projects / reactos.git / blob
? search:


5264f25d602579d221ab01ad9ac9746407a8b390
[reactos.git] / reactos / dll / 3rdparty / mbedtls / ssl_srv.c
1 /*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24 #if !defined(MBEDTLS_CONFIG_FILE)
25 #include "mbedtls/config.h"
26 #else
27 #include MBEDTLS_CONFIG_FILE
28 #endif
29
30 #if defined(MBEDTLS_SSL_SRV_C)
31
32 #if defined(MBEDTLS_PLATFORM_C)
33 #include "mbedtls/platform.h"
34 #else
35 #include <stdlib.h>
36 #define mbedtls_calloc calloc
37 #define mbedtls_free free
38 #endif
39
40 #include "mbedtls/debug.h"
41 #include "mbedtls/ssl.h"
42 #include "mbedtls/ssl_internal.h"
43
44 #include <string.h>
45
46 #if defined(MBEDTLS_ECP_C)
47 #include "mbedtls/ecp.h"
48 #endif
49
50 #if defined(MBEDTLS_HAVE_TIME)
51 #include "mbedtls/platform_time.h"
52 #endif
53
54 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
55 /* Implementation that should never be optimized out by the compiler */
56 static void mbedtls_zeroize( void *v, size_t n ) {
57 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
58 }
59 #endif
60
61 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
62 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
63 const unsigned char *info,
64 size_t ilen )
65 {
66 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
67 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
68
69 mbedtls_free( ssl->cli_id );
70
71 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
72 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
73
74 memcpy( ssl->cli_id, info, ilen );
75 ssl->cli_id_len = ilen;
76
77 return( 0 );
78 }
79
80 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
81 mbedtls_ssl_cookie_write_t *f_cookie_write,
82 mbedtls_ssl_cookie_check_t *f_cookie_check,
83 void *p_cookie )
84 {
85 conf->f_cookie_write = f_cookie_write;
86 conf->f_cookie_check = f_cookie_check;
87 conf->p_cookie = p_cookie;
88 }
89 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
90
91 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
92 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
93 const unsigned char *buf,
94 size_t len )
95 {
96 int ret;
97 size_t servername_list_size, hostname_len;
98 const unsigned char *p;
99
100 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
101
102 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
103 if( servername_list_size + 2 != len )
104 {
105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
106 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
107 }
108
109 p = buf + 2;
110 while( servername_list_size > 0 )
111 {
112 hostname_len = ( ( p[1] << 8 ) | p[2] );
113 if( hostname_len + 3 > servername_list_size )
114 {
115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
116 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
117 }
118
119 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
120 {
121 ret = ssl->conf->f_sni( ssl->conf->p_sni,
122 ssl, p + 3, hostname_len );
123 if( ret != 0 )
124 {
125 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
126 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
127 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
128 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
129 }
130 return( 0 );
131 }
132
133 servername_list_size -= hostname_len + 3;
134 p += hostname_len + 3;
135 }
136
137 if( servername_list_size != 0 )
138 {
139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
140 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
141 }
142
143 return( 0 );
144 }
145 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
146
147 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
148 const unsigned char *buf,
149 size_t len )
150 {
151 int ret;
152
153 #if defined(MBEDTLS_SSL_RENEGOTIATION)
154 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
155 {
156 /* Check verify-data in constant-time. The length OTOH is no secret */
157 if( len != 1 + ssl->verify_data_len ||
158 buf[0] != ssl->verify_data_len ||
159 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
160 ssl->verify_data_len ) != 0 )
161 {
162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
163
164 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
165 return( ret );
166
167 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
168 }
169 }
170 else
171 #endif /* MBEDTLS_SSL_RENEGOTIATION */
172 {
173 if( len != 1 || buf[0] != 0x0 )
174 {
175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
176
177 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
178 return( ret );
179
180 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
181 }
182
183 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
184 }
185
186 return( 0 );
187 }
188
189 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
190 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
191 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
192 const unsigned char *buf,
193 size_t len )
194 {
195 size_t sig_alg_list_size;
196 const unsigned char *p;
197 const unsigned char *end = buf + len;
198 const int *md_cur;
199
200
201 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
202 if( sig_alg_list_size + 2 != len ||
203 sig_alg_list_size % 2 != 0 )
204 {
205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
206 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
207 }
208
209 /*
210 * For now, ignore the SignatureAlgorithm part and rely on offered
211 * ciphersuites only for that part. To be fixed later.
212 *
213 * So, just look at the HashAlgorithm part.
214 */
215 for( md_cur = ssl->conf->sig_hashes; *md_cur != MBEDTLS_MD_NONE; md_cur++ ) {
216 for( p = buf + 2; p < end; p += 2 ) {
217 if( *md_cur == (int) mbedtls_ssl_md_alg_from_hash( p[0] ) ) {
218 ssl->handshake->sig_alg = p[0];
219 goto have_sig_alg;
220 }
221 }
222 }
223
224 /* Some key echanges do not need signatures at all */
225 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
226 return( 0 );
227
228 have_sig_alg:
229 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
230 ssl->handshake->sig_alg ) );
231
232 return( 0 );
233 }
234 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
235 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
236
237 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
238 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
239 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
240 const unsigned char *buf,
241 size_t len )
242 {
243 size_t list_size, our_size;
244 const unsigned char *p;
245 const mbedtls_ecp_curve_info *curve_info, **curves;
246
247 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
248 if( list_size + 2 != len ||
249 list_size % 2 != 0 )
250 {
251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
252 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
253 }
254
255 /* Should never happen unless client duplicates the extension */
256 if( ssl->handshake->curves != NULL )
257 {
258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
259 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
260 }
261
262 /* Don't allow our peer to make us allocate too much memory,
263 * and leave room for a final 0 */
264 our_size = list_size / 2 + 1;
265 if( our_size > MBEDTLS_ECP_DP_MAX )
266 our_size = MBEDTLS_ECP_DP_MAX;
267
268 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
269 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
270
271 ssl->handshake->curves = curves;
272
273 p = buf + 2;
274 while( list_size > 0 && our_size > 1 )
275 {
276 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
277
278 if( curve_info != NULL )
279 {
280 *curves++ = curve_info;
281 our_size--;
282 }
283
284 list_size -= 2;
285 p += 2;
286 }
287
288 return( 0 );
289 }
290
291 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
292 const unsigned char *buf,
293 size_t len )
294 {
295 size_t list_size;
296 const unsigned char *p;
297
298 list_size = buf[0];
299 if( list_size + 1 != len )
300 {
301 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
302 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
303 }
304
305 p = buf + 1;
306 while( list_size > 0 )
307 {
308 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
309 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
310 {
311 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
312 ssl->handshake->ecdh_ctx.point_format = p[0];
313 #endif
314 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
315 ssl->handshake->ecjpake_ctx.point_format = p[0];
316 #endif
317 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
318 return( 0 );
319 }
320
321 list_size--;
322 p++;
323 }
324
325 return( 0 );
326 }
327 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
328 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
329
330 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
331 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
332 const unsigned char *buf,
333 size_t len )
334 {
335 int ret;
336
337 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
338 {
339 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
340 return( 0 );
341 }
342
343 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
344 buf, len ) ) != 0 )
345 {
346 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
347 return( ret );
348 }
349
350 /* Only mark the extension as OK when we're sure it is */
351 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
352
353 return( 0 );
354 }
355 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
356
357 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
358 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
359 const unsigned char *buf,
360 size_t len )
361 {
362 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
363 {
364 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
365 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
366 }
367
368 ssl->session_negotiate->mfl_code = buf[0];
369
370 return( 0 );
371 }
372 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
373
374 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
375 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
376 const unsigned char *buf,
377 size_t len )
378 {
379 if( len != 0 )
380 {
381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
382 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
383 }
384
385 ((void) buf);
386
387 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
388 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
389
390 return( 0 );
391 }
392 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
393
394 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
395 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
396 const unsigned char *buf,
397 size_t len )
398 {
399 if( len != 0 )
400 {
401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
402 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
403 }
404
405 ((void) buf);
406
407 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
408 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
409 {
410 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
411 }
412
413 return( 0 );
414 }
415 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
416
417 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
418 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
419 const unsigned char *buf,
420 size_t len )
421 {
422 if( len != 0 )
423 {
424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
425 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
426 }
427
428 ((void) buf);
429
430 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
431 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
432 {
433 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
434 }
435
436 return( 0 );
437 }
438 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
439
440 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
441 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
442 unsigned char *buf,
443 size_t len )
444 {
445 int ret;
446 mbedtls_ssl_session session;
447
448 mbedtls_ssl_session_init( &session );
449
450 if( ssl->conf->f_ticket_parse == NULL ||
451 ssl->conf->f_ticket_write == NULL )
452 {
453 return( 0 );
454 }
455
456 /* Remember the client asked us to send a new ticket */
457 ssl->handshake->new_session_ticket = 1;
458
459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
460
461 if( len == 0 )
462 return( 0 );
463
464 #if defined(MBEDTLS_SSL_RENEGOTIATION)
465 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
466 {
467 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
468 return( 0 );
469 }
470 #endif /* MBEDTLS_SSL_RENEGOTIATION */
471
472 /*
473 * Failures are ok: just ignore the ticket and proceed.
474 */
475 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
476 buf, len ) ) != 0 )
477 {
478 mbedtls_ssl_session_free( &session );
479
480 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
481 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
482 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
483 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
484 else
485 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
486
487 return( 0 );
488 }
489
490 /*
491 * Keep the session ID sent by the client, since we MUST send it back to
492 * inform them we're accepting the ticket (RFC 5077 section 3.4)
493 */
494 session.id_len = ssl->session_negotiate->id_len;
495 memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
496
497 mbedtls_ssl_session_free( ssl->session_negotiate );
498 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
499
500 /* Zeroize instead of free as we copied the content */
501 mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) );
502
503 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
504
505 ssl->handshake->resume = 1;
506
507 /* Don't send a new ticket after all, this one is OK */
508 ssl->handshake->new_session_ticket = 0;
509
510 return( 0 );
511 }
512 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
513
514 #if defined(MBEDTLS_SSL_ALPN)
515 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
516 const unsigned char *buf, size_t len )
517 {
518 size_t list_len, cur_len, ours_len;
519 const unsigned char *theirs, *start, *end;
520 const char **ours;
521
522 /* If ALPN not configured, just ignore the extension */
523 if( ssl->conf->alpn_list == NULL )
524 return( 0 );
525
526 /*
527 * opaque ProtocolName<1..2^8-1>;
528 *
529 * struct {
530 * ProtocolName protocol_name_list<2..2^16-1>
531 * } ProtocolNameList;
532 */
533
534 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
535 if( len < 4 )
536 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
537
538 list_len = ( buf[0] << 8 ) | buf[1];
539 if( list_len != len - 2 )
540 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
541
542 /*
543 * Use our order of preference
544 */
545 start = buf + 2;
546 end = buf + len;
547 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
548 {
549 ours_len = strlen( *ours );
550 for( theirs = start; theirs != end; theirs += cur_len )
551 {
552 /* If the list is well formed, we should get equality first */
553 if( theirs > end )
554 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
555
556 cur_len = *theirs++;
557
558 /* Empty strings MUST NOT be included */
559 if( cur_len == 0 )
560 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
561
562 if( cur_len == ours_len &&
563 memcmp( theirs, *ours, cur_len ) == 0 )
564 {
565 ssl->alpn_chosen = *ours;
566 return( 0 );
567 }
568 }
569 }
570
571 /* If we get there, no match was found */
572 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
573 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
574 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
575 }
576 #endif /* MBEDTLS_SSL_ALPN */
577
578 /*
579 * Auxiliary functions for ServerHello parsing and related actions
580 */
581
582 #if defined(MBEDTLS_X509_CRT_PARSE_C)
583 /*
584 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
585 */
586 #if defined(MBEDTLS_ECDSA_C)
587 static int ssl_check_key_curve( mbedtls_pk_context *pk,
588 const mbedtls_ecp_curve_info **curves )
589 {
590 const mbedtls_ecp_curve_info **crv = curves;
591 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
592
593 while( *crv != NULL )
594 {
595 if( (*crv)->grp_id == grp_id )
596 return( 0 );
597 crv++;
598 }
599
600 return( -1 );
601 }
602 #endif /* MBEDTLS_ECDSA_C */
603
604 /*
605 * Try picking a certificate for this ciphersuite,
606 * return 0 on success and -1 on failure.
607 */
608 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
609 const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
610 {
611 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
612 mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
613 uint32_t flags;
614
615 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
616 if( ssl->handshake->sni_key_cert != NULL )
617 list = ssl->handshake->sni_key_cert;
618 else
619 #endif
620 list = ssl->conf->key_cert;
621
622 if( pk_alg == MBEDTLS_PK_NONE )
623 return( 0 );
624
625 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
626
627 if( list == NULL )
628 {
629 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
630 return( -1 );
631 }
632
633 for( cur = list; cur != NULL; cur = cur->next )
634 {
635 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
636 cur->cert );
637
638 if( ! mbedtls_pk_can_do( cur->key, pk_alg ) )
639 {
640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
641 continue;
642 }
643
644 /*
645 * This avoids sending the client a cert it'll reject based on
646 * keyUsage or other extensions.
647 *
648 * It also allows the user to provision different certificates for
649 * different uses based on keyUsage, eg if they want to avoid signing
650 * and decrypting with the same RSA key.
651 */
652 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
653 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
654 {
655 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
656 "(extended) key usage extension" ) );
657 continue;
658 }
659
660 #if defined(MBEDTLS_ECDSA_C)
661 if( pk_alg == MBEDTLS_PK_ECDSA &&
662 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
663 {
664 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
665 continue;
666 }
667 #endif
668
669 /*
670 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
671 * present them a SHA-higher cert rather than failing if it's the only
672 * one we got that satisfies the other conditions.
673 */
674 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
675 cur->cert->sig_md != MBEDTLS_MD_SHA1 )
676 {
677 if( fallback == NULL )
678 fallback = cur;
679 {
680 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
681 "sha-2 with pre-TLS 1.2 client" ) );
682 continue;
683 }
684 }
685
686 /* If we get there, we got a winner */
687 break;
688 }
689
690 if( cur == NULL )
691 cur = fallback;
692
693 /* Do not update ssl->handshake->key_cert unless there is a match */
694 if( cur != NULL )
695 {
696 ssl->handshake->key_cert = cur;
697 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
698 ssl->handshake->key_cert->cert );
699 return( 0 );
700 }
701
702 return( -1 );
703 }
704 #endif /* MBEDTLS_X509_CRT_PARSE_C */
705
706 /*
707 * Check if a given ciphersuite is suitable for use with our config/keys/etc
708 * Sets ciphersuite_info only if the suite matches.
709 */
710 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
711 const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
712 {
713 const mbedtls_ssl_ciphersuite_t *suite_info;
714
715 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
716 if( suite_info == NULL )
717 {
718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
720 }
721
722 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
723
724 if( suite_info->min_minor_ver > ssl->minor_ver ||
725 suite_info->max_minor_ver < ssl->minor_ver )
726 {
727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
728 return( 0 );
729 }
730
731 #if defined(MBEDTLS_SSL_PROTO_DTLS)
732 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
733 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
734 return( 0 );
735 #endif
736
737 #if defined(MBEDTLS_ARC4_C)
738 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
739 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
740 {
741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
742 return( 0 );
743 }
744 #endif
745
746 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
747 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
748 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
749 {
750 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
751 "not configured or ext missing" ) );
752 return( 0 );
753 }
754 #endif
755
756
757 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
758 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
759 ( ssl->handshake->curves == NULL ||
760 ssl->handshake->curves[0] == NULL ) )
761 {
762 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
763 "no common elliptic curve" ) );
764 return( 0 );
765 }
766 #endif
767
768 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
769 /* If the ciphersuite requires a pre-shared key and we don't
770 * have one, skip it now rather than failing later */
771 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
772 ssl->conf->f_psk == NULL &&
773 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
774 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
775 {
776 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
777 return( 0 );
778 }
779 #endif
780
781 #if defined(MBEDTLS_X509_CRT_PARSE_C)
782 /*
783 * Final check: if ciphersuite requires us to have a
784 * certificate/key of a particular type:
785 * - select the appropriate certificate if we have one, or
786 * - try the next ciphersuite if we don't
787 * This must be done last since we modify the key_cert list.
788 */
789 if( ssl_pick_cert( ssl, suite_info ) != 0 )
790 {
791 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
792 "no suitable certificate" ) );
793 return( 0 );
794 }
795 #endif
796
797 *ciphersuite_info = suite_info;
798 return( 0 );
799 }
800
801 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
802 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
803 {
804 int ret, got_common_suite;
805 unsigned int i, j;
806 size_t n;
807 unsigned int ciph_len, sess_len, chal_len;
808 unsigned char *buf, *p;
809 const int *ciphersuites;
810 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
811
812 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
813
814 #if defined(MBEDTLS_SSL_RENEGOTIATION)
815 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
816 {
817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
818
819 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
820 return( ret );
821
822 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
823 }
824 #endif /* MBEDTLS_SSL_RENEGOTIATION */
825
826 buf = ssl->in_hdr;
827
828 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
829
830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
831 buf[2] ) );
832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
833 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
834 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
835 buf[3], buf[4] ) );
836
837 /*
838 * SSLv2 Client Hello
839 *
840 * Record layer:
841 * 0 . 1 message length
842 *
843 * SSL layer:
844 * 2 . 2 message type
845 * 3 . 4 protocol version
846 */
847 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
848 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
849 {
850 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
851 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
852 }
853
854 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
855
856 if( n < 17 || n > 512 )
857 {
858 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
859 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
860 }
861
862 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
863 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
864 ? buf[4] : ssl->conf->max_minor_ver;
865
866 if( ssl->minor_ver < ssl->conf->min_minor_ver )
867 {
868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
869 " [%d:%d] < [%d:%d]",
870 ssl->major_ver, ssl->minor_ver,
871 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
872
873 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
874 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
875 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
876 }
877
878 ssl->handshake->max_major_ver = buf[3];
879 ssl->handshake->max_minor_ver = buf[4];
880
881 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
882 {
883 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
884 return( ret );
885 }
886
887 ssl->handshake->update_checksum( ssl, buf + 2, n );
888
889 buf = ssl->in_msg;
890 n = ssl->in_left - 5;
891
892 /*
893 * 0 . 1 ciphersuitelist length
894 * 2 . 3 session id length
895 * 4 . 5 challenge length
896 * 6 . .. ciphersuitelist
897 * .. . .. session id
898 * .. . .. challenge
899 */
900 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
901
902 ciph_len = ( buf[0] << 8 ) | buf[1];
903 sess_len = ( buf[2] << 8 ) | buf[3];
904 chal_len = ( buf[4] << 8 ) | buf[5];
905
906 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
907 ciph_len, sess_len, chal_len ) );
908
909 /*
910 * Make sure each parameter length is valid
911 */
912 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
913 {
914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
915 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
916 }
917
918 if( sess_len > 32 )
919 {
920 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
921 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
922 }
923
924 if( chal_len < 8 || chal_len > 32 )
925 {
926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
927 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
928 }
929
930 if( n != 6 + ciph_len + sess_len + chal_len )
931 {
932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
933 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
934 }
935
936 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
937 buf + 6, ciph_len );
938 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
939 buf + 6 + ciph_len, sess_len );
940 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
941 buf + 6 + ciph_len + sess_len, chal_len );
942
943 p = buf + 6 + ciph_len;
944 ssl->session_negotiate->id_len = sess_len;
945 memset( ssl->session_negotiate->id, 0,
946 sizeof( ssl->session_negotiate->id ) );
947 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
948
949 p += sess_len;
950 memset( ssl->handshake->randbytes, 0, 64 );
951 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
952
953 /*
954 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
955 */
956 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
957 {
958 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
959 {
960 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
961 #if defined(MBEDTLS_SSL_RENEGOTIATION)
962 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
963 {
964 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
965 "during renegotiation" ) );
966
967 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
968 return( ret );
969
970 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
971 }
972 #endif /* MBEDTLS_SSL_RENEGOTIATION */
973 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
974 break;
975 }
976 }
977
978 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
979 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
980 {
981 if( p[0] == 0 &&
982 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
983 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
984 {
985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
986
987 if( ssl->minor_ver < ssl->conf->max_minor_ver )
988 {
989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
990
991 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
992 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
993
994 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
995 }
996
997 break;
998 }
999 }
1000 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1001
1002 got_common_suite = 0;
1003 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1004 ciphersuite_info = NULL;
1005 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1006 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1007 {
1008 for( i = 0; ciphersuites[i] != 0; i++ )
1009 #else
1010 for( i = 0; ciphersuites[i] != 0; i++ )
1011 {
1012 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1013 #endif
1014 {
1015 if( p[0] != 0 ||
1016 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1017 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1018 continue;
1019
1020 got_common_suite = 1;
1021
1022 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1023 &ciphersuite_info ) ) != 0 )
1024 return( ret );
1025
1026 if( ciphersuite_info != NULL )
1027 goto have_ciphersuite_v2;
1028 }
1029 }
1030
1031 if( got_common_suite )
1032 {
1033 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1034 "but none of them usable" ) );
1035 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
1036 }
1037 else
1038 {
1039 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1040 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
1041 }
1042
1043 have_ciphersuite_v2:
1044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1045
1046 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1047 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1048
1049 /*
1050 * SSLv2 Client Hello relevant renegotiation security checks
1051 */
1052 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1053 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1054 {
1055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1056
1057 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1058 return( ret );
1059
1060 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1061 }
1062
1063 ssl->in_left = 0;
1064 ssl->state++;
1065
1066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1067
1068 return( 0 );
1069 }
1070 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1071
1072 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
1073 {
1074 int ret, got_common_suite;
1075 size_t i, j;
1076 size_t ciph_offset, comp_offset, ext_offset;
1077 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
1078 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1079 size_t cookie_offset, cookie_len;
1080 #endif
1081 unsigned char *buf, *p, *ext;
1082 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1083 int renegotiation_info_seen = 0;
1084 #endif
1085 int handshake_failure = 0;
1086 const int *ciphersuites;
1087 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1088 int major, minor;
1089
1090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1091
1092 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1093 read_record_header:
1094 #endif
1095 /*
1096 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1097 * otherwise read it ourselves manually in order to support SSLv2
1098 * ClientHello, which doesn't use the same record layer format.
1099 */
1100 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1101 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1102 #endif
1103 {
1104 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
1105 {
1106 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1107 return( ret );
1108 }
1109 }
1110
1111 buf = ssl->in_hdr;
1112
1113 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1114 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1115 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
1116 #endif
1117 if( ( buf[0] & 0x80 ) != 0 )
1118 return ssl_parse_client_hello_v2( ssl );
1119 #endif
1120
1121 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
1122
1123 /*
1124 * SSLv3/TLS Client Hello
1125 *
1126 * Record layer:
1127 * 0 . 0 message type
1128 * 1 . 2 protocol version
1129 * 3 . 11 DTLS: epoch + record sequence number
1130 * 3 . 4 message length
1131 */
1132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1133 buf[0] ) );
1134
1135 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
1136 {
1137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1138 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1139 }
1140
1141 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1142 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
1143
1144 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
1145 buf[1], buf[2] ) );
1146
1147 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
1148
1149 /* According to RFC 5246 Appendix E.1, the version here is typically
1150 * "{03,00}, the lowest version number supported by the client, [or] the
1151 * value of ClientHello.client_version", so the only meaningful check here
1152 * is the major version shouldn't be less than 3 */
1153 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
1154 {
1155 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1156 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1157 }
1158
1159 /* For DTLS if this is the initial handshake, remember the client sequence
1160 * number to use it in our next message (RFC 6347 4.2.1) */
1161 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1162 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
1163 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1164 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1165 #endif
1166 )
1167 {
1168 /* Epoch should be 0 for initial handshakes */
1169 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
1170 {
1171 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1172 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1173 }
1174
1175 memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
1176
1177 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1178 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
1179 {
1180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1181 ssl->next_record_offset = 0;
1182 ssl->in_left = 0;
1183 goto read_record_header;
1184 }
1185
1186 /* No MAC to check yet, so we can update right now */
1187 mbedtls_ssl_dtls_replay_update( ssl );
1188 #endif
1189 }
1190 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1191
1192 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
1193
1194 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1195 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1196 {
1197 /* Set by mbedtls_ssl_read_record() */
1198 msg_len = ssl->in_hslen;
1199 }
1200 else
1201 #endif
1202 {
1203 if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN )
1204 {
1205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1206 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1207 }
1208
1209 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
1210 {
1211 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1212 return( ret );
1213 }
1214
1215 /* Done reading this record, get ready for the next one */
1216 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1217 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1218 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
1219 else
1220 #endif
1221 ssl->in_left = 0;
1222 }
1223
1224 buf = ssl->in_msg;
1225
1226 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
1227
1228 ssl->handshake->update_checksum( ssl, buf, msg_len );
1229
1230 /*
1231 * Handshake layer:
1232 * 0 . 0 handshake type
1233 * 1 . 3 handshake length
1234 * 4 . 5 DTLS only: message seqence number
1235 * 6 . 8 DTLS only: fragment offset
1236 * 9 . 11 DTLS only: fragment length
1237 */
1238 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
1239 {
1240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1241 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1242 }
1243
1244 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
1245
1246 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
1247 {
1248 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1249 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1250 }
1251
1252 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1253 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1254
1255 /* We don't support fragmentation of ClientHello (yet?) */
1256 if( buf[1] != 0 ||
1257 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
1258 {
1259 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1260 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1261 }
1262
1263 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1264 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1265 {
1266 /*
1267 * Copy the client's handshake message_seq on initial handshakes,
1268 * check sequence number on renego.
1269 */
1270 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1271 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1272 {
1273 /* This couldn't be done in ssl_prepare_handshake_record() */
1274 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1275 ssl->in_msg[5];
1276
1277 if( cli_msg_seq != ssl->handshake->in_msg_seq )
1278 {
1279 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1280 "%d (expected %d)", cli_msg_seq,
1281 ssl->handshake->in_msg_seq ) );
1282 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1283 }
1284
1285 ssl->handshake->in_msg_seq++;
1286 }
1287 else
1288 #endif
1289 {
1290 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1291 ssl->in_msg[5];
1292 ssl->handshake->out_msg_seq = cli_msg_seq;
1293 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1294 }
1295
1296 /*
1297 * For now we don't support fragmentation, so make sure
1298 * fragment_offset == 0 and fragment_length == length
1299 */
1300 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
1301 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
1302 {
1303 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1304 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1305 }
1306 }
1307 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1308
1309 buf += mbedtls_ssl_hs_hdr_len( ssl );
1310 msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
1311
1312 /*
1313 * ClientHello layer:
1314 * 0 . 1 protocol version
1315 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1316 * 34 . 35 session id length (1 byte)
1317 * 35 . 34+x session id
1318 * 35+x . 35+x DTLS only: cookie length (1 byte)
1319 * 36+x . .. DTLS only: cookie
1320 * .. . .. ciphersuite list length (2 bytes)
1321 * .. . .. ciphersuite list
1322 * .. . .. compression alg. list length (1 byte)
1323 * .. . .. compression alg. list
1324 * .. . .. extensions length (2 bytes, optional)
1325 * .. . .. extensions (optional)
1326 */
1327
1328 /*
1329 * Minimal length (with everything empty and extensions ommitted) is
1330 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1331 * read at least up to session id length without worrying.
1332 */
1333 if( msg_len < 38 )
1334 {
1335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1336 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1337 }
1338
1339 /*
1340 * Check and save the protocol version
1341 */
1342 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
1343
1344 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1345 ssl->conf->transport, buf );
1346
1347 ssl->handshake->max_major_ver = ssl->major_ver;
1348 ssl->handshake->max_minor_ver = ssl->minor_ver;
1349
1350 if( ssl->major_ver < ssl->conf->min_major_ver ||
1351 ssl->minor_ver < ssl->conf->min_minor_ver )
1352 {
1353 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1354 " [%d:%d] < [%d:%d]",
1355 ssl->major_ver, ssl->minor_ver,
1356 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
1357
1358 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1359 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1360
1361 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1362 }
1363
1364 if( ssl->major_ver > ssl->conf->max_major_ver )
1365 {
1366 ssl->major_ver = ssl->conf->max_major_ver;
1367 ssl->minor_ver = ssl->conf->max_minor_ver;
1368 }
1369 else if( ssl->minor_ver > ssl->conf->max_minor_ver )
1370 ssl->minor_ver = ssl->conf->max_minor_ver;
1371
1372 /*
1373 * Save client random (inc. Unix time)
1374 */
1375 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
1376
1377 memcpy( ssl->handshake->randbytes, buf + 2, 32 );
1378
1379 /*
1380 * Check the session ID length and save session ID
1381 */
1382 sess_len = buf[34];
1383
1384 if( sess_len > sizeof( ssl->session_negotiate->id ) ||
1385 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
1386 {
1387 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1388 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1389 }
1390
1391 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
1392
1393 ssl->session_negotiate->id_len = sess_len;
1394 memset( ssl->session_negotiate->id, 0,
1395 sizeof( ssl->session_negotiate->id ) );
1396 memcpy( ssl->session_negotiate->id, buf + 35,
1397 ssl->session_negotiate->id_len );
1398
1399 /*
1400 * Check the cookie length and content
1401 */
1402 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1403 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1404 {
1405 cookie_offset = 35 + sess_len;
1406 cookie_len = buf[cookie_offset];
1407
1408 if( cookie_offset + 1 + cookie_len + 2 > msg_len )
1409 {
1410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1411 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1412 }
1413
1414 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1415 buf + cookie_offset + 1, cookie_len );
1416
1417 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1418 if( ssl->conf->f_cookie_check != NULL
1419 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1420 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1421 #endif
1422 )
1423 {
1424 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
1425 buf + cookie_offset + 1, cookie_len,
1426 ssl->cli_id, ssl->cli_id_len ) != 0 )
1427 {
1428 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1429 ssl->handshake->verify_cookie_len = 1;
1430 }
1431 else
1432 {
1433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1434 ssl->handshake->verify_cookie_len = 0;
1435 }
1436 }
1437 else
1438 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1439 {
1440 /* We know we didn't send a cookie, so it should be empty */
1441 if( cookie_len != 0 )
1442 {
1443 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1444 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1445 }
1446
1447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1448 }
1449
1450 /*
1451 * Check the ciphersuitelist length (will be parsed later)
1452 */
1453 ciph_offset = cookie_offset + 1 + cookie_len;
1454 }
1455 else
1456 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1457 ciph_offset = 35 + sess_len;
1458
1459 ciph_len = ( buf[ciph_offset + 0] << 8 )
1460 | ( buf[ciph_offset + 1] );
1461
1462 if( ciph_len < 2 ||
1463 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1464 ( ciph_len % 2 ) != 0 )
1465 {
1466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1467 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1468 }
1469
1470 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1471 buf + ciph_offset + 2, ciph_len );
1472
1473 /*
1474 * Check the compression algorithms length and pick one
1475 */
1476 comp_offset = ciph_offset + 2 + ciph_len;
1477
1478 comp_len = buf[comp_offset];
1479
1480 if( comp_len < 1 ||
1481 comp_len > 16 ||
1482 comp_len + comp_offset + 1 > msg_len )
1483 {
1484 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1485 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1486 }
1487
1488 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1489 buf + comp_offset + 1, comp_len );
1490
1491 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1492 #if defined(MBEDTLS_ZLIB_SUPPORT)
1493 for( i = 0; i < comp_len; ++i )
1494 {
1495 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
1496 {
1497 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
1498 break;
1499 }
1500 }
1501 #endif
1502
1503 /* See comments in ssl_write_client_hello() */
1504 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1505 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1506 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1507 #endif
1508
1509 /* Do not parse the extensions if the protocol is SSLv3 */
1510 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1511 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
1512 {
1513 #endif
1514 /*
1515 * Check the extension length
1516 */
1517 ext_offset = comp_offset + 1 + comp_len;
1518 if( msg_len > ext_offset )
1519 {
1520 if( msg_len < ext_offset + 2 )
1521 {
1522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1523 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1524 }
1525
1526 ext_len = ( buf[ext_offset + 0] << 8 )
1527 | ( buf[ext_offset + 1] );
1528
1529 if( ( ext_len > 0 && ext_len < 4 ) ||
1530 msg_len != ext_offset + 2 + ext_len )
1531 {
1532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1533 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1534 }
1535 }
1536 else
1537 ext_len = 0;
1538
1539 ext = buf + ext_offset + 2;
1540 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
1541
1542 while( ext_len != 0 )
1543 {
1544 unsigned int ext_id = ( ( ext[0] << 8 )
1545 | ( ext[1] ) );
1546 unsigned int ext_size = ( ( ext[2] << 8 )
1547 | ( ext[3] ) );
1548
1549 if( ext_size + 4 > ext_len )
1550 {
1551 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1552 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1553 }
1554 switch( ext_id )
1555 {
1556 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1557 case MBEDTLS_TLS_EXT_SERVERNAME:
1558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1559 if( ssl->conf->f_sni == NULL )
1560 break;
1561
1562 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1563 if( ret != 0 )
1564 return( ret );
1565 break;
1566 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1567
1568 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1569 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1570 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1571 renegotiation_info_seen = 1;
1572 #endif
1573
1574 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1575 if( ret != 0 )
1576 return( ret );
1577 break;
1578
1579 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1580 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1581 case MBEDTLS_TLS_EXT_SIG_ALG:
1582 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1583 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1584 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1585 break;
1586 #endif
1587
1588 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1589 if( ret != 0 )
1590 return( ret );
1591 break;
1592 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1593 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1594
1595 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1596 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1597 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1598 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1599
1600 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1601 if( ret != 0 )
1602 return( ret );
1603 break;
1604
1605 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1606 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1607 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1608
1609 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1610 if( ret != 0 )
1611 return( ret );
1612 break;
1613 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1614 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1615
1616 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1617 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1618 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1619
1620 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
1621 if( ret != 0 )
1622 return( ret );
1623 break;
1624 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1625
1626 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1627 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1628 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1629
1630 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1631 if( ret != 0 )
1632 return( ret );
1633 break;
1634 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1635
1636 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1637 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1639
1640 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1641 if( ret != 0 )
1642 return( ret );
1643 break;
1644 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1645
1646 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1647 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1649
1650 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
1651 if( ret != 0 )
1652 return( ret );
1653 break;
1654 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1655
1656 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1657 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1658 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1659
1660 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
1661 if( ret != 0 )
1662 return( ret );
1663 break;
1664 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1665
1666 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1667 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1669
1670 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1671 if( ret != 0 )
1672 return( ret );
1673 break;
1674 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1675
1676 #if defined(MBEDTLS_SSL_ALPN)
1677 case MBEDTLS_TLS_EXT_ALPN:
1678 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1679
1680 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1681 if( ret != 0 )
1682 return( ret );
1683 break;
1684 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1685
1686 default:
1687 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1688 ext_id ) );
1689 }
1690
1691 ext_len -= 4 + ext_size;
1692 ext += 4 + ext_size;
1693
1694 if( ext_len > 0 && ext_len < 4 )
1695 {
1696 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1697 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1698 }
1699 }
1700 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1701 }
1702 #endif
1703
1704 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1705 for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
1706 {
1707 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
1708 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
1709 {
1710 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
1711
1712 if( ssl->minor_ver < ssl->conf->max_minor_ver )
1713 {
1714 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1715
1716 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1717 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1718
1719 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1720 }
1721
1722 break;
1723 }
1724 }
1725 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1726
1727 /*
1728 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1729 */
1730 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
1731 {
1732 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
1733 {
1734 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1735 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1736 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1737 {
1738 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1739
1740 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1741 return( ret );
1742
1743 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1744 }
1745 #endif
1746 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1747 break;
1748 }
1749 }
1750
1751 /*
1752 * Renegotiation security checks
1753 */
1754 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1755 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1756 {
1757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1758 handshake_failure = 1;
1759 }
1760 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1761 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1762 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1763 renegotiation_info_seen == 0 )
1764 {
1765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1766 handshake_failure = 1;
1767 }
1768 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1769 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1770 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
1771 {
1772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1773 handshake_failure = 1;
1774 }
1775 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1776 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1777 renegotiation_info_seen == 1 )
1778 {
1779 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1780 handshake_failure = 1;
1781 }
1782 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1783
1784 if( handshake_failure == 1 )
1785 {
1786 if( ( ret = mbedtls_ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
1787 return( ret );
1788
1789 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1790 }
1791
1792 /*
1793 * Search for a matching ciphersuite
1794 * (At the end because we need information from the EC-based extensions
1795 * and certificate from the SNI callback triggered by the SNI extension.)
1796 */
1797 got_common_suite = 0;
1798 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1799 ciphersuite_info = NULL;
1800 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1801 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
1802 {
1803 for( i = 0; ciphersuites[i] != 0; i++ )
1804 #else
1805 for( i = 0; ciphersuites[i] != 0; i++ )
1806 {
1807 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
1808 #endif
1809 {
1810 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1811 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1812 continue;
1813
1814 got_common_suite = 1;
1815
1816 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1817 &ciphersuite_info ) ) != 0 )
1818 return( ret );
1819
1820 if( ciphersuite_info != NULL )
1821 goto have_ciphersuite;
1822 }
1823 }
1824
1825 if( got_common_suite )
1826 {
1827 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1828 "but none of them usable" ) );
1829 mbedtls_ssl_send_fatal_handshake_failure( ssl );
1830 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
1831 }
1832 else
1833 {
1834 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1835 mbedtls_ssl_send_fatal_handshake_failure( ssl );
1836 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
1837 }
1838
1839 have_ciphersuite:
1840 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1841
1842 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1843 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1844
1845 ssl->state++;
1846
1847 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1848 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1849 mbedtls_ssl_recv_flight_completed( ssl );
1850 #endif
1851
1852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1853
1854 return( 0 );
1855 }
1856
1857 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1858 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1859 unsigned char *buf,
1860 size_t *olen )
1861 {
1862 unsigned char *p = buf;
1863
1864 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
1865 {
1866 *olen = 0;
1867 return;
1868 }
1869
1870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1871
1872 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
1873 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
1874
1875 *p++ = 0x00;
1876 *p++ = 0x00;
1877
1878 *olen = 4;
1879 }
1880 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1881
1882 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1883 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1884 unsigned char *buf,
1885 size_t *olen )
1886 {
1887 unsigned char *p = buf;
1888 const mbedtls_ssl_ciphersuite_t *suite = NULL;
1889 const mbedtls_cipher_info_t *cipher = NULL;
1890
1891 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1892 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1893 {
1894 *olen = 0;
1895 return;
1896 }
1897
1898 /*
1899 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1900 * from a client and then selects a stream or Authenticated Encryption
1901 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1902 * encrypt-then-MAC response extension back to the client."
1903 */
1904 if( ( suite = mbedtls_ssl_ciphersuite_from_id(
1905 ssl->session_negotiate->ciphersuite ) ) == NULL ||
1906 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
1907 cipher->mode != MBEDTLS_MODE_CBC )
1908 {
1909 *olen = 0;
1910 return;
1911 }
1912
1913 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
1914
1915 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
1916 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
1917
1918 *p++ = 0x00;
1919 *p++ = 0x00;
1920
1921 *olen = 4;
1922 }
1923 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1924
1925 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1926 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
1927 unsigned char *buf,
1928 size_t *olen )
1929 {
1930 unsigned char *p = buf;
1931
1932 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1933 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1934 {
1935 *olen = 0;
1936 return;
1937 }
1938
1939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
1940 "extension" ) );
1941
1942 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
1943 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
1944
1945 *p++ = 0x00;
1946 *p++ = 0x00;
1947
1948 *olen = 4;
1949 }
1950 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1951
1952 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1953 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
1954 unsigned char *buf,
1955 size_t *olen )
1956 {
1957 unsigned char *p = buf;
1958
1959 if( ssl->handshake->new_session_ticket == 0 )
1960 {
1961 *olen = 0;
1962 return;
1963 }
1964
1965 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1966
1967 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
1968 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
1969
1970 *p++ = 0x00;
1971 *p++ = 0x00;
1972
1973 *olen = 4;
1974 }
1975 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1976
1977 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
1978 unsigned char *buf,
1979 size_t *olen )
1980 {
1981 unsigned char *p = buf;
1982
1983 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
1984 {
1985 *olen = 0;
1986 return;
1987 }
1988
1989 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1990
1991 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
1992 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
1993
1994 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1995 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1996 {
1997 *p++ = 0x00;
1998 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
1999 *p++ = ssl->verify_data_len * 2 & 0xFF;
2000
2001 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
2002 p += ssl->verify_data_len;
2003 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
2004 p += ssl->verify_data_len;
2005 }
2006 else
2007 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2008 {
2009 *p++ = 0x00;
2010 *p++ = 0x01;
2011 *p++ = 0x00;
2012 }
2013
2014 *olen = p - buf;
2015 }
2016
2017 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2018 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
2019 unsigned char *buf,
2020 size_t *olen )
2021 {
2022 unsigned char *p = buf;
2023
2024 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
2025 {
2026 *olen = 0;
2027 return;
2028 }
2029
2030 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2031
2032 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
2033 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
2034
2035 *p++ = 0x00;
2036 *p++ = 1;
2037
2038 *p++ = ssl->session_negotiate->mfl_code;
2039
2040 *olen = 5;
2041 }
2042 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2043
2044 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2045 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2046 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
2047 unsigned char *buf,
2048 size_t *olen )
2049 {
2050 unsigned char *p = buf;
2051 ((void) ssl);
2052
2053 if( ( ssl->handshake->cli_exts &
2054 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
2055 {
2056 *olen = 0;
2057 return;
2058 }
2059
2060 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2061
2062 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
2063 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
2064
2065 *p++ = 0x00;
2066 *p++ = 2;
2067
2068 *p++ = 1;
2069 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
2070
2071 *olen = 6;
2072 }
2073 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2074
2075 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2076 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
2077 unsigned char *buf,
2078 size_t *olen )
2079 {
2080 int ret;
2081 unsigned char *p = buf;
2082 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
2083 size_t kkpp_len;
2084
2085 *olen = 0;
2086
2087 /* Skip costly computation if not needed */
2088 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
2089 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2090 return;
2091
2092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2093
2094 if( end - p < 4 )
2095 {
2096 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2097 return;
2098 }
2099
2100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
2101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
2102
2103 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
2104 p + 2, end - p - 2, &kkpp_len,
2105 ssl->conf->f_rng, ssl->conf->p_rng );
2106 if( ret != 0 )
2107 {
2108 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
2109 return;
2110 }
2111
2112 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
2113 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
2114
2115 *olen = kkpp_len + 4;
2116 }
2117 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2118
2119 #if defined(MBEDTLS_SSL_ALPN )
2120 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2121 unsigned char *buf, size_t *olen )
2122 {
2123 if( ssl->alpn_chosen == NULL )
2124 {
2125 *olen = 0;
2126 return;
2127 }
2128
2129 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2130
2131 /*
2132 * 0 . 1 ext identifier
2133 * 2 . 3 ext length
2134 * 4 . 5 protocol list length
2135 * 6 . 6 protocol name length
2136 * 7 . 7+n protocol name
2137 */
2138 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
2139 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
2140
2141 *olen = 7 + strlen( ssl->alpn_chosen );
2142
2143 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
2144 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
2145
2146 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
2147 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
2148
2149 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
2150
2151 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
2152 }
2153 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2154
2155 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2156 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
2157 {
2158 int ret;
2159 unsigned char *p = ssl->out_msg + 4;
2160 unsigned char *cookie_len_byte;
2161
2162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2163
2164 /*
2165 * struct {
2166 * ProtocolVersion server_version;
2167 * opaque cookie<0..2^8-1>;
2168 * } HelloVerifyRequest;
2169 */
2170
2171 /* The RFC is not clear on this point, but sending the actual negotiated
2172 * version looks like the most interoperable thing to do. */
2173 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2174 ssl->conf->transport, p );
2175 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
2176 p += 2;
2177
2178 /* If we get here, f_cookie_check is not null */
2179 if( ssl->conf->f_cookie_write == NULL )
2180 {
2181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2182 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2183 }
2184
2185 /* Skip length byte until we know the length */
2186 cookie_len_byte = p++;
2187
2188 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
2189 &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN,
2190 ssl->cli_id, ssl->cli_id_len ) ) != 0 )
2191 {
2192 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
2193 return( ret );
2194 }
2195
2196 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
2197
2198 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
2199
2200 ssl->out_msglen = p - ssl->out_msg;
2201 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2202 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2203
2204 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2205
2206 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
2207 {
2208 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2209 return( ret );
2210 }
2211
2212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2213
2214 return( 0 );
2215 }
2216 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2217
2218 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
2219 {
2220 #if defined(MBEDTLS_HAVE_TIME)
2221 mbedtls_time_t t;
2222 #endif
2223 int ret;
2224 size_t olen, ext_len = 0, n;
2225 unsigned char *buf, *p;
2226
2227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2228
2229 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2230 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2231 ssl->handshake->verify_cookie_len != 0 )
2232 {
2233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2234 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2235
2236 return( ssl_write_hello_verify_request( ssl ) );
2237 }
2238 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2239
2240 if( ssl->conf->f_rng == NULL )
2241 {
2242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2243 return( MBEDTLS_ERR_SSL_NO_RNG );
2244 }
2245
2246 /*
2247 * 0 . 0 handshake type
2248 * 1 . 3 handshake length
2249 * 4 . 5 protocol version
2250 * 6 . 9 UNIX time()
2251 * 10 . 37 random bytes
2252 */
2253 buf = ssl->out_msg;
2254 p = buf + 4;
2255
2256 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2257 ssl->conf->transport, p );
2258 p += 2;
2259
2260 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2261 buf[4], buf[5] ) );
2262
2263 #if defined(MBEDTLS_HAVE_TIME)
2264 t = mbedtls_time( NULL );
2265 *p++ = (unsigned char)( t >> 24 );
2266 *p++ = (unsigned char)( t >> 16 );
2267 *p++ = (unsigned char)( t >> 8 );
2268 *p++ = (unsigned char)( t );
2269
2270 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
2271 #else
2272 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
2273 return( ret );
2274
2275 p += 4;
2276 #endif /* MBEDTLS_HAVE_TIME */
2277
2278 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
2279 return( ret );
2280
2281 p += 28;
2282
2283 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
2284
2285 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
2286
2287 /*
2288 * Resume is 0 by default, see ssl_handshake_init().
2289 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2290 * If not, try looking up session ID in our cache.
2291 */
2292 if( ssl->handshake->resume == 0 &&
2293 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2294 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
2295 #endif
2296 ssl->session_negotiate->id_len != 0 &&
2297 ssl->conf->f_get_cache != NULL &&
2298 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
2299 {
2300 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2301 ssl->handshake->resume = 1;
2302 }
2303
2304 if( ssl->handshake->resume == 0 )
2305 {
2306 /*
2307 * New session, create a new session id,
2308 * unless we're about to issue a session ticket
2309 */
2310 ssl->state++;
2311
2312 #if defined(MBEDTLS_HAVE_TIME)
2313 ssl->session_negotiate->start = mbedtls_time( NULL );
2314 #endif
2315
2316 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2317 if( ssl->handshake->new_session_ticket != 0 )
2318 {
2319 ssl->session_negotiate->id_len = n = 0;
2320 memset( ssl->session_negotiate->id, 0, 32 );
2321 }
2322 else
2323 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2324 {
2325 ssl->session_negotiate->id_len = n = 32;
2326 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
2327 n ) ) != 0 )
2328 return( ret );
2329 }
2330 }
2331 else
2332 {
2333 /*
2334 * Resuming a session
2335 */
2336 n = ssl->session_negotiate->id_len;
2337 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2338
2339 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2340 {
2341 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2342 return( ret );
2343 }
2344 }
2345
2346 /*
2347 * 38 . 38 session id length
2348 * 39 . 38+n session id
2349 * 39+n . 40+n chosen ciphersuite
2350 * 41+n . 41+n chosen compression alg.
2351 * 42+n . 43+n extensions length
2352 * 44+n . 43+n+m extensions
2353 */
2354 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2355 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
2356 p += ssl->session_negotiate->id_len;
2357
2358 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
2359 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
2360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2361 ssl->handshake->resume ? "a" : "no" ) );
2362
2363 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
2364 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
2365 *p++ = (unsigned char)( ssl->session_negotiate->compression );
2366
2367 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2368 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
2369 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2370 ssl->session_negotiate->compression ) );
2371
2372 /* Do not write the extensions if the protocol is SSLv3 */
2373 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2374 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
2375 {
2376 #endif
2377
2378 /*
2379 * First write extensions, then the total length
2380 */
2381 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
2382 ext_len += olen;
2383
2384 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2385 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
2386 ext_len += olen;
2387 #endif
2388
2389 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2390 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
2391 ext_len += olen;
2392 #endif
2393
2394 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2395 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
2396 ext_len += olen;
2397 #endif
2398
2399 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2400 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
2401 ext_len += olen;
2402 #endif
2403
2404 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2405 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
2406 ext_len += olen;
2407 #endif
2408
2409 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2410 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2411 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
2412 ext_len += olen;
2413 #endif
2414
2415 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2416 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
2417 ext_len += olen;
2418 #endif
2419
2420 #if defined(MBEDTLS_SSL_ALPN)
2421 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
2422 ext_len += olen;
2423 #endif
2424
2425 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
2426
2427 if( ext_len > 0 )
2428 {
2429 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
2430 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
2431 p += ext_len;
2432 }
2433
2434 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2435 }
2436 #endif
2437
2438 ssl->out_msglen = p - buf;
2439 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2440 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2441
2442 ret = mbedtls_ssl_write_record( ssl );
2443
2444 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2445
2446 return( ret );
2447 }
2448
2449 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2450 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2451 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2452 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2453 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
2454 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2455 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2456 {
2457 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2458
2459 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2460
2461 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2462 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2463 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2464 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2465 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2466 {
2467 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2468 ssl->state++;
2469 return( 0 );
2470 }
2471
2472 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2473 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2474 }
2475 #else
2476 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2477 {
2478 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2479 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
2480 size_t dn_size, total_dn_size; /* excluding length bytes */
2481 size_t ct_len, sa_len; /* including length bytes */
2482 unsigned char *buf, *p;
2483 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
2484 const mbedtls_x509_crt *crt;
2485 int authmode;
2486
2487 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2488
2489 ssl->state++;
2490
2491 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2492 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2493 authmode = ssl->handshake->sni_authmode;
2494 else
2495 #endif
2496 authmode = ssl->conf->authmode;
2497
2498 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2499 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2500 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2501 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2502 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
2503 authmode == MBEDTLS_SSL_VERIFY_NONE )
2504 {
2505 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2506 return( 0 );
2507 }
2508
2509 /*
2510 * 0 . 0 handshake type
2511 * 1 . 3 handshake length
2512 * 4 . 4 cert type count
2513 * 5 .. m-1 cert types
2514 * m .. m+1 sig alg length (TLS 1.2 only)
2515 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2516 * n .. n+1 length of all DNs
2517 * n+2 .. n+3 length of DN 1
2518 * n+4 .. ... Distinguished Name #1
2519 * ... .. ... length of DN 2, etc.
2520 */
2521 buf = ssl->out_msg;
2522 p = buf + 4;
2523
2524 /*
2525 * Supported certificate types
2526 *
2527 * ClientCertificateType certificate_types<1..2^8-1>;
2528 * enum { (255) } ClientCertificateType;
2529 */
2530 ct_len = 0;
2531
2532 #if defined(MBEDTLS_RSA_C)
2533 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2534 #endif
2535 #if defined(MBEDTLS_ECDSA_C)
2536 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2537 #endif
2538
2539 p[0] = (unsigned char) ct_len++;
2540 p += ct_len;
2541
2542 sa_len = 0;
2543 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2544 /*
2545 * Add signature_algorithms for verify (TLS 1.2)
2546 *
2547 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2548 *
2549 * struct {
2550 * HashAlgorithm hash;
2551 * SignatureAlgorithm signature;
2552 * } SignatureAndHashAlgorithm;
2553 *
2554 * enum { (255) } HashAlgorithm;
2555 * enum { (255) } SignatureAlgorithm;
2556 */
2557 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2558 {
2559 const int *cur;
2560
2561 /*
2562 * Supported signature algorithms
2563 */
2564 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
2565 {
2566 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
2567
2568 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
2569 continue;
2570
2571 #if defined(MBEDTLS_RSA_C)
2572 p[2 + sa_len++] = hash;
2573 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
2574 #endif
2575 #if defined(MBEDTLS_ECDSA_C)
2576 p[2 + sa_len++] = hash;
2577 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
2578 #endif
2579 }
2580
2581 p[0] = (unsigned char)( sa_len >> 8 );
2582 p[1] = (unsigned char)( sa_len );
2583 sa_len += 2;
2584 p += sa_len;
2585 }
2586 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2587
2588 /*
2589 * DistinguishedName certificate_authorities<0..2^16-1>;
2590 * opaque DistinguishedName<1..2^16-1>;
2591 */
2592 p += 2;
2593 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2594 if( ssl->handshake->sni_ca_chain != NULL )
2595 crt = ssl->handshake->sni_ca_chain;
2596 else
2597 #endif
2598 crt = ssl->conf->ca_chain;
2599
2600 total_dn_size = 0;
2601 while( crt != NULL && crt->version != 0 )
2602 {
2603 dn_size = crt->subject_raw.len;
2604
2605 if( end < p ||
2606 (size_t)( end - p ) < dn_size ||
2607 (size_t)( end - p ) < 2 + dn_size )
2608 {
2609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2610 break;
2611 }
2612
2613 *p++ = (unsigned char)( dn_size >> 8 );
2614 *p++ = (unsigned char)( dn_size );
2615 memcpy( p, crt->subject_raw.p, dn_size );
2616 p += dn_size;
2617
2618 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
2619
2620 total_dn_size += 2 + dn_size;
2621 crt = crt->next;
2622 }
2623
2624 ssl->out_msglen = p - buf;
2625 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2626 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2627 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2628 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2629
2630 ret = mbedtls_ssl_write_record( ssl );
2631
2632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2633
2634 return( ret );
2635 }
2636 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2637 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2638 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
2639 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2640 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
2641 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2642
2643 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2644 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2645 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2646 {
2647 int ret;
2648
2649 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
2650 {
2651 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2652 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2653 }
2654
2655 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
2656 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
2657 MBEDTLS_ECDH_OURS ) ) != 0 )
2658 {
2659 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2660 return( ret );
2661 }
2662
2663 return( 0 );
2664 }
2665 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2666 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2667
2668 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
2669 {
2670 int ret;
2671 size_t n = 0;
2672 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2673 ssl->transform_negotiate->ciphersuite_info;
2674
2675 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2676 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2677 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2678 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2679 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2680 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2681 unsigned char *p = ssl->out_msg + 4;
2682 unsigned char *dig_signed = p;
2683 size_t dig_signed_len = 0, len;
2684 ((void) dig_signed);
2685 ((void) dig_signed_len);
2686 ((void) len);
2687 #endif
2688
2689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2690
2691 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2692 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2693 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2694 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ||
2695 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2696 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2697 {
2698 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2699 ssl->state++;
2700 return( 0 );
2701 }
2702 #endif
2703
2704 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2705 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2706 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2707 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2708 {
2709 ssl_get_ecdh_params_from_cert( ssl );
2710
2711 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2712 ssl->state++;
2713 return( 0 );
2714 }
2715 #endif
2716
2717 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2718 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2719 {
2720 size_t jlen;
2721 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN;
2722
2723 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
2724 p, end - p, &jlen, ssl->conf->f_rng, ssl->conf->p_rng );
2725 if( ret != 0 )
2726 {
2727 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
2728 return( ret );
2729 }
2730
2731 p += jlen;
2732 n += jlen;
2733 }
2734 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2735
2736 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2737 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2738 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2739 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2740 {
2741 /* Note: we don't support identity hints, until someone asks
2742 * for them. */
2743 *(p++) = 0x00;
2744 *(p++) = 0x00;
2745
2746 n += 2;
2747 }
2748 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2749 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2750
2751 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2752 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2753 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2754 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2755 {
2756 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
2757 {
2758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
2759 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2760 }
2761
2762 /*
2763 * Ephemeral DH parameters:
2764 *
2765 * struct {
2766 * opaque dh_p<1..2^16-1>;
2767 * opaque dh_g<1..2^16-1>;
2768 * opaque dh_Ys<1..2^16-1>;
2769 * } ServerDHParams;
2770 */
2771 if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 ||
2772 ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 )
2773 {
2774 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret );
2775 return( ret );
2776 }
2777
2778 if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx,
2779 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
2780 p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2781 {
2782 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
2783 return( ret );
2784 }
2785
2786 dig_signed = p;
2787 dig_signed_len = len;
2788
2789 p += len;
2790 n += len;
2791
2792 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2793 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2794 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2795 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2796 }
2797 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2798 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2799
2800 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
2801 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2802 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2803 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2804 {
2805 /*
2806 * Ephemeral ECDH parameters:
2807 *
2808 * struct {
2809 * ECParameters curve_params;
2810 * ECPoint public;
2811 * } ServerECDHParams;
2812 */
2813 const mbedtls_ecp_curve_info **curve = NULL;
2814 const mbedtls_ecp_group_id *gid;
2815
2816 /* Match our preference list against the offered curves */
2817 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
2818 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
2819 if( (*curve)->grp_id == *gid )
2820 goto curve_matching_done;
2821
2822 curve_matching_done:
2823 if( curve == NULL || *curve == NULL )
2824 {
2825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2826 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
2827 }
2828
2829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
2830
2831 if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
2832 (*curve)->grp_id ) ) != 0 )
2833 {
2834 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
2835 return( ret );
2836 }
2837
2838 if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len,
2839 p, MBEDTLS_SSL_MAX_CONTENT_LEN - n,
2840 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2841 {
2842 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
2843 return( ret );
2844 }
2845
2846 dig_signed = p;
2847 dig_signed_len = len;
2848
2849 p += len;
2850 n += len;
2851
2852 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
2853 }
2854 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
2855
2856 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2857 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2858 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2859 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2860 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2861 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2862 {
2863 size_t signature_len = 0;
2864 unsigned int hashlen = 0;
2865 unsigned char hash[64];
2866 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2867
2868 /*
2869 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2870 */
2871 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2872 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2873 {
2874 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->handshake->sig_alg );
2875
2876 if( md_alg == MBEDTLS_MD_NONE )
2877 {
2878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2879 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2880 }
2881 }
2882 else
2883 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2884 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2885 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2886 if( ciphersuite_info->key_exchange ==
2887 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2888 {
2889 md_alg = MBEDTLS_MD_SHA1;
2890 }
2891 else
2892 #endif
2893 {
2894 md_alg = MBEDTLS_MD_NONE;
2895 }
2896
2897 /*
2898 * Compute the hash to be signed
2899 */
2900 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2901 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2902 if( md_alg == MBEDTLS_MD_NONE )
2903 {
2904 mbedtls_md5_context mbedtls_md5;
2905 mbedtls_sha1_context mbedtls_sha1;
2906
2907 mbedtls_md5_init( &mbedtls_md5 );
2908 mbedtls_sha1_init( &mbedtls_sha1 );
2909
2910 /*
2911 * digitally-signed struct {
2912 * opaque md5_hash[16];
2913 * opaque sha_hash[20];
2914 * };
2915 *
2916 * md5_hash
2917 * MD5(ClientHello.random + ServerHello.random
2918 * + ServerParams);
2919 * sha_hash
2920 * SHA(ClientHello.random + ServerHello.random
2921 * + ServerParams);
2922 */
2923 mbedtls_md5_starts( &mbedtls_md5 );
2924 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
2925 mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
2926 mbedtls_md5_finish( &mbedtls_md5, hash );
2927
2928 mbedtls_sha1_starts( &mbedtls_sha1 );
2929 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 );
2930 mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len );
2931 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 );
2932
2933 hashlen = 36;
2934
2935 mbedtls_md5_free( &mbedtls_md5 );
2936 mbedtls_sha1_free( &mbedtls_sha1 );
2937 }
2938 else
2939 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2940 MBEDTLS_SSL_PROTO_TLS1_1 */
2941 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2942 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2943 if( md_alg != MBEDTLS_MD_NONE )
2944 {
2945 mbedtls_md_context_t ctx;
2946 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
2947
2948 mbedtls_md_init( &ctx );
2949
2950 /* Info from md_alg will be used instead */
2951 hashlen = 0;
2952
2953 /*
2954 * digitally-signed struct {
2955 * opaque client_random[32];
2956 * opaque server_random[32];
2957 * ServerDHParams params;
2958 * };
2959 */
2960 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
2961 {
2962 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
2963 return( ret );
2964 }
2965
2966 mbedtls_md_starts( &ctx );
2967 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 );
2968 mbedtls_md_update( &ctx, dig_signed, dig_signed_len );
2969 mbedtls_md_finish( &ctx, hash );
2970 mbedtls_md_free( &ctx );
2971 }
2972 else
2973 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2974 MBEDTLS_SSL_PROTO_TLS1_2 */
2975 {
2976 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2977 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2978 }
2979
2980 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen :
2981 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
2982
2983 /*
2984 * Make the signature
2985 */
2986 if( mbedtls_ssl_own_key( ssl ) == NULL )
2987 {
2988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2989 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
2990 }
2991
2992 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2993 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2994 {
2995 *(p++) = ssl->handshake->sig_alg;
2996 *(p++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
2997
2998 n += 2;
2999 }
3000 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3001
3002 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen,
3003 p + 2 , &signature_len,
3004 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3005 {
3006 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3007 return( ret );
3008 }
3009
3010 *(p++) = (unsigned char)( signature_len >> 8 );
3011 *(p++) = (unsigned char)( signature_len );
3012 n += 2;
3013
3014 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len );
3015
3016 n += signature_len;
3017 }
3018 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
3019 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3020 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3021
3022 ssl->out_msglen = 4 + n;
3023 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3024 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3025
3026 ssl->state++;
3027
3028 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
3029 {
3030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
3031 return( ret );
3032 }
3033
3034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3035
3036 return( 0 );
3037 }
3038
3039 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
3040 {
3041 int ret;
3042
3043 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3044
3045 ssl->out_msglen = 4;
3046 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3047 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3048
3049 ssl->state++;
3050
3051 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3052 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3053 mbedtls_ssl_send_flight_completed( ssl );
3054 #endif
3055
3056 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
3057 {
3058 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
3059 return( ret );
3060 }
3061
3062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3063
3064 return( 0 );
3065 }
3066
3067 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3068 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3069 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
3070 const unsigned char *end )
3071 {
3072 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3073 size_t n;
3074
3075 /*
3076 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3077 */
3078 if( *p + 2 > end )
3079 {
3080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3081 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3082 }
3083
3084 n = ( (*p)[0] << 8 ) | (*p)[1];
3085 *p += 2;
3086
3087 if( *p + n > end )
3088 {
3089 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3090 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3091 }
3092
3093 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
3094 {
3095 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
3096 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3097 }
3098
3099 *p += n;
3100
3101 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
3102
3103 return( ret );
3104 }
3105 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3106 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3107
3108 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3109 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3110 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
3111 const unsigned char *p,
3112 const unsigned char *end,
3113 size_t pms_offset )
3114 {
3115 int ret;
3116 size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) );
3117 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3118 unsigned char ver[2];
3119 unsigned char fake_pms[48], peer_pms[48];
3120 unsigned char mask;
3121 size_t i, peer_pmslen;
3122 unsigned int diff;
3123
3124 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) )
3125 {
3126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3127 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3128 }
3129
3130 /*
3131 * Decrypt the premaster using own private RSA key
3132 */
3133 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3134 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3135 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
3136 {
3137 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
3138 *p++ != ( ( len ) & 0xFF ) )
3139 {
3140 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3141 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3142 }
3143 }
3144 #endif
3145
3146 if( p + len != end )
3147 {
3148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3149 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3150 }
3151
3152 mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
3153 ssl->handshake->max_minor_ver,
3154 ssl->conf->transport, ver );
3155
3156 /*
3157 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3158 * must not cause the connection to end immediately; instead, send a
3159 * bad_record_mac later in the handshake.
3160 * Also, avoid data-dependant branches here to protect against
3161 * timing-based variants.
3162 */
3163 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
3164 if( ret != 0 )
3165 return( ret );
3166
3167 ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len,
3168 peer_pms, &peer_pmslen,
3169 sizeof( peer_pms ),
3170 ssl->conf->f_rng, ssl->conf->p_rng );
3171
3172 diff = (unsigned int) ret;
3173 diff |= peer_pmslen ^ 48;
3174 diff |= peer_pms[0] ^ ver[0];
3175 diff |= peer_pms[1] ^ ver[1];
3176
3177 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3178 if( diff != 0 )
3179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3180 #endif
3181
3182 if( sizeof( ssl->handshake->premaster ) < pms_offset ||
3183 sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
3184 {
3185 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3186 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3187 }
3188 ssl->handshake->pmslen = 48;
3189
3190 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3191 /* MSVC has a warning about unary minus on unsigned, but this is
3192 * well-defined and precisely what we want to do here */
3193 #if defined(_MSC_VER)
3194 #pragma warning( push )
3195 #pragma warning( disable : 4146 )
3196 #endif
3197 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
3198 #if defined(_MSC_VER)
3199 #pragma warning( pop )
3200 #endif
3201
3202 for( i = 0; i < ssl->handshake->pmslen; i++ )
3203 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
3204
3205 return( 0 );
3206 }
3207 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3208 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3209
3210 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3211 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
3212 const unsigned char *end )
3213 {
3214 int ret = 0;
3215 size_t n;
3216
3217 if( ssl->conf->f_psk == NULL &&
3218 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
3219 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
3220 {
3221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3222 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3223 }
3224
3225 /*
3226 * Receive client pre-shared key identity name
3227 */
3228 if( *p + 2 > end )
3229 {
3230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3231 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3232 }
3233
3234 n = ( (*p)[0] << 8 ) | (*p)[1];
3235 *p += 2;
3236
3237 if( n < 1 || n > 65535 || *p + n > end )
3238 {
3239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3240 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3241 }
3242
3243 if( ssl->conf->f_psk != NULL )
3244 {
3245 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
3246 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3247 }
3248 else
3249 {
3250 /* Identity is not a big secret since clients send it in the clear,
3251 * but treat it carefully anyway, just in case */
3252 if( n != ssl->conf->psk_identity_len ||
3253 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
3254 {
3255 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3256 }
3257 }
3258
3259 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
3260 {
3261 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
3262 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
3263 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3264 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
3265 {
3266 return( ret );
3267 }
3268
3269 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
3270 }
3271
3272 *p += n;
3273
3274 return( 0 );
3275 }
3276 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3277
3278 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
3279 {
3280 int ret;
3281 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3282 unsigned char *p, *end;
3283
3284 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3285
3286 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3287
3288 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
3289 {
3290 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3291 return( ret );
3292 }
3293
3294 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3295 end = ssl->in_msg + ssl->in_hslen;
3296
3297 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3298 {
3299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3300 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3301 }
3302
3303 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
3304 {
3305 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3306 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3307 }
3308
3309 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3310 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3311 {
3312 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3313 {
3314 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3315 return( ret );
3316 }
3317
3318 if( p != end )
3319 {
3320 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3321 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3322 }
3323
3324 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3325 ssl->handshake->premaster,
3326 MBEDTLS_PREMASTER_SIZE,
3327 &ssl->handshake->pmslen,
3328 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3329 {
3330 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3331 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3332 }
3333
3334 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3335 }
3336 else
3337 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3338 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3339 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3340 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3341 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3342 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3343 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3344 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3345 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3346 {
3347 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3348 p, end - p) ) != 0 )
3349 {
3350 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3351 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3352 }
3353
3354 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
3355
3356 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3357 &ssl->handshake->pmslen,
3358 ssl->handshake->premaster,
3359 MBEDTLS_MPI_MAX_SIZE,
3360 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3361 {
3362 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3363 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3364 }
3365
3366 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
3367 }
3368 else
3369 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3370 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3371 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3372 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3373 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3374 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3375 {
3376 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3377 {
3378 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3379 return( ret );
3380 }
3381
3382 if( p != end )
3383 {
3384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3385 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3386 }
3387
3388 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3389 ciphersuite_info->key_exchange ) ) != 0 )
3390 {
3391 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3392 return( ret );
3393 }
3394 }
3395 else
3396 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3397 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3398 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3399 {
3400 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3401 {
3402 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3403 return( ret );
3404 }
3405
3406 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
3407 {
3408 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
3409 return( ret );
3410 }
3411
3412 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3413 ciphersuite_info->key_exchange ) ) != 0 )
3414 {
3415 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3416 return( ret );
3417 }
3418 }
3419 else
3420 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3421 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3422 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3423 {
3424 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3425 {
3426 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3427 return( ret );
3428 }
3429 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3430 {
3431 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3432 return( ret );
3433 }
3434
3435 if( p != end )
3436 {
3437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3438 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3439 }
3440
3441 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3442 ciphersuite_info->key_exchange ) ) != 0 )
3443 {
3444 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3445 return( ret );
3446 }
3447 }
3448 else
3449 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3450 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3451 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3452 {
3453 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3454 {
3455 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3456 return( ret );
3457 }
3458
3459 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3460 p, end - p ) ) != 0 )
3461 {
3462 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3463 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3464 }
3465
3466 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
3467
3468 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3469 ciphersuite_info->key_exchange ) ) != 0 )
3470 {
3471 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3472 return( ret );
3473 }
3474 }
3475 else
3476 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3477 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3478 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3479 {
3480 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
3481 {
3482 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
3483 return( ret );
3484 }
3485 }
3486 else
3487 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3488 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3489 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3490 {
3491 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
3492 p, end - p );
3493 if( ret != 0 )
3494 {
3495 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
3496 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
3497 }
3498
3499 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3500 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3501 ssl->conf->f_rng, ssl->conf->p_rng );
3502 if( ret != 0 )
3503 {
3504 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3505 return( ret );
3506 }
3507 }
3508 else
3509 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3510 {
3511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3512 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3513 }
3514
3515 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3516 {
3517 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3518 return( ret );
3519 }
3520
3521 ssl->state++;
3522
3523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
3524
3525 return( 0 );
3526 }
3527
3528 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3529 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3530 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3531 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3532 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3533 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3534 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
3535 {
3536 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3537
3538 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3539
3540 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3541 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3542 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3543 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3544 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3545 {
3546 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3547 ssl->state++;
3548 return( 0 );
3549 }
3550
3551 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3552 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3553 }
3554 #else
3555 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
3556 {
3557 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3558 size_t i, sig_len;
3559 unsigned char hash[48];
3560 unsigned char *hash_start = hash;
3561 size_t hashlen;
3562 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3563 mbedtls_pk_type_t pk_alg;
3564 #endif
3565 mbedtls_md_type_t md_alg;
3566 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3567
3568 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3569
3570 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3571 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3572 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3573 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3574 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
3575 ssl->session_negotiate->peer_cert == NULL )
3576 {
3577 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3578 ssl->state++;
3579 return( 0 );
3580 }
3581
3582 /* Read the message without adding it to the checksum */
3583 do {
3584
3585 if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 )
3586 {
3587 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret );
3588 return( ret );
3589 }
3590
3591 ret = mbedtls_ssl_handle_message_type( ssl );
3592
3593 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret );
3594
3595 if( 0 != ret )
3596 {
3597 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
3598 return( ret );
3599 }
3600
3601 ssl->state++;
3602
3603 /* Process the message contents */
3604 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
3605 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
3606 {
3607 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3608 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3609 }
3610
3611 i = mbedtls_ssl_hs_hdr_len( ssl );
3612
3613 /*
3614 * struct {
3615 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3616 * opaque signature<0..2^16-1>;
3617 * } DigitallySigned;
3618 */
3619 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3620 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3621 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3622 {
3623 md_alg = MBEDTLS_MD_NONE;
3624 hashlen = 36;
3625
3626 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3627 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
3628 MBEDTLS_PK_ECDSA ) )
3629 {
3630 hash_start += 16;
3631 hashlen -= 16;
3632 md_alg = MBEDTLS_MD_SHA1;
3633 }
3634 }
3635 else
3636 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
3637 MBEDTLS_SSL_PROTO_TLS1_1 */
3638 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3639 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3640 {
3641 if( i + 2 > ssl->in_hslen )
3642 {
3643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3644 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3645 }
3646
3647 /*
3648 * Hash
3649 */
3650 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
3651
3652 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
3653 {
3654 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3655 " for verify message" ) );
3656 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3657 }
3658
3659 #if !defined(MBEDTLS_MD_SHA1)
3660 if( MBEDTLS_MD_SHA1 == md_alg )
3661 hash_start += 16;
3662 #endif
3663
3664 /* Info from md_alg will be used instead */
3665 hashlen = 0;
3666
3667 i++;
3668
3669 /*
3670 * Signature
3671 */
3672 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
3673 == MBEDTLS_PK_NONE )
3674 {
3675 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3676 " for verify message" ) );
3677 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3678 }
3679
3680 /*
3681 * Check the certificate's key type matches the signature alg
3682 */
3683 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
3684 {
3685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3686 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3687 }
3688
3689 i++;
3690 }
3691 else
3692 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3693 {
3694 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3695 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3696 }
3697
3698 if( i + 2 > ssl->in_hslen )
3699 {
3700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3701 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3702 }
3703
3704 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
3705 i += 2;
3706
3707 if( i + sig_len != ssl->in_hslen )
3708 {
3709 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3710 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
3711 }
3712
3713 /* Calculate hash and verify signature */
3714 ssl->handshake->calc_verify( ssl, hash );
3715
3716 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
3717 md_alg, hash_start, hashlen,
3718 ssl->in_msg + i, sig_len ) ) != 0 )
3719 {
3720 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
3721 return( ret );
3722 }
3723
3724 mbedtls_ssl_update_handshake_status( ssl );
3725
3726 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3727
3728 return( ret );
3729 }
3730 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3731 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3732 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3733 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3734 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3735 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3736
3737 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3738 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
3739 {
3740 int ret;
3741 size_t tlen;
3742 uint32_t lifetime;
3743
3744 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3745
3746 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3747 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
3748
3749 /*
3750 * struct {
3751 * uint32 ticket_lifetime_hint;
3752 * opaque ticket<0..2^16-1>;
3753 * } NewSessionTicket;
3754 *
3755 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3756 * 8 . 9 ticket_len (n)
3757 * 10 . 9+n ticket content
3758 */
3759
3760 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
3761 ssl->session_negotiate,
3762 ssl->out_msg + 10,
3763 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN,
3764 &tlen, &lifetime ) ) != 0 )
3765 {
3766 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
3767 tlen = 0;
3768 }
3769
3770 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
3771 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
3772 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
3773 ssl->out_msg[7] = ( lifetime ) & 0xFF;
3774
3775 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
3776 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
3777
3778 ssl->out_msglen = 10 + tlen;
3779
3780 /*
3781 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3782 * ChangeCipherSpec share the same state.
3783 */
3784 ssl->handshake->new_session_ticket = 0;
3785
3786 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 )
3787 {
3788 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
3789 return( ret );
3790 }
3791
3792 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3793
3794 return( 0 );
3795 }
3796 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3797
3798 /*
3799 * SSL handshake -- server side -- single step
3800 */
3801 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
3802 {
3803 int ret = 0;
3804
3805 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3806 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3807
3808 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
3809
3810 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3811 return( ret );
3812
3813 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3814 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3815 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3816 {
3817 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3818 return( ret );
3819 }
3820 #endif
3821
3822 switch( ssl->state )
3823 {
3824 case MBEDTLS_SSL_HELLO_REQUEST:
3825 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3826 break;
3827
3828 /*
3829 * <== ClientHello
3830 */
3831 case MBEDTLS_SSL_CLIENT_HELLO:
3832 ret = ssl_parse_client_hello( ssl );
3833 break;
3834
3835 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3836 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
3837 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3838 #endif
3839
3840 /*
3841 * ==> ServerHello
3842 * Certificate
3843 * ( ServerKeyExchange )
3844 * ( CertificateRequest )
3845 * ServerHelloDone
3846 */
3847 case MBEDTLS_SSL_SERVER_HELLO:
3848 ret = ssl_write_server_hello( ssl );
3849 break;
3850
3851 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3852 ret = mbedtls_ssl_write_certificate( ssl );
3853 break;
3854
3855 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3856 ret = ssl_write_server_key_exchange( ssl );
3857 break;
3858
3859 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3860 ret = ssl_write_certificate_request( ssl );
3861 break;
3862
3863 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3864 ret = ssl_write_server_hello_done( ssl );
3865 break;
3866
3867 /*
3868 * <== ( Certificate/Alert )
3869 * ClientKeyExchange
3870 * ( CertificateVerify )
3871 * ChangeCipherSpec
3872 * Finished
3873 */
3874 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3875 ret = mbedtls_ssl_parse_certificate( ssl );
3876 break;
3877
3878 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3879 ret = ssl_parse_client_key_exchange( ssl );
3880 break;
3881
3882 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3883 ret = ssl_parse_certificate_verify( ssl );
3884 break;
3885
3886 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3887 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
3888 break;
3889
3890 case MBEDTLS_SSL_CLIENT_FINISHED:
3891 ret = mbedtls_ssl_parse_finished( ssl );
3892 break;
3893
3894 /*
3895 * ==> ( NewSessionTicket )
3896 * ChangeCipherSpec
3897 * Finished
3898 */
3899 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3900 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3901 if( ssl->handshake->new_session_ticket != 0 )
3902 ret = ssl_write_new_session_ticket( ssl );
3903 else
3904 #endif
3905 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
3906 break;
3907
3908 case MBEDTLS_SSL_SERVER_FINISHED:
3909 ret = mbedtls_ssl_write_finished( ssl );
3910 break;
3911
3912 case MBEDTLS_SSL_FLUSH_BUFFERS:
3913 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3914 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3915 break;
3916
3917 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3918 mbedtls_ssl_handshake_wrapup( ssl );
3919 break;
3920
3921 default:
3922 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3923 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3924 }
3925
3926 return( ret );
3927 }
3928 #endif /* MBEDTLS_SSL_SRV_C */
A free Windows-compatible Operating System