->flags
& MBEDTLS_CIPHERSUITE_NODTLS
) )
737 #if defined(MBEDTLS_ARC4_C)
738 if( ssl
->conf
->arc4_disabled
== MBEDTLS_SSL_ARC4_DISABLED
&&
739 suite_info
->cipher
== MBEDTLS_CIPHER_ARC4_128
)
741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
746 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
747 if( suite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
&&
748 ( ssl
->handshake
->cli_exts
& MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK
) == 0 )
750 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
751 "not configured or ext missing" ) );
757 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
758 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info
) &&
759 ( ssl
->handshake
->curves
== NULL
||
760 ssl
->handshake
->curves
[0] == NULL
) )
762 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
763 "no common elliptic curve" ) );
768 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
769 /* If the ciphersuite requires a pre-shared key and we don't
770 * have one, skip it now rather than failing later */
771 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info
) &&
772 ssl
->conf
->f_psk
== NULL
&&
773 ( ssl
->conf
->psk
== NULL
|| ssl
->conf
->psk_identity
== NULL
||
774 ssl
->conf
->psk_identity_len
== 0 || ssl
->conf
->psk_len
== 0 ) )
776 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
781 #if defined(MBEDTLS_X509_CRT_PARSE_C)
783 * Final check: if ciphersuite requires us to have a
784 * certificate/key of a particular type:
785 * - select the appropriate certificate if we have one, or
786 * - try the next ciphersuite if we don't
787 * This must be done last since we modify the key_cert list.
789 if( ssl_pick_cert( ssl
, suite_info
) != 0 )
791 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
792 "no suitable certificate" ) );
797 *ciphersuite_info
= suite_info
;
801 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
802 static int ssl_parse_client_hello_v2( mbedtls_ssl_context
*ssl
)
804 int ret
, got_common_suite
;
807 unsigned int ciph_len
, sess_len
, chal_len
;
808 unsigned char *buf
, *p
;
809 const int *ciphersuites
;
810 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
814 #if defined(MBEDTLS_SSL_RENEGOTIATION)
815 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
819 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
822 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
824 #endif /* MBEDTLS_SSL_RENEGOTIATION */
828 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf
, 5 );
830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
833 ( ( buf
[0] & 0x7F ) << 8 ) | buf
[1] ) );
834 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
841 * 0 . 1 message length
845 * 3 . 4 protocol version
847 if( buf
[2] != MBEDTLS_SSL_HS_CLIENT_HELLO
||
848 buf
[3] != MBEDTLS_SSL_MAJOR_VERSION_3
)
850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
851 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
854 n
= ( ( buf
[0] << 8 ) | buf
[1] ) & 0x7FFF;
856 if( n
< 17 || n
> 512 )
858 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
859 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
862 ssl
->major_ver
= MBEDTLS_SSL_MAJOR_VERSION_3
;
863 ssl
->minor_ver
= ( buf
[4] <= ssl
->conf
->max_minor_ver
)
864 ? buf
[4] : ssl
->conf
->max_minor_ver
;
866 if( ssl
->minor_ver
< ssl
->conf
->min_minor_ver
)
868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
869 " [%d:%d] < [%d:%d]",
870 ssl
->major_ver
, ssl
->minor_ver
,
871 ssl
->conf
->min_major_ver
, ssl
->conf
->min_minor_ver
) );
873 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
874 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
);
875 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
);
878 ssl
->handshake
->max_major_ver
= buf
[3];
879 ssl
->handshake
->max_minor_ver
= buf
[4];
881 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, 2 + n
) ) != 0 )
883 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
887 ssl
->handshake
->update_checksum( ssl
, buf
+ 2, n
);
890 n
= ssl
->in_left
- 5;
893 * 0 . 1 ciphersuitelist length
894 * 2 . 3 session id length
895 * 4 . 5 challenge length
896 * 6 . .. ciphersuitelist
900 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf
, n
);
902 ciph_len
= ( buf
[0] << 8 ) | buf
[1];
903 sess_len
= ( buf
[2] << 8 ) | buf
[3];
904 chal_len
= ( buf
[4] << 8 ) | buf
[5];
906 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
907 ciph_len
, sess_len
, chal_len
) );
910 * Make sure each parameter length is valid
912 if( ciph_len
< 3 || ( ciph_len
% 3 ) != 0 )
914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
915 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
921 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
924 if( chal_len
< 8 || chal_len
> 32 )
926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
927 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
930 if( n
!= 6 + ciph_len
+ sess_len
+ chal_len
)
932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
933 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
936 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
938 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
939 buf
+ 6 + ciph_len
, sess_len
);
940 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
941 buf
+ 6 + ciph_len
+ sess_len
, chal_len
);
943 p
= buf
+ 6 + ciph_len
;
944 ssl
->session_negotiate
->id_len
= sess_len
;
945 memset( ssl
->session_negotiate
->id
, 0,
946 sizeof( ssl
->session_negotiate
->id
) );
947 memcpy( ssl
->session_negotiate
->id
, p
, ssl
->session_negotiate
->id_len
);
950 memset( ssl
->handshake
->randbytes
, 0, 64 );
951 memcpy( ssl
->handshake
->randbytes
+ 32 - chal_len
, p
, chal_len
);
954 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
956 for( i
= 0, p
= buf
+ 6; i
< ciph_len
; i
+= 3, p
+= 3 )
958 if( p
[0] == 0 && p
[1] == 0 && p
[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
)
960 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
961 #if defined(MBEDTLS_SSL_RENEGOTIATION)
962 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
964 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
965 "during renegotiation" ) );
967 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
970 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
972 #endif /* MBEDTLS_SSL_RENEGOTIATION */
973 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
978 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
979 for( i
= 0, p
= buf
+ 6; i
< ciph_len
; i
+= 3, p
+= 3 )
982 p
[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
>> 8 ) & 0xff ) &&
983 p
[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
) & 0xff ) )
985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
987 if( ssl
->minor_ver
< ssl
->conf
->max_minor_ver
)
989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
991 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
992 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
);
994 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1000 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1002 got_common_suite
= 0;
1003 ciphersuites
= ssl
->conf
->ciphersuite_list
[ssl
->minor_ver
];
1004 ciphersuite_info
= NULL
;
1005 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1006 for( j
= 0, p
= buf
+ 6; j
< ciph_len
; j
+= 3, p
+= 3 )
1008 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1010 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1012 for( j
= 0, p
= buf
+ 6; j
< ciph_len
; j
+= 3, p
+= 3 )
1016 p
[1] != ( ( ciphersuites
[i
] >> 8 ) & 0xFF ) ||
1017 p
[2] != ( ( ciphersuites
[i
] ) & 0xFF ) )
1020 got_common_suite
= 1;
1022 if( ( ret
= ssl_ciphersuite_match( ssl
, ciphersuites
[i
],
1023 &ciphersuite_info
) ) != 0 )
1026 if( ciphersuite_info
!= NULL
)
1027 goto have_ciphersuite_v2
;
1031 if( got_common_suite
)
1033 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1034 "but none of them usable" ) );
1035 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
);
1039 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1040 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
1043 have_ciphersuite_v2
:
1044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info
->name
) );
1046 ssl
->session_negotiate
->ciphersuite
= ciphersuites
[i
];
1047 ssl
->transform_negotiate
->ciphersuite_info
= ciphersuite_info
;
1050 * SSLv2 Client Hello relevant renegotiation security checks
1052 if( ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1053 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
)
1055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1057 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
1060 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1070 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1072 static int ssl_parse_client_hello( mbedtls_ssl_context
*ssl
)
1074 int ret
, got_common_suite
;
1076 size_t ciph_offset
, comp_offset
, ext_offset
;
1077 size_t msg_len
, ciph_len
, sess_len
, comp_len
, ext_len
;
1078 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1079 size_t cookie_offset
, cookie_len
;
1081 unsigned char *buf
, *p
, *ext
;
1082 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1083 int renegotiation_info_seen
= 0;
1085 int handshake_failure
= 0;
1086 const int *ciphersuites
;
1087 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
1090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1092 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1096 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1097 * otherwise read it ourselves manually in order to support SSLv2
1098 * ClientHello, which doesn't use the same record layer format.
1100 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1101 if( ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1104 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, 5 ) ) != 0 )
1106 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
1113 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1114 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1115 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_STREAM
)
1117 if( ( buf
[0] & 0x80 ) != 0 )
1118 return ssl_parse_client_hello_v2( ssl
);
1121 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf
, mbedtls_ssl_hdr_len( ssl
) );
1124 * SSLv3/TLS Client Hello
1127 * 0 . 0 message type
1128 * 1 . 2 protocol version
1129 * 3 . 11 DTLS: epoch + record sequence number
1130 * 3 . 4 message length
1132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1135 if( buf
[0] != MBEDTLS_SSL_MSG_HANDSHAKE
)
1137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1138 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1141 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1142 ( ssl
->in_len
[0] << 8 ) | ssl
->in_len
[1] ) );
1144 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
1147 mbedtls_ssl_read_version( &major
, &minor
, ssl
->conf
->transport
, buf
+ 1 );
1149 /* According to RFC 5246 Appendix E.1, the version here is typically
1150 * "{03,00}, the lowest version number supported by the client, [or] the
1151 * value of ClientHello.client_version", so the only meaningful check here
1152 * is the major version shouldn't be less than 3 */
1153 if( major
< MBEDTLS_SSL_MAJOR_VERSION_3
)
1155 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1156 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1159 /* For DTLS if this is the initial handshake, remember the client sequence
1160 * number to use it in our next message (RFC 6347 4.2.1) */
1161 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1162 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
1163 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1164 && ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
1168 /* Epoch should be 0 for initial handshakes */
1169 if( ssl
->in_ctr
[0] != 0 || ssl
->in_ctr
[1] != 0 )
1171 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1172 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1175 memcpy( ssl
->out_ctr
+ 2, ssl
->in_ctr
+ 2, 6 );
1177 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1178 if( mbedtls_ssl_dtls_replay_check( ssl
) != 0 )
1180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1181 ssl
->next_record_offset
= 0;
1183 goto read_record_header
;
1186 /* No MAC to check yet, so we can update right now */
1187 mbedtls_ssl_dtls_replay_update( ssl
);
1190 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1192 msg_len
= ( ssl
->in_len
[0] << 8 ) | ssl
->in_len
[1];
1194 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1195 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1197 /* Set by mbedtls_ssl_read_record() */
1198 msg_len
= ssl
->in_hslen
;
1203 if( msg_len
> MBEDTLS_SSL_MAX_CONTENT_LEN
)
1205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1206 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1209 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, mbedtls_ssl_hdr_len( ssl
) + msg_len
) ) != 0 )
1211 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
1215 /* Done reading this record, get ready for the next one */
1216 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1217 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1218 ssl
->next_record_offset
= msg_len
+ mbedtls_ssl_hdr_len( ssl
);
1226 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf
, msg_len
);
1228 ssl
->handshake
->update_checksum( ssl
, buf
, msg_len
);
1232 * 0 . 0 handshake type
1233 * 1 . 3 handshake length
1234 * 4 . 5 DTLS only: message seqence number
1235 * 6 . 8 DTLS only: fragment offset
1236 * 9 . 11 DTLS only: fragment length
1238 if( msg_len
< mbedtls_ssl_hs_hdr_len( ssl
) )
1240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1241 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1244 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf
[0] ) );
1246 if( buf
[0] != MBEDTLS_SSL_HS_CLIENT_HELLO
)
1248 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1249 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1252 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1253 ( buf
[1] << 16 ) | ( buf
[2] << 8 ) | buf
[3] ) );
1255 /* We don't support fragmentation of ClientHello (yet?) */
1257 msg_len
!= mbedtls_ssl_hs_hdr_len( ssl
) + ( ( buf
[2] << 8 ) | buf
[3] ) )
1259 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1260 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1263 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1264 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1267 * Copy the client's handshake message_seq on initial handshakes,
1268 * check sequence number on renego.
1270 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1271 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1273 /* This couldn't be done in ssl_prepare_handshake_record() */
1274 unsigned int cli_msg_seq
= ( ssl
->in_msg
[4] << 8 ) |
1277 if( cli_msg_seq
!= ssl
->handshake
->in_msg_seq
)
1279 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1280 "%d (expected %d)", cli_msg_seq
,
1281 ssl
->handshake
->in_msg_seq
) );
1282 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1285 ssl
->handshake
->in_msg_seq
++;
1290 unsigned int cli_msg_seq
= ( ssl
->in_msg
[4] << 8 ) |
1292 ssl
->handshake
->out_msg_seq
= cli_msg_seq
;
1293 ssl
->handshake
->in_msg_seq
= cli_msg_seq
+ 1;
1297 * For now we don't support fragmentation, so make sure
1298 * fragment_offset == 0 and fragment_length == length
1300 if( ssl
->in_msg
[6] != 0 || ssl
->in_msg
[7] != 0 || ssl
->in_msg
[8] != 0 ||
1301 memcmp( ssl
->in_msg
+ 1, ssl
->in_msg
+ 9, 3 ) != 0 )
1303 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1304 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
1307 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1309 buf
+= mbedtls_ssl_hs_hdr_len( ssl
);
1310 msg_len
-= mbedtls_ssl_hs_hdr_len( ssl
);
1313 * ClientHello layer:
1314 * 0 . 1 protocol version
1315 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1316 * 34 . 35 session id length (1 byte)
1317 * 35 . 34+x session id
1318 * 35+x . 35+x DTLS only: cookie length (1 byte)
1319 * 36+x . .. DTLS only: cookie
1320 * .. . .. ciphersuite list length (2 bytes)
1321 * .. . .. ciphersuite list
1322 * .. . .. compression alg. list length (1 byte)
1323 * .. . .. compression alg. list
1324 * .. . .. extensions length (2 bytes, optional)
1325 * .. . .. extensions (optional)
1329 * Minimal length (with everything empty and extensions ommitted) is
1330 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1331 * read at least up to session id length without worrying.
1335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1336 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1340 * Check and save the protocol version
1342 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf
, 2 );
1344 mbedtls_ssl_read_version( &ssl
->major_ver
, &ssl
->minor_ver
,
1345 ssl
->conf
->transport
, buf
);
1347 ssl
->handshake
->max_major_ver
= ssl
->major_ver
;
1348 ssl
->handshake
->max_minor_ver
= ssl
->minor_ver
;
1350 if( ssl
->major_ver
< ssl
->conf
->min_major_ver
||
1351 ssl
->minor_ver
< ssl
->conf
->min_minor_ver
)
1353 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1354 " [%d:%d] < [%d:%d]",
1355 ssl
->major_ver
, ssl
->minor_ver
,
1356 ssl
->conf
->min_major_ver
, ssl
->conf
->min_minor_ver
) );
1358 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1359 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
);
1361 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
);
1364 if( ssl
->major_ver
> ssl
->conf
->max_major_ver
)
1366 ssl
->major_ver
= ssl
->conf
->max_major_ver
;
1367 ssl
->minor_ver
= ssl
->conf
->max_minor_ver
;
1369 else if( ssl
->minor_ver
> ssl
->conf
->max_minor_ver
)
1370 ssl
->minor_ver
= ssl
->conf
->max_minor_ver
;
1373 * Save client random (inc. Unix time)
1375 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf
+ 2, 32 );
1377 memcpy( ssl
->handshake
->randbytes
, buf
+ 2, 32 );
1380 * Check the session ID length and save session ID
1384 if( sess_len
> sizeof( ssl
->session_negotiate
->id
) ||
1385 sess_len
+ 34 + 2 > msg_len
) /* 2 for cipherlist length field */
1387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1388 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1391 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf
+ 35, sess_len
);
1393 ssl
->session_negotiate
->id_len
= sess_len
;
1394 memset( ssl
->session_negotiate
->id
, 0,
1395 sizeof( ssl
->session_negotiate
->id
) );
1396 memcpy( ssl
->session_negotiate
->id
, buf
+ 35,
1397 ssl
->session_negotiate
->id_len
);
1400 * Check the cookie length and content
1402 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1403 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1405 cookie_offset
= 35 + sess_len
;
1406 cookie_len
= buf
[cookie_offset
];
1408 if( cookie_offset
+ 1 + cookie_len
+ 2 > msg_len
)
1410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1411 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1414 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1415 buf
+ cookie_offset
+ 1, cookie_len
);
1417 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1418 if( ssl
->conf
->f_cookie_check
!= NULL
1419 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1420 && ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
1424 if( ssl
->conf
->f_cookie_check( ssl
->conf
->p_cookie
,
1425 buf
+ cookie_offset
+ 1, cookie_len
,
1426 ssl
->cli_id
, ssl
->cli_id_len
) != 0 )
1428 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1429 ssl
->handshake
->verify_cookie_len
= 1;
1433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1434 ssl
->handshake
->verify_cookie_len
= 0;
1438 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1440 /* We know we didn't send a cookie, so it should be empty */
1441 if( cookie_len
!= 0 )
1443 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1444 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1451 * Check the ciphersuitelist length (will be parsed later)
1453 ciph_offset
= cookie_offset
+ 1 + cookie_len
;
1456 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1457 ciph_offset
= 35 + sess_len
;
1459 ciph_len
= ( buf
[ciph_offset
+ 0] << 8 )
1460 | ( buf
[ciph_offset
+ 1] );
1463 ciph_len
+ 2 + ciph_offset
+ 1 > msg_len
|| /* 1 for comp. alg. len */
1464 ( ciph_len
% 2 ) != 0 )
1466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1467 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1470 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1471 buf
+ ciph_offset
+ 2, ciph_len
);
1474 * Check the compression algorithms length and pick one
1476 comp_offset
= ciph_offset
+ 2 + ciph_len
;
1478 comp_len
= buf
[comp_offset
];
1482 comp_len
+ comp_offset
+ 1 > msg_len
)
1484 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1485 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1488 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1489 buf
+ comp_offset
+ 1, comp_len
);
1491 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_NULL
;
1492 #if defined(MBEDTLS_ZLIB_SUPPORT)
1493 for( i
= 0; i
< comp_len
; ++i
)
1495 if( buf
[comp_offset
+ 1 + i
] == MBEDTLS_SSL_COMPRESS_DEFLATE
)
1497 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_DEFLATE
;
1503 /* See comments in ssl_write_client_hello() */
1504 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1505 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1506 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_NULL
;
1509 /* Do not parse the extensions if the protocol is SSLv3 */
1510 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1511 if( ( ssl
->major_ver
!= 3 ) || ( ssl
->minor_ver
!= 0 ) )
1515 * Check the extension length
1517 ext_offset
= comp_offset
+ 1 + comp_len
;
1518 if( msg_len
> ext_offset
)
1520 if( msg_len
< ext_offset
+ 2 )
1522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1523 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1526 ext_len
= ( buf
[ext_offset
+ 0] << 8 )
1527 | ( buf
[ext_offset
+ 1] );
1529 if( ( ext_len
> 0 && ext_len
< 4 ) ||
1530 msg_len
!= ext_offset
+ 2 + ext_len
)
1532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1533 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1539 ext
= buf
+ ext_offset
+ 2;
1540 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext
, ext_len
);
1542 while( ext_len
!= 0 )
1544 unsigned int ext_id
= ( ( ext
[0] << 8 )
1546 unsigned int ext_size
= ( ( ext
[2] << 8 )
1549 if( ext_size
+ 4 > ext_len
)
1551 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1552 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1556 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1557 case MBEDTLS_TLS_EXT_SERVERNAME
:
1558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1559 if( ssl
->conf
->f_sni
== NULL
)
1562 ret
= ssl_parse_servername_ext( ssl
, ext
+ 4, ext_size
);
1566 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1568 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
:
1569 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1570 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1571 renegotiation_info_seen
= 1;
1574 ret
= ssl_parse_renegotiation_info( ssl
, ext
+ 4, ext_size
);
1579 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1580 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1581 case MBEDTLS_TLS_EXT_SIG_ALG
:
1582 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1583 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1584 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1588 ret
= ssl_parse_signature_algorithms_ext( ssl
, ext
+ 4, ext_size
);
1592 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1593 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1595 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1596 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1597 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
:
1598 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1600 ret
= ssl_parse_supported_elliptic_curves( ssl
, ext
+ 4, ext_size
);
1605 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
:
1606 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1607 ssl
->handshake
->cli_exts
|= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
;
1609 ret
= ssl_parse_supported_point_formats( ssl
, ext
+ 4, ext_size
);
1613 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1614 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1616 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1617 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP
:
1618 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1620 ret
= ssl_parse_ecjpake_kkpp( ssl
, ext
+ 4, ext_size
);
1624 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1626 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1627 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
:
1628 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1630 ret
= ssl_parse_max_fragment_length_ext( ssl
, ext
+ 4, ext_size
);
1634 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1636 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1637 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC
:
1638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1640 ret
= ssl_parse_truncated_hmac_ext( ssl
, ext
+ 4, ext_size
);
1644 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1646 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1647 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
:
1648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1650 ret
= ssl_parse_encrypt_then_mac_ext( ssl
, ext
+ 4, ext_size
);
1654 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1656 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1657 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
:
1658 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1660 ret
= ssl_parse_extended_ms_ext( ssl
, ext
+ 4, ext_size
);
1664 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1666 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1667 case MBEDTLS_TLS_EXT_SESSION_TICKET
:
1668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1670 ret
= ssl_parse_session_ticket_ext( ssl
, ext
+ 4, ext_size
);
1674 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1676 #if defined(MBEDTLS_SSL_ALPN)
1677 case MBEDTLS_TLS_EXT_ALPN
:
1678 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1680 ret
= ssl_parse_alpn_ext( ssl
, ext
+ 4, ext_size
);
1684 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1687 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1691 ext_len
-= 4 + ext_size
;
1692 ext
+= 4 + ext_size
;
1694 if( ext_len
> 0 && ext_len
< 4 )
1696 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1697 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1700 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1704 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1705 for( i
= 0, p
= buf
+ 41 + sess_len
; i
< ciph_len
; i
+= 2, p
+= 2 )
1707 if( p
[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
>> 8 ) & 0xff ) &&
1708 p
[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
) & 0xff ) )
1710 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
1712 if( ssl
->minor_ver
< ssl
->conf
->max_minor_ver
)
1714 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1716 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1717 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
);
1719 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1725 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1728 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1730 for( i
= 0, p
= buf
+ ciph_offset
+ 2; i
< ciph_len
; i
+= 2, p
+= 2 )
1732 if( p
[0] == 0 && p
[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
)
1734 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1735 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1736 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1738 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1740 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
1743 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1746 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
1752 * Renegotiation security checks
1754 if( ssl
->secure_renegotiation
!= MBEDTLS_SSL_SECURE_RENEGOTIATION
&&
1755 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
)
1757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1758 handshake_failure
= 1;
1760 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1761 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1762 ssl
->secure_renegotiation
== MBEDTLS_SSL_SECURE_RENEGOTIATION
&&
1763 renegotiation_info_seen
== 0 )
1765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1766 handshake_failure
= 1;
1768 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1769 ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1770 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
)
1772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1773 handshake_failure
= 1;
1775 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1776 ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1777 renegotiation_info_seen
== 1 )
1779 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1780 handshake_failure
= 1;
1782 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1784 if( handshake_failure
== 1 )
1786 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
1789 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1793 * Search for a matching ciphersuite
1794 * (At the end because we need information from the EC-based extensions
1795 * and certificate from the SNI callback triggered by the SNI extension.)
1797 got_common_suite
= 0;
1798 ciphersuites
= ssl
->conf
->ciphersuite_list
[ssl
->minor_ver
];
1799 ciphersuite_info
= NULL
;
1800 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1801 for( j
= 0, p
= buf
+ ciph_offset
+ 2; j
< ciph_len
; j
+= 2, p
+= 2 )
1803 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1805 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1807 for( j
= 0, p
= buf
+ ciph_offset
+ 2; j
< ciph_len
; j
+= 2, p
+= 2 )
1810 if( p
[0] != ( ( ciphersuites
[i
] >> 8 ) & 0xFF ) ||
1811 p
[1] != ( ( ciphersuites
[i
] ) & 0xFF ) )
1814 got_common_suite
= 1;
1816 if( ( ret
= ssl_ciphersuite_match( ssl
, ciphersuites
[i
],
1817 &ciphersuite_info
) ) != 0 )
1820 if( ciphersuite_info
!= NULL
)
1821 goto have_ciphersuite
;
1825 if( got_common_suite
)
1827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1828 "but none of them usable" ) );
1829 mbedtls_ssl_send_fatal_handshake_failure( ssl
);
1830 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
);
1834 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1835 mbedtls_ssl_send_fatal_handshake_failure( ssl
);
1836 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
1840 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info
->name
) );
1842 ssl
->session_negotiate
->ciphersuite
= ciphersuites
[i
];
1843 ssl
->transform_negotiate
->ciphersuite_info
= ciphersuite_info
;
1847 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1848 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1849 mbedtls_ssl_recv_flight_completed( ssl
);
1852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1857 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1858 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context
*ssl
,
1862 unsigned char *p
= buf
;
1864 if( ssl
->session_negotiate
->trunc_hmac
== MBEDTLS_SSL_TRUNC_HMAC_DISABLED
)
1870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1872 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC
>> 8 ) & 0xFF );
1873 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC
) & 0xFF );
1880 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1882 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1883 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context
*ssl
,
1887 unsigned char *p
= buf
;
1888 const mbedtls_ssl_ciphersuite_t
*suite
= NULL
;
1889 const mbedtls_cipher_info_t
*cipher
= NULL
;
1891 if( ssl
->session_negotiate
->encrypt_then_mac
== MBEDTLS_SSL_EXTENDED_MS_DISABLED
||
1892 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
1899 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1900 * from a client and then selects a stream or Authenticated Encryption
1901 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1902 * encrypt-then-MAC response extension back to the client."
1904 if( ( suite
= mbedtls_ssl_ciphersuite_from_id(
1905 ssl
->session_negotiate
->ciphersuite
) ) == NULL
||
1906 ( cipher
= mbedtls_cipher_info_from_type( suite
->cipher
) ) == NULL
||
1907 cipher
->mode
!= MBEDTLS_MODE_CBC
)
1913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
1915 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
>> 8 ) & 0xFF );
1916 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
) & 0xFF );
1923 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1925 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1926 static void ssl_write_extended_ms_ext( mbedtls_ssl_context
*ssl
,
1930 unsigned char *p
= buf
;
1932 if( ssl
->handshake
->extended_ms
== MBEDTLS_SSL_EXTENDED_MS_DISABLED
||
1933 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
1939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
1942 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
>> 8 ) & 0xFF );
1943 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
) & 0xFF );
1950 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1952 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1953 static void ssl_write_session_ticket_ext( mbedtls_ssl_context
*ssl
,
1957 unsigned char *p
= buf
;
1959 if( ssl
->handshake
->new_session_ticket
== 0 )
1965 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1967 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET
>> 8 ) & 0xFF );
1968 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET
) & 0xFF );
1975 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1977 static void ssl_write_renegotiation_ext( mbedtls_ssl_context
*ssl
,
1981 unsigned char *p
= buf
;
1983 if( ssl
->secure_renegotiation
!= MBEDTLS_SSL_SECURE_RENEGOTIATION
)
1989 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1991 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
>> 8 ) & 0xFF );
1992 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
) & 0xFF );
1994 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1995 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1998 *p
++ = ( ssl
->verify_data_len
* 2 + 1 ) & 0xFF;
1999 *p
++ = ssl
->verify_data_len
* 2 & 0xFF;
2001 memcpy( p
, ssl
->peer_verify_data
, ssl
->verify_data_len
);
2002 p
+= ssl
->verify_data_len
;
2003 memcpy( p
, ssl
->own_verify_data
, ssl
->verify_data_len
);
2004 p
+= ssl
->verify_data_len
;
2007 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2017 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2018 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context
*ssl
,
2022 unsigned char *p
= buf
;
2024 if( ssl
->session_negotiate
->mfl_code
== MBEDTLS_SSL_MAX_FRAG_LEN_NONE
)
2030 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2032 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
>> 8 ) & 0xFF );
2033 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
) & 0xFF );
2038 *p
++ = ssl
->session_negotiate
->mfl_code
;
2042 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2044 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2045 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2046 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context
*ssl
,
2050 unsigned char *p
= buf
;
2053 if( ( ssl
->handshake
->cli_exts
&
2054 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
) == 0 )
2060 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2062 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
>> 8 ) & 0xFF );
2063 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
) & 0xFF );
2069 *p
++ = MBEDTLS_ECP_PF_UNCOMPRESSED
;
2073 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2075 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2076 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context
*ssl
,
2081 unsigned char *p
= buf
;
2082 const unsigned char *end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2087 /* Skip costly computation if not needed */
2088 if( ssl
->transform_negotiate
->ciphersuite_info
->key_exchange
!=
2089 MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2096 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2100 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP
>> 8 ) & 0xFF );
2101 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP
) & 0xFF );
2103 ret
= mbedtls_ecjpake_write_round_one( &ssl
->handshake
->ecjpake_ctx
,
2104 p
+ 2, end
- p
- 2, &kkpp_len
,
2105 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
2108 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret
);
2112 *p
++ = (unsigned char)( ( kkpp_len
>> 8 ) & 0xFF );
2113 *p
++ = (unsigned char)( ( kkpp_len
) & 0xFF );
2115 *olen
= kkpp_len
+ 4;
2117 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2119 #if defined(MBEDTLS_SSL_ALPN )
2120 static void ssl_write_alpn_ext( mbedtls_ssl_context
*ssl
,
2121 unsigned char *buf
, size_t *olen
)
2123 if( ssl
->alpn_chosen
== NULL
)
2129 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2132 * 0 . 1 ext identifier
2134 * 4 . 5 protocol list length
2135 * 6 . 6 protocol name length
2136 * 7 . 7+n protocol name
2138 buf
[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN
>> 8 ) & 0xFF );
2139 buf
[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN
) & 0xFF );
2141 *olen
= 7 + strlen( ssl
->alpn_chosen
);
2143 buf
[2] = (unsigned char)( ( ( *olen
- 4 ) >> 8 ) & 0xFF );
2144 buf
[3] = (unsigned char)( ( ( *olen
- 4 ) ) & 0xFF );
2146 buf
[4] = (unsigned char)( ( ( *olen
- 6 ) >> 8 ) & 0xFF );
2147 buf
[5] = (unsigned char)( ( ( *olen
- 6 ) ) & 0xFF );
2149 buf
[6] = (unsigned char)( ( ( *olen
- 7 ) ) & 0xFF );
2151 memcpy( buf
+ 7, ssl
->alpn_chosen
, *olen
- 7 );
2153 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2155 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2156 static int ssl_write_hello_verify_request( mbedtls_ssl_context
*ssl
)
2159 unsigned char *p
= ssl
->out_msg
+ 4;
2160 unsigned char *cookie_len_byte
;
2162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2166 * ProtocolVersion server_version;
2167 * opaque cookie<0..2^8-1>;
2168 * } HelloVerifyRequest;
2171 /* The RFC is not clear on this point, but sending the actual negotiated
2172 * version looks like the most interoperable thing to do. */
2173 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
2174 ssl
->conf
->transport
, p
);
2175 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p
, 2 );
2178 /* If we get here, f_cookie_check is not null */
2179 if( ssl
->conf
->f_cookie_write
== NULL
)
2181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2182 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2185 /* Skip length byte until we know the length */
2186 cookie_len_byte
= p
++;
2188 if( ( ret
= ssl
->conf
->f_cookie_write( ssl
->conf
->p_cookie
,
2189 &p
, ssl
->out_buf
+ MBEDTLS_SSL_BUFFER_LEN
,
2190 ssl
->cli_id
, ssl
->cli_id_len
) ) != 0 )
2192 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret
);
2196 *cookie_len_byte
= (unsigned char)( p
- ( cookie_len_byte
+ 1 ) );
2198 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte
+ 1, *cookie_len_byte
);
2200 ssl
->out_msglen
= p
- ssl
->out_msg
;
2201 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2202 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
;
2204 ssl
->state
= MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
;
2206 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
2208 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
2212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2216 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2218 static int ssl_write_server_hello( mbedtls_ssl_context
*ssl
)
2220 #if defined(MBEDTLS_HAVE_TIME)
2224 size_t olen
, ext_len
= 0, n
;
2225 unsigned char *buf
, *p
;
2227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2229 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2230 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
2231 ssl
->handshake
->verify_cookie_len
!= 0 )
2233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2234 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2236 return( ssl_write_hello_verify_request( ssl
) );
2238 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2240 if( ssl
->conf
->f_rng
== NULL
)
2242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2243 return( MBEDTLS_ERR_SSL_NO_RNG
);
2247 * 0 . 0 handshake type
2248 * 1 . 3 handshake length
2249 * 4 . 5 protocol version
2251 * 10 . 37 random bytes
2256 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
2257 ssl
->conf
->transport
, p
);
2260 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2263 #if defined(MBEDTLS_HAVE_TIME)
2264 t
= mbedtls_time( NULL
);
2265 *p
++ = (unsigned char)( t
>> 24 );
2266 *p
++ = (unsigned char)( t
>> 16 );
2267 *p
++ = (unsigned char)( t
>> 8 );
2268 *p
++ = (unsigned char)( t
);
2270 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t
) );
2272 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, p
, 4 ) ) != 0 )
2276 #endif /* MBEDTLS_HAVE_TIME */
2278 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, p
, 28 ) ) != 0 )
2283 memcpy( ssl
->handshake
->randbytes
+ 32, buf
+ 6, 32 );
2285 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf
+ 6, 32 );
2288 * Resume is 0 by default, see ssl_handshake_init().
2289 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2290 * If not, try looking up session ID in our cache.
2292 if( ssl
->handshake
->resume
== 0 &&
2293 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2294 ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
&&
2296 ssl
->session_negotiate
->id_len
!= 0 &&
2297 ssl
->conf
->f_get_cache
!= NULL
&&
2298 ssl
->conf
->f_get_cache( ssl
->conf
->p_cache
, ssl
->session_negotiate
) == 0 )
2300 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2301 ssl
->handshake
->resume
= 1;
2304 if( ssl
->handshake
->resume
== 0 )
2307 * New session, create a new session id,
2308 * unless we're about to issue a session ticket
2312 #if defined(MBEDTLS_HAVE_TIME)
2313 ssl
->session_negotiate
->start
= mbedtls_time( NULL
);
2316 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2317 if( ssl
->handshake
->new_session_ticket
!= 0 )
2319 ssl
->session_negotiate
->id_len
= n
= 0;
2320 memset( ssl
->session_negotiate
->id
, 0, 32 );
2323 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2325 ssl
->session_negotiate
->id_len
= n
= 32;
2326 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, ssl
->session_negotiate
->id
,
2334 * Resuming a session
2336 n
= ssl
->session_negotiate
->id_len
;
2337 ssl
->state
= MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
;
2339 if( ( ret
= mbedtls_ssl_derive_keys( ssl
) ) != 0 )
2341 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret
);
2347 * 38 . 38 session id length
2348 * 39 . 38+n session id
2349 * 39+n . 40+n chosen ciphersuite
2350 * 41+n . 41+n chosen compression alg.
2351 * 42+n . 43+n extensions length
2352 * 44+n . 43+n+m extensions
2354 *p
++ = (unsigned char) ssl
->session_negotiate
->id_len
;
2355 memcpy( p
, ssl
->session_negotiate
->id
, ssl
->session_negotiate
->id_len
);
2356 p
+= ssl
->session_negotiate
->id_len
;
2358 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n
) );
2359 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf
+ 39, n
);
2360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2361 ssl
->handshake
->resume
? "a" : "no" ) );
2363 *p
++ = (unsigned char)( ssl
->session_negotiate
->ciphersuite
>> 8 );
2364 *p
++ = (unsigned char)( ssl
->session_negotiate
->ciphersuite
);
2365 *p
++ = (unsigned char)( ssl
->session_negotiate
->compression
);
2367 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2368 mbedtls_ssl_get_ciphersuite_name( ssl
->session_negotiate
->ciphersuite
) ) );
2369 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2370 ssl
->session_negotiate
->compression
) );
2372 /* Do not write the extensions if the protocol is SSLv3 */
2373 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2374 if( ( ssl
->major_ver
!= 3 ) || ( ssl
->minor_ver
!= 0 ) )
2379 * First write extensions, then the total length
2381 ssl_write_renegotiation_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2384 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2385 ssl_write_max_fragment_length_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2389 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2390 ssl_write_truncated_hmac_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2394 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2395 ssl_write_encrypt_then_mac_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2399 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2400 ssl_write_extended_ms_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2404 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2405 ssl_write_session_ticket_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2409 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2410 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2411 ssl_write_supported_point_formats_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2415 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2416 ssl_write_ecjpake_kkpp_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2420 #if defined(MBEDTLS_SSL_ALPN)
2421 ssl_write_alpn_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2425 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len
) );
2429 *p
++ = (unsigned char)( ( ext_len
>> 8 ) & 0xFF );
2430 *p
++ = (unsigned char)( ( ext_len
) & 0xFF );
2434 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2438 ssl
->out_msglen
= p
- buf
;
2439 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2440 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_HELLO
;
2442 ret
= mbedtls_ssl_write_record( ssl
);
2444 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2449 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2450 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2451 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2452 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2453 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
2454 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2455 static int ssl_write_certificate_request( mbedtls_ssl_context
*ssl
)
2457 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
2459 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2461 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2462 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
2463 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2464 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
2465 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2467 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2473 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2476 static int ssl_write_certificate_request( mbedtls_ssl_context
*ssl
)
2478 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
2479 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
2480 size_t dn_size
, total_dn_size
; /* excluding length bytes */
2481 size_t ct_len
, sa_len
; /* including length bytes */
2482 unsigned char *buf
, *p
;
2483 const unsigned char * const end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2484 const mbedtls_x509_crt
*crt
;
2487 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2491 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2492 if( ssl
->handshake
->sni_authmode
!= MBEDTLS_SSL_VERIFY_UNSET
)
2493 authmode
= ssl
->handshake
->sni_authmode
;
2496 authmode
= ssl
->conf
->authmode
;
2498 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2499 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
2500 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2501 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
2502 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
||
2503 authmode
== MBEDTLS_SSL_VERIFY_NONE
)
2505 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2510 * 0 . 0 handshake type
2511 * 1 . 3 handshake length
2512 * 4 . 4 cert type count
2513 * 5 .. m-1 cert types
2514 * m .. m+1 sig alg length (TLS 1.2 only)
2515 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2516 * n .. n+1 length of all DNs
2517 * n+2 .. n+3 length of DN 1
2518 * n+4 .. ... Distinguished Name #1
2519 * ... .. ... length of DN 2, etc.
2525 * Supported certificate types
2527 * ClientCertificateType certificate_types<1..2^8-1>;
2528 * enum { (255) } ClientCertificateType;
2532 #if defined(MBEDTLS_RSA_C)
2533 p
[1 + ct_len
++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
;
2535 #if defined(MBEDTLS_ECDSA_C)
2536 p
[1 + ct_len
++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
;
2539 p
[0] = (unsigned char) ct_len
++;
2543 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2545 * Add signature_algorithms for verify (TLS 1.2)
2547 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2550 * HashAlgorithm hash;
2551 * SignatureAlgorithm signature;
2552 * } SignatureAndHashAlgorithm;
2554 * enum { (255) } HashAlgorithm;
2555 * enum { (255) } SignatureAlgorithm;
2557 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2562 * Supported signature algorithms
2564 for( cur
= ssl
->conf
->sig_hashes
; *cur
!= MBEDTLS_MD_NONE
; cur
++ )
2566 unsigned char hash
= mbedtls_ssl_hash_from_md_alg( *cur
);
2568 if( MBEDTLS_SSL_HASH_NONE
== hash
|| mbedtls_ssl_set_calc_verify_md( ssl
, hash
) )
2571 #if defined(MBEDTLS_RSA_C)
2572 p
[2 + sa_len
++] = hash
;
2573 p
[2 + sa_len
++] = MBEDTLS_SSL_SIG_RSA
;
2575 #if defined(MBEDTLS_ECDSA_C)
2576 p
[2 + sa_len
++] = hash
;
2577 p
[2 + sa_len
++] = MBEDTLS_SSL_SIG_ECDSA
;
2581 p
[0] = (unsigned char)( sa_len
>> 8 );
2582 p
[1] = (unsigned char)( sa_len
);
2586 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2589 * DistinguishedName certificate_authorities<0..2^16-1>;
2590 * opaque DistinguishedName<1..2^16-1>;
2593 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2594 if( ssl
->handshake
->sni_ca_chain
!= NULL
)
2595 crt
= ssl
->handshake
->sni_ca_chain
;
2598 crt
= ssl
->conf
->ca_chain
;
2601 while( crt
!= NULL
&& crt
->version
!= 0 )
2603 dn_size
= crt
->subject_raw
.len
;
2606 (size_t)( end
- p
) < dn_size
||
2607 (size_t)( end
- p
) < 2 + dn_size
)
2609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2613 *p
++ = (unsigned char)( dn_size
>> 8 );
2614 *p
++ = (unsigned char)( dn_size
);
2615 memcpy( p
, crt
->subject_raw
.p
, dn_size
);
2618 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p
- dn_size
, dn_size
);
2620 total_dn_size
+= 2 + dn_size
;
2624 ssl
->out_msglen
= p
- buf
;
2625 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2626 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
;
2627 ssl
->out_msg
[4 + ct_len
+ sa_len
] = (unsigned char)( total_dn_size
>> 8 );
2628 ssl
->out_msg
[5 + ct_len
+ sa_len
] = (unsigned char)( total_dn_size
);
2630 ret
= mbedtls_ssl_write_record( ssl
);
2632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2636 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2637 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2638 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
2639 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2640 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
2641 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2643 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2644 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2645 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context
*ssl
)
2649 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl
), MBEDTLS_PK_ECKEY
) )
2651 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2652 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
);
2655 if( ( ret
= mbedtls_ecdh_get_params( &ssl
->handshake
->ecdh_ctx
,
2656 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl
) ),
2657 MBEDTLS_ECDH_OURS
) ) != 0 )
2659 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret
);
2665 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2666 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2668 static int ssl_write_server_key_exchange( mbedtls_ssl_context
*ssl
)
2672 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
=
2673 ssl
->transform_negotiate
->ciphersuite_info
;
2675 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2676 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2677 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2678 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2679 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2680 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2681 unsigned char *p
= ssl
->out_msg
+ 4;
2682 unsigned char *dig_signed
= p
;
2683 size_t dig_signed_len
= 0, len
;
2684 ((void) dig_signed
);
2685 ((void) dig_signed_len
);
2689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2691 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2692 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2693 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2694 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA
||
2695 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2696 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
)
2698 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2704 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2705 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2706 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA
||
2707 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
)
2709 ssl_get_ecdh_params_from_cert( ssl
);
2711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2717 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2718 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2721 const unsigned char *end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2723 ret
= mbedtls_ecjpake_write_round_two( &ssl
->handshake
->ecjpake_ctx
,
2724 p
, end
- p
, &jlen
, ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
2727 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret
);
2734 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2736 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2737 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2738 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2739 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
2741 /* Note: we don't support identity hints, until someone asks
2748 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2749 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2751 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2752 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2753 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_RSA
||
2754 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
)
2756 if( ssl
->conf
->dhm_P
.p
== NULL
|| ssl
->conf
->dhm_G
.p
== NULL
)
2758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
2759 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
2763 * Ephemeral DH parameters:
2766 * opaque dh_p<1..2^16-1>;
2767 * opaque dh_g<1..2^16-1>;
2768 * opaque dh_Ys<1..2^16-1>;
2771 if( ( ret
= mbedtls_mpi_copy( &ssl
->handshake
->dhm_ctx
.P
, &ssl
->conf
->dhm_P
) ) != 0 ||
2772 ( ret
= mbedtls_mpi_copy( &ssl
->handshake
->dhm_ctx
.G
, &ssl
->conf
->dhm_G
) ) != 0 )
2774 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret
);
2778 if( ( ret
= mbedtls_dhm_make_params( &ssl
->handshake
->dhm_ctx
,
2779 (int) mbedtls_mpi_size( &ssl
->handshake
->dhm_ctx
.P
),
2780 p
, &len
, ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
2782 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret
);
2787 dig_signed_len
= len
;
2792 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl
->handshake
->dhm_ctx
.X
);
2793 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl
->handshake
->dhm_ctx
.P
);
2794 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl
->handshake
->dhm_ctx
.G
);
2795 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl
->handshake
->dhm_ctx
.GX
);
2797 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2798 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2800 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
2801 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
||
2802 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
||
2803 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
2806 * Ephemeral ECDH parameters:
2809 * ECParameters curve_params;
2811 * } ServerECDHParams;
2813 const mbedtls_ecp_curve_info
**curve
= NULL
;
2814 const mbedtls_ecp_group_id
*gid
;
2816 /* Match our preference list against the offered curves */
2817 for( gid
= ssl
->conf
->curve_list
; *gid
!= MBEDTLS_ECP_DP_NONE
; gid
++ )
2818 for( curve
= ssl
->handshake
->curves
; *curve
!= NULL
; curve
++ )
2819 if( (*curve
)->grp_id
== *gid
)
2820 goto curve_matching_done
;
2822 curve_matching_done
:
2823 if( curve
== NULL
|| *curve
== NULL
)
2825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2826 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
2829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve
)->name
) );
2831 if( ( ret
= mbedtls_ecp_group_load( &ssl
->handshake
->ecdh_ctx
.grp
,
2832 (*curve
)->grp_id
) ) != 0 )
2834 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret
);
2838 if( ( ret
= mbedtls_ecdh_make_params( &ssl
->handshake
->ecdh_ctx
, &len
,
2839 p
, MBEDTLS_SSL_MAX_CONTENT_LEN
- n
,
2840 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
2842 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret
);
2847 dig_signed_len
= len
;
2852 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl
->handshake
->ecdh_ctx
.Q
);
2854 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
2856 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2857 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2858 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2859 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_RSA
||
2860 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
||
2861 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
)
2863 size_t signature_len
= 0;
2864 unsigned int hashlen
= 0;
2865 unsigned char hash
[64];
2866 mbedtls_md_type_t md_alg
= MBEDTLS_MD_NONE
;
2869 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2871 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2872 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2874 md_alg
= mbedtls_ssl_md_alg_from_hash( ssl
->handshake
->sig_alg
);
2876 if( md_alg
== MBEDTLS_MD_NONE
)
2878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2879 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2883 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2884 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2885 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2886 if( ciphersuite_info
->key_exchange
==
2887 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
)
2889 md_alg
= MBEDTLS_MD_SHA1
;
2894 md_alg
= MBEDTLS_MD_NONE
;
2898 * Compute the hash to be signed
2900 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2901 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2902 if( md_alg
== MBEDTLS_MD_NONE
)
2904 mbedtls_md5_context mbedtls_md5
;
2905 mbedtls_sha1_context mbedtls_sha1
;
2907 mbedtls_md5_init( &mbedtls_md5
);
2908 mbedtls_sha1_init( &mbedtls_sha1
);
2911 * digitally-signed struct {
2912 * opaque md5_hash[16];
2913 * opaque sha_hash[20];
2917 * MD5(ClientHello.random + ServerHello.random
2920 * SHA(ClientHello.random + ServerHello.random
2923 mbedtls_md5_starts( &mbedtls_md5
);
2924 mbedtls_md5_update( &mbedtls_md5
, ssl
->handshake
->randbytes
, 64 );
2925 mbedtls_md5_update( &mbedtls_md5
, dig_signed
, dig_signed_len
);
2926 mbedtls_md5_finish( &mbedtls_md5
, hash
);
2928 mbedtls_sha1_starts( &mbedtls_sha1
);
2929 mbedtls_sha1_update( &mbedtls_sha1
, ssl
->handshake
->randbytes
, 64 );
2930 mbedtls_sha1_update( &mbedtls_sha1
, dig_signed
, dig_signed_len
);
2931 mbedtls_sha1_finish( &mbedtls_sha1
, hash
+ 16 );
2935 mbedtls_md5_free( &mbedtls_md5
);
2936 mbedtls_sha1_free( &mbedtls_sha1
);
2939 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2940 MBEDTLS_SSL_PROTO_TLS1_1 */
2941 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2942 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2943 if( md_alg
!= MBEDTLS_MD_NONE
)
2945 mbedtls_md_context_t ctx
;
2946 const mbedtls_md_info_t
*md_info
= mbedtls_md_info_from_type( md_alg
);
2948 mbedtls_md_init( &ctx
);
2950 /* Info from md_alg will be used instead */
2954 * digitally-signed struct {
2955 * opaque client_random[32];
2956 * opaque server_random[32];
2957 * ServerDHParams params;
2960 if( ( ret
= mbedtls_md_setup( &ctx
, md_info
, 0 ) ) != 0 )
2962 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret
);
2966 mbedtls_md_starts( &ctx
);
2967 mbedtls_md_update( &ctx
, ssl
->handshake
->randbytes
, 64 );
2968 mbedtls_md_update( &ctx
, dig_signed
, dig_signed_len
);
2969 mbedtls_md_finish( &ctx
, hash
);
2970 mbedtls_md_free( &ctx
);
2973 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2974 MBEDTLS_SSL_PROTO_TLS1_2 */
2976 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2977 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2980 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash
, hashlen
!= 0 ? hashlen
:
2981 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg
) ) ) );
2984 * Make the signature
2986 if( mbedtls_ssl_own_key( ssl
) == NULL
)
2988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2989 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
2992 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2993 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2995 *(p
++) = ssl
->handshake
->sig_alg
;
2996 *(p
++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl
) );
3000 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3002 if( ( ret
= mbedtls_pk_sign( mbedtls_ssl_own_key( ssl
), md_alg
, hash
, hashlen
,
3003 p
+ 2 , &signature_len
,
3004 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3006 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret
);
3010 *(p
++) = (unsigned char)( signature_len
>> 8 );
3011 *(p
++) = (unsigned char)( signature_len
);
3014 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p
, signature_len
);
3018 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
3019 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3020 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3022 ssl
->out_msglen
= 4 + n
;
3023 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3024 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
;
3028 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3039 static int ssl_write_server_hello_done( mbedtls_ssl_context
*ssl
)
3043 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3045 ssl
->out_msglen
= 4;
3046 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3047 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE
;
3051 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3052 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3053 mbedtls_ssl_send_flight_completed( ssl
);
3056 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3058 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3067 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3068 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3069 static int ssl_parse_client_dh_public( mbedtls_ssl_context
*ssl
, unsigned char **p
,
3070 const unsigned char *end
)
3072 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
3076 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3081 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3084 n
= ( (*p
)[0] << 8 ) | (*p
)[1];
3089 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3090 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3093 if( ( ret
= mbedtls_dhm_read_public( &ssl
->handshake
->dhm_ctx
, *p
, n
) ) != 0 )
3095 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret
);
3096 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3101 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl
->handshake
->dhm_ctx
.GY
);
3105 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3106 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3108 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3109 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3110 static int ssl_parse_encrypted_pms( mbedtls_ssl_context
*ssl
,
3111 const unsigned char *p
,
3112 const unsigned char *end
,
3116 size_t len
= mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl
) );
3117 unsigned char *pms
= ssl
->handshake
->premaster
+ pms_offset
;
3118 unsigned char ver
[2];
3119 unsigned char fake_pms
[48], peer_pms
[48];
3121 size_t i
, peer_pmslen
;
3124 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl
), MBEDTLS_PK_RSA
) )
3126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3127 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
3131 * Decrypt the premaster using own private RSA key
3133 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3134 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3135 if( ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
3137 if( *p
++ != ( ( len
>> 8 ) & 0xFF ) ||
3138 *p
++ != ( ( len
) & 0xFF ) )
3140 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3141 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3146 if( p
+ len
!= end
)
3148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3149 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3152 mbedtls_ssl_write_version( ssl
->handshake
->max_major_ver
,
3153 ssl
->handshake
->max_minor_ver
,
3154 ssl
->conf
->transport
, ver
);
3157 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3158 * must not cause the connection to end immediately; instead, send a
3159 * bad_record_mac later in the handshake.
3160 * Also, avoid data-dependant branches here to protect against
3161 * timing-based variants.
3163 ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, fake_pms
, sizeof( fake_pms
) );
3167 ret
= mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl
), p
, len
,
3168 peer_pms
, &peer_pmslen
,
3170 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
3172 diff
= (unsigned int) ret
;
3173 diff
|= peer_pmslen
^ 48;
3174 diff
|= peer_pms
[0] ^ ver
[0];
3175 diff
|= peer_pms
[1] ^ ver
[1];
3177 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3182 if( sizeof( ssl
->handshake
->premaster
) < pms_offset
||
3183 sizeof( ssl
->handshake
->premaster
) - pms_offset
< 48 )
3185 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3186 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3188 ssl
->handshake
->pmslen
= 48;
3190 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3191 /* MSVC has a warning about unary minus on unsigned, but this is
3192 * well-defined and precisely what we want to do here */
3193 #if defined(_MSC_VER)
3194 #pragma warning( push )
3195 #pragma warning( disable : 4146 )
3197 mask
= - ( ( diff
| - diff
) >> ( sizeof( unsigned int ) * 8 - 1 ) );
3198 #if defined(_MSC_VER)
3199 #pragma warning( pop )
3202 for( i
= 0; i
< ssl
->handshake
->pmslen
; i
++ )
3203 pms
[i
] = ( mask
& fake_pms
[i
] ) | ( (~mask
) & peer_pms
[i
] );
3207 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3208 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3210 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3211 static int ssl_parse_client_psk_identity( mbedtls_ssl_context
*ssl
, unsigned char **p
,
3212 const unsigned char *end
)
3217 if( ssl
->conf
->f_psk
== NULL
&&
3218 ( ssl
->conf
->psk
== NULL
|| ssl
->conf
->psk_identity
== NULL
||
3219 ssl
->conf
->psk_identity_len
== 0 || ssl
->conf
->psk_len
== 0 ) )
3221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3222 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
3226 * Receive client pre-shared key identity name
3230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3231 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3234 n
= ( (*p
)[0] << 8 ) | (*p
)[1];
3237 if( n
< 1 || n
> 65535 || *p
+ n
> end
)
3239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3240 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3243 if( ssl
->conf
->f_psk
!= NULL
)
3245 if( ssl
->conf
->f_psk( ssl
->conf
->p_psk
, ssl
, *p
, n
) != 0 )
3246 ret
= MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
;
3250 /* Identity is not a big secret since clients send it in the clear,
3251 * but treat it carefully anyway, just in case */
3252 if( n
!= ssl
->conf
->psk_identity_len
||
3253 mbedtls_ssl_safer_memcmp( ssl
->conf
->psk_identity
, *p
, n
) != 0 )
3255 ret
= MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
;
3259 if( ret
== MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
)
3261 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p
, n
);
3262 if( ( ret
= mbedtls_ssl_send_alert_message( ssl
,
3263 MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
3264 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
) ) != 0 )
3269 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
);
3276 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3278 static int ssl_parse_client_key_exchange( mbedtls_ssl_context
*ssl
)
3281 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
3282 unsigned char *p
, *end
;
3284 ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
3286 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3288 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
3290 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
3294 p
= ssl
->in_msg
+ mbedtls_ssl_hs_hdr_len( ssl
);
3295 end
= ssl
->in_msg
+ ssl
->in_hslen
;
3297 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
)
3299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3300 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3303 if( ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
)
3305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3306 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3309 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3310 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_RSA
)
3312 if( ( ret
= ssl_parse_client_dh_public( ssl
, &p
, end
) ) != 0 )
3314 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret
);
3320 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3321 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3324 if( ( ret
= mbedtls_dhm_calc_secret( &ssl
->handshake
->dhm_ctx
,
3325 ssl
->handshake
->premaster
,
3326 MBEDTLS_PREMASTER_SIZE
,
3327 &ssl
->handshake
->pmslen
,
3328 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3330 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret
);
3331 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
);
3334 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl
->handshake
->dhm_ctx
.K
);
3337 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3338 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3339 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3340 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3341 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3342 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
||
3343 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
||
3344 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA
||
3345 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
)
3347 if( ( ret
= mbedtls_ecdh_read_public( &ssl
->handshake
->ecdh_ctx
,
3348 p
, end
- p
) ) != 0 )
3350 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret
);
3351 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3354 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl
->handshake
->ecdh_ctx
.Qp
);
3356 if( ( ret
= mbedtls_ecdh_calc_secret( &ssl
->handshake
->ecdh_ctx
,
3357 &ssl
->handshake
->pmslen
,
3358 ssl
->handshake
->premaster
,
3359 MBEDTLS_MPI_MAX_SIZE
,
3360 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3362 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret
);
3363 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
);
3366 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl
->handshake
->ecdh_ctx
.z
);
3369 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3370 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3371 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3372 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3373 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3374 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
)
3376 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3378 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3385 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3388 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3389 ciphersuite_info
->key_exchange
) ) != 0 )
3391 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3396 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3397 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3398 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
)
3400 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3402 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3406 if( ( ret
= ssl_parse_encrypted_pms( ssl
, p
, end
, 2 ) ) != 0 )
3408 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret
);
3412 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3413 ciphersuite_info
->key_exchange
) ) != 0 )
3415 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3420 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3421 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3422 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
)
3424 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3426 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3429 if( ( ret
= ssl_parse_client_dh_public( ssl
, &p
, end
) ) != 0 )
3431 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret
);
3437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3438 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3441 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3442 ciphersuite_info
->key_exchange
) ) != 0 )
3444 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3449 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3450 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3451 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
3453 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3455 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3459 if( ( ret
= mbedtls_ecdh_read_public( &ssl
->handshake
->ecdh_ctx
,
3460 p
, end
- p
) ) != 0 )
3462 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret
);
3463 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3466 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl
->handshake
->ecdh_ctx
.Qp
);
3468 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3469 ciphersuite_info
->key_exchange
) ) != 0 )
3471 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3476 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3477 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3478 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA
)
3480 if( ( ret
= ssl_parse_encrypted_pms( ssl
, p
, end
, 0 ) ) != 0 )
3482 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret
);
3487 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3488 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3489 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
3491 ret
= mbedtls_ecjpake_read_round_two( &ssl
->handshake
->ecjpake_ctx
,
3495 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret
);
3496 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
);
3499 ret
= mbedtls_ecjpake_derive_secret( &ssl
->handshake
->ecjpake_ctx
,
3500 ssl
->handshake
->premaster
, 32, &ssl
->handshake
->pmslen
,
3501 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
3504 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret
);
3509 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3512 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3515 if( ( ret
= mbedtls_ssl_derive_keys( ssl
) ) != 0 )
3517 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret
);
3523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
3528 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3529 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3530 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3531 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3532 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3533 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3534 static int ssl_parse_certificate_verify( mbedtls_ssl_context
*ssl
)
3536 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
3538 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3540 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
3541 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
3542 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
3543 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
3544 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
3546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3551 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3552 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3555 static int ssl_parse_certificate_verify( mbedtls_ssl_context
*ssl
)
3557 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
3559 unsigned char hash
[48];
3560 unsigned char *hash_start
= hash
;
3562 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3563 mbedtls_pk_type_t pk_alg
;
3565 mbedtls_md_type_t md_alg
;
3566 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
3568 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3570 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
3571 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
3572 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
3573 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
3574 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
||
3575 ssl
->session_negotiate
->peer_cert
== NULL
)
3577 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3582 /* Read the message without adding it to the checksum */
3585 if( ( ret
= mbedtls_ssl_read_record_layer( ssl
) ) != 0 )
3587 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret
);
3591 ret
= mbedtls_ssl_handle_message_type( ssl
);
3593 } while( MBEDTLS_ERR_SSL_NON_FATAL
== ret
);
3597 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret
);
3603 /* Process the message contents */
3604 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
||
3605 ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
)
3607 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3608 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3611 i
= mbedtls_ssl_hs_hdr_len( ssl
);
3615 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3616 * opaque signature<0..2^16-1>;
3617 * } DigitallySigned;
3619 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3620 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3621 if( ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_3
)
3623 md_alg
= MBEDTLS_MD_NONE
;
3626 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3627 if( mbedtls_pk_can_do( &ssl
->session_negotiate
->peer_cert
->pk
,
3628 MBEDTLS_PK_ECDSA
) )
3632 md_alg
= MBEDTLS_MD_SHA1
;
3636 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
3637 MBEDTLS_SSL_PROTO_TLS1_1 */
3638 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3639 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
3641 if( i
+ 2 > ssl
->in_hslen
)
3643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3644 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3650 md_alg
= mbedtls_ssl_md_alg_from_hash( ssl
->in_msg
[i
] );
3652 if( md_alg
== MBEDTLS_MD_NONE
|| mbedtls_ssl_set_calc_verify_md( ssl
, ssl
->in_msg
[i
] ) )
3654 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3655 " for verify message" ) );
3656 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3659 #if !defined(MBEDTLS_MD_SHA1)
3660 if( MBEDTLS_MD_SHA1
== md_alg
)
3664 /* Info from md_alg will be used instead */
3672 if( ( pk_alg
= mbedtls_ssl_pk_alg_from_sig( ssl
->in_msg
[i
] ) )
3673 == MBEDTLS_PK_NONE
)
3675 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3676 " for verify message" ) );
3677 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3681 * Check the certificate's key type matches the signature alg
3683 if( ! mbedtls_pk_can_do( &ssl
->session_negotiate
->peer_cert
->pk
, pk_alg
) )
3685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3686 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3692 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3694 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3695 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3698 if( i
+ 2 > ssl
->in_hslen
)
3700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3701 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3704 sig_len
= ( ssl
->in_msg
[i
] << 8 ) | ssl
->in_msg
[i
+1];
3707 if( i
+ sig_len
!= ssl
->in_hslen
)
3709 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3710 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3713 /* Calculate hash and verify signature */
3714 ssl
->handshake
->calc_verify( ssl
, hash
);
3716 if( ( ret
= mbedtls_pk_verify( &ssl
->session_negotiate
->peer_cert
->pk
,
3717 md_alg
, hash_start
, hashlen
,
3718 ssl
->in_msg
+ i
, sig_len
) ) != 0 )
3720 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret
);
3724 mbedtls_ssl_update_handshake_status( ssl
);
3726 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3730 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3731 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3732 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3733 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3734 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3735 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3737 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3738 static int ssl_write_new_session_ticket( mbedtls_ssl_context
*ssl
)
3744 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3746 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3747 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET
;
3751 * uint32 ticket_lifetime_hint;
3752 * opaque ticket<0..2^16-1>;
3753 * } NewSessionTicket;
3755 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3756 * 8 . 9 ticket_len (n)
3757 * 10 . 9+n ticket content
3760 if( ( ret
= ssl
->conf
->f_ticket_write( ssl
->conf
->p_ticket
,
3761 ssl
->session_negotiate
,
3763 ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
,
3764 &tlen
, &lifetime
) ) != 0 )
3766 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret
);
3770 ssl
->out_msg
[4] = ( lifetime
>> 24 ) & 0xFF;
3771 ssl
->out_msg
[5] = ( lifetime
>> 16 ) & 0xFF;
3772 ssl
->out_msg
[6] = ( lifetime
>> 8 ) & 0xFF;
3773 ssl
->out_msg
[7] = ( lifetime
) & 0xFF;
3775 ssl
->out_msg
[8] = (unsigned char)( ( tlen
>> 8 ) & 0xFF );
3776 ssl
->out_msg
[9] = (unsigned char)( ( tlen
) & 0xFF );
3778 ssl
->out_msglen
= 10 + tlen
;
3781 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3782 * ChangeCipherSpec share the same state.
3784 ssl
->handshake
->new_session_ticket
= 0;
3786 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3788 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3792 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3796 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3799 * SSL handshake -- server side -- single step
3801 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context
*ssl
)
3805 if( ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
|| ssl
->handshake
== NULL
)
3806 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
3808 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl
->state
) );
3810 if( ( ret
= mbedtls_ssl_flush_output( ssl
) ) != 0 )
3813 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3814 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
3815 ssl
->handshake
->retransmit_state
== MBEDTLS_SSL_RETRANS_SENDING
)
3817 if( ( ret
= mbedtls_ssl_resend( ssl
) ) != 0 )
3822 switch( ssl
->state
)
3824 case MBEDTLS_SSL_HELLO_REQUEST
:
3825 ssl
->state
= MBEDTLS_SSL_CLIENT_HELLO
;
3831 case MBEDTLS_SSL_CLIENT_HELLO
:
3832 ret
= ssl_parse_client_hello( ssl
);
3835 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3836 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
:
3837 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
);
3843 * ( ServerKeyExchange )
3844 * ( CertificateRequest )
3847 case MBEDTLS_SSL_SERVER_HELLO
:
3848 ret
= ssl_write_server_hello( ssl
);
3851 case MBEDTLS_SSL_SERVER_CERTIFICATE
:
3852 ret
= mbedtls_ssl_write_certificate( ssl
);
3855 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE
:
3856 ret
= ssl_write_server_key_exchange( ssl
);
3859 case MBEDTLS_SSL_CERTIFICATE_REQUEST
:
3860 ret
= ssl_write_certificate_request( ssl
);
3863 case MBEDTLS_SSL_SERVER_HELLO_DONE
:
3864 ret
= ssl_write_server_hello_done( ssl
);
3868 * <== ( Certificate/Alert )
3870 * ( CertificateVerify )
3874 case MBEDTLS_SSL_CLIENT_CERTIFICATE
:
3875 ret
= mbedtls_ssl_parse_certificate( ssl
);
3878 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
:
3879 ret
= ssl_parse_client_key_exchange( ssl
);
3882 case MBEDTLS_SSL_CERTIFICATE_VERIFY
:
3883 ret
= ssl_parse_certificate_verify( ssl
);
3886 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
:
3887 ret
= mbedtls_ssl_parse_change_cipher_spec( ssl
);
3890 case MBEDTLS_SSL_CLIENT_FINISHED
:
3891 ret
= mbedtls_ssl_parse_finished( ssl
);
3895 * ==> ( NewSessionTicket )
3899 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
:
3900 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3901 if( ssl
->handshake
->new_session_ticket
!= 0 )
3902 ret
= ssl_write_new_session_ticket( ssl
);
3905 ret
= mbedtls_ssl_write_change_cipher_spec( ssl
);
3908 case MBEDTLS_SSL_SERVER_FINISHED
:
3909 ret
= mbedtls_ssl_write_finished( ssl
);
3912 case MBEDTLS_SSL_FLUSH_BUFFERS
:
3913 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3914 ssl
->state
= MBEDTLS_SSL_HANDSHAKE_WRAPUP
;
3917 case MBEDTLS_SSL_HANDSHAKE_WRAPUP
:
3918 mbedtls_ssl_handshake_wrapup( ssl
);
3922 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl
->state
) );
3923 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
3928 #endif /* MBEDTLS_SSL_SRV_C */