2 * SSLv3/TLSv1 server-side functions
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
25 #include MBEDTLS_CONFIG_FILE
28 #if defined(MBEDTLS_SSL_SRV_C)
30 #include "mbedtls/debug.h"
31 #include "mbedtls/ssl.h"
32 #include "mbedtls/ssl_internal.h"
36 #if defined(MBEDTLS_ECP_C)
37 #include "mbedtls/ecp.h"
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
44 #define mbedtls_calloc calloc
45 #define mbedtls_free free
48 #if defined(MBEDTLS_HAVE_TIME)
52 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
53 /* Implementation that should never be optimized out by the compiler */
54 static void mbedtls_zeroize( void *v
, size_t n
) {
55 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
59 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
60 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context
*ssl
,
61 const unsigned char *info
,
64 if( ssl
->conf
->endpoint
!= MBEDTLS_SSL_IS_SERVER
)
65 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
67 mbedtls_free( ssl
->cli_id
);
69 if( ( ssl
->cli_id
= mbedtls_calloc( 1, ilen
) ) == NULL
)
70 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
72 memcpy( ssl
->cli_id
, info
, ilen
);
73 ssl
->cli_id_len
= ilen
;
78 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config
*conf
,
79 mbedtls_ssl_cookie_write_t
*f_cookie_write
,
80 mbedtls_ssl_cookie_check_t
*f_cookie_check
,
83 conf
->f_cookie_write
= f_cookie_write
;
84 conf
->f_cookie_check
= f_cookie_check
;
85 conf
->p_cookie
= p_cookie
;
87 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
89 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
90 static int ssl_parse_servername_ext( mbedtls_ssl_context
*ssl
,
91 const unsigned char *buf
,
95 size_t servername_list_size
, hostname_len
;
96 const unsigned char *p
;
98 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
100 servername_list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
101 if( servername_list_size
+ 2 != len
)
103 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
104 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
108 while( servername_list_size
> 0 )
110 hostname_len
= ( ( p
[1] << 8 ) | p
[2] );
111 if( hostname_len
+ 3 > servername_list_size
)
113 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
114 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
117 if( p
[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
)
119 ret
= ssl
->conf
->f_sni( ssl
->conf
->p_sni
,
120 ssl
, p
+ 3, hostname_len
);
123 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret
);
124 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
125 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
);
126 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
131 servername_list_size
-= hostname_len
+ 3;
132 p
+= hostname_len
+ 3;
135 if( servername_list_size
!= 0 )
137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
138 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
143 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
145 static int ssl_parse_renegotiation_info( mbedtls_ssl_context
*ssl
,
146 const unsigned char *buf
,
151 #if defined(MBEDTLS_SSL_RENEGOTIATION)
152 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
154 /* Check verify-data in constant-time. The length OTOH is no secret */
155 if( len
!= 1 + ssl
->verify_data_len
||
156 buf
[0] != ssl
->verify_data_len
||
157 mbedtls_ssl_safer_memcmp( buf
+ 1, ssl
->peer_verify_data
,
158 ssl
->verify_data_len
) != 0 )
160 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
162 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
165 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
169 #endif /* MBEDTLS_SSL_RENEGOTIATION */
171 if( len
!= 1 || buf
[0] != 0x0 )
173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
175 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
178 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
181 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
187 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
188 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
189 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context
*ssl
,
190 const unsigned char *buf
,
193 size_t sig_alg_list_size
;
194 const unsigned char *p
;
195 const unsigned char *end
= buf
+ len
;
199 sig_alg_list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
200 if( sig_alg_list_size
+ 2 != len
||
201 sig_alg_list_size
% 2 != 0 )
203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
204 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
208 * For now, ignore the SignatureAlgorithm part and rely on offered
209 * ciphersuites only for that part. To be fixed later.
211 * So, just look at the HashAlgorithm part.
213 for( md_cur
= ssl
->conf
->sig_hashes
; *md_cur
!= MBEDTLS_MD_NONE
; md_cur
++ ) {
214 for( p
= buf
+ 2; p
< end
; p
+= 2 ) {
215 if( *md_cur
== (int) mbedtls_ssl_md_alg_from_hash( p
[0] ) ) {
216 ssl
->handshake
->sig_alg
= p
[0];
222 /* Some key echanges do not need signatures at all */
223 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature_algorithm in common" ) );
227 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
228 ssl
->handshake
->sig_alg
) );
232 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
233 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
235 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
236 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
237 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context
*ssl
,
238 const unsigned char *buf
,
241 size_t list_size
, our_size
;
242 const unsigned char *p
;
243 const mbedtls_ecp_curve_info
*curve_info
, **curves
;
245 list_size
= ( ( buf
[0] << 8 ) | ( buf
[1] ) );
246 if( list_size
+ 2 != len
||
249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
250 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
253 /* Should never happen unless client duplicates the extension */
254 if( ssl
->handshake
->curves
!= NULL
)
256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
257 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
260 /* Don't allow our peer to make us allocate too much memory,
261 * and leave room for a final 0 */
262 our_size
= list_size
/ 2 + 1;
263 if( our_size
> MBEDTLS_ECP_DP_MAX
)
264 our_size
= MBEDTLS_ECP_DP_MAX
;
266 if( ( curves
= mbedtls_calloc( our_size
, sizeof( *curves
) ) ) == NULL
)
267 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
269 ssl
->handshake
->curves
= curves
;
272 while( list_size
> 0 && our_size
> 1 )
274 curve_info
= mbedtls_ecp_curve_info_from_tls_id( ( p
[0] << 8 ) | p
[1] );
276 if( curve_info
!= NULL
)
278 *curves
++ = curve_info
;
289 static int ssl_parse_supported_point_formats( mbedtls_ssl_context
*ssl
,
290 const unsigned char *buf
,
294 const unsigned char *p
;
297 if( list_size
+ 1 != len
)
299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
300 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
304 while( list_size
> 0 )
306 if( p
[0] == MBEDTLS_ECP_PF_UNCOMPRESSED
||
307 p
[0] == MBEDTLS_ECP_PF_COMPRESSED
)
309 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
310 ssl
->handshake
->ecdh_ctx
.point_format
= p
[0];
312 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
313 ssl
->handshake
->ecjpake_ctx
.point_format
= p
[0];
315 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p
[0] ) );
325 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
326 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
328 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
329 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context
*ssl
,
330 const unsigned char *buf
,
335 if( mbedtls_ecjpake_check( &ssl
->handshake
->ecjpake_ctx
) != 0 )
337 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
341 if( ( ret
= mbedtls_ecjpake_read_round_one( &ssl
->handshake
->ecjpake_ctx
,
344 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret
);
348 /* Only mark the extension as OK when we're sure it is */
349 ssl
->handshake
->cli_exts
|= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK
;
353 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
355 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
356 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context
*ssl
,
357 const unsigned char *buf
,
360 if( len
!= 1 || buf
[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
)
362 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
363 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
366 ssl
->session_negotiate
->mfl_code
= buf
[0];
370 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
372 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
373 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context
*ssl
,
374 const unsigned char *buf
,
379 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
380 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
385 if( ssl
->conf
->trunc_hmac
== MBEDTLS_SSL_TRUNC_HMAC_ENABLED
)
386 ssl
->session_negotiate
->trunc_hmac
= MBEDTLS_SSL_TRUNC_HMAC_ENABLED
;
390 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
392 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
393 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context
*ssl
,
394 const unsigned char *buf
,
399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
400 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
405 if( ssl
->conf
->encrypt_then_mac
== MBEDTLS_SSL_ETM_ENABLED
&&
406 ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
408 ssl
->session_negotiate
->encrypt_then_mac
= MBEDTLS_SSL_ETM_ENABLED
;
413 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
415 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
416 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context
*ssl
,
417 const unsigned char *buf
,
422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
423 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
428 if( ssl
->conf
->extended_ms
== MBEDTLS_SSL_EXTENDED_MS_ENABLED
&&
429 ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
431 ssl
->handshake
->extended_ms
= MBEDTLS_SSL_EXTENDED_MS_ENABLED
;
436 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
438 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
439 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context
*ssl
,
444 mbedtls_ssl_session session
;
446 mbedtls_ssl_session_init( &session
);
448 if( ssl
->conf
->f_ticket_parse
== NULL
||
449 ssl
->conf
->f_ticket_write
== NULL
)
454 /* Remember the client asked us to send a new ticket */
455 ssl
->handshake
->new_session_ticket
= 1;
457 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len
) );
462 #if defined(MBEDTLS_SSL_RENEGOTIATION)
463 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
465 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
468 #endif /* MBEDTLS_SSL_RENEGOTIATION */
471 * Failures are ok: just ignore the ticket and proceed.
473 if( ( ret
= ssl
->conf
->f_ticket_parse( ssl
->conf
->p_ticket
, &session
,
476 mbedtls_ssl_session_free( &session
);
478 if( ret
== MBEDTLS_ERR_SSL_INVALID_MAC
)
479 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
480 else if( ret
== MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
)
481 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
483 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret
);
489 * Keep the session ID sent by the client, since we MUST send it back to
490 * inform them we're accepting the ticket (RFC 5077 section 3.4)
492 session
.id_len
= ssl
->session_negotiate
->id_len
;
493 memcpy( &session
.id
, ssl
->session_negotiate
->id
, session
.id_len
);
495 mbedtls_ssl_session_free( ssl
->session_negotiate
);
496 memcpy( ssl
->session_negotiate
, &session
, sizeof( mbedtls_ssl_session
) );
498 /* Zeroize instead of free as we copied the content */
499 mbedtls_zeroize( &session
, sizeof( mbedtls_ssl_session
) );
501 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
503 ssl
->handshake
->resume
= 1;
505 /* Don't send a new ticket after all, this one is OK */
506 ssl
->handshake
->new_session_ticket
= 0;
510 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
512 #if defined(MBEDTLS_SSL_ALPN)
513 static int ssl_parse_alpn_ext( mbedtls_ssl_context
*ssl
,
514 const unsigned char *buf
, size_t len
)
516 size_t list_len
, cur_len
, ours_len
;
517 const unsigned char *theirs
, *start
, *end
;
520 /* If ALPN not configured, just ignore the extension */
521 if( ssl
->conf
->alpn_list
== NULL
)
525 * opaque ProtocolName<1..2^8-1>;
528 * ProtocolName protocol_name_list<2..2^16-1>
529 * } ProtocolNameList;
532 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
534 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
536 list_len
= ( buf
[0] << 8 ) | buf
[1];
537 if( list_len
!= len
- 2 )
538 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
541 * Use our order of preference
545 for( ours
= ssl
->conf
->alpn_list
; *ours
!= NULL
; ours
++ )
547 ours_len
= strlen( *ours
);
548 for( theirs
= start
; theirs
!= end
; theirs
+= cur_len
)
550 /* If the list is well formed, we should get equality first */
552 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
556 /* Empty strings MUST NOT be included */
558 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
560 if( cur_len
== ours_len
&&
561 memcmp( theirs
, *ours
, cur_len
) == 0 )
563 ssl
->alpn_chosen
= *ours
;
569 /* If we get there, no match was found */
570 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
571 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
);
572 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
574 #endif /* MBEDTLS_SSL_ALPN */
577 * Auxiliary functions for ServerHello parsing and related actions
580 #if defined(MBEDTLS_X509_CRT_PARSE_C)
582 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
584 #if defined(MBEDTLS_ECDSA_C)
585 static int ssl_check_key_curve( mbedtls_pk_context
*pk
,
586 const mbedtls_ecp_curve_info
**curves
)
588 const mbedtls_ecp_curve_info
**crv
= curves
;
589 mbedtls_ecp_group_id grp_id
= mbedtls_pk_ec( *pk
)->grp
.id
;
591 while( *crv
!= NULL
)
593 if( (*crv
)->grp_id
== grp_id
)
600 #endif /* MBEDTLS_ECDSA_C */
603 * Try picking a certificate for this ciphersuite,
604 * return 0 on success and -1 on failure.
606 static int ssl_pick_cert( mbedtls_ssl_context
*ssl
,
607 const mbedtls_ssl_ciphersuite_t
* ciphersuite_info
)
609 mbedtls_ssl_key_cert
*cur
, *list
, *fallback
= NULL
;
610 mbedtls_pk_type_t pk_alg
= mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info
);
613 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
614 if( ssl
->handshake
->sni_key_cert
!= NULL
)
615 list
= ssl
->handshake
->sni_key_cert
;
618 list
= ssl
->conf
->key_cert
;
620 if( pk_alg
== MBEDTLS_PK_NONE
)
623 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
627 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
631 for( cur
= list
; cur
!= NULL
; cur
= cur
->next
)
633 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
636 if( ! mbedtls_pk_can_do( cur
->key
, pk_alg
) )
638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
643 * This avoids sending the client a cert it'll reject based on
644 * keyUsage or other extensions.
646 * It also allows the user to provision different certificates for
647 * different uses based on keyUsage, eg if they want to avoid signing
648 * and decrypting with the same RSA key.
650 if( mbedtls_ssl_check_cert_usage( cur
->cert
, ciphersuite_info
,
651 MBEDTLS_SSL_IS_SERVER
, &flags
) != 0 )
653 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
654 "(extended) key usage extension" ) );
658 #if defined(MBEDTLS_ECDSA_C)
659 if( pk_alg
== MBEDTLS_PK_ECDSA
&&
660 ssl_check_key_curve( cur
->key
, ssl
->handshake
->curves
) != 0 )
662 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
668 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
669 * present them a SHA-higher cert rather than failing if it's the only
670 * one we got that satisfies the other conditions.
672 if( ssl
->minor_ver
< MBEDTLS_SSL_MINOR_VERSION_3
&&
673 cur
->cert
->sig_md
!= MBEDTLS_MD_SHA1
)
675 if( fallback
== NULL
)
678 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
679 "sha-2 with pre-TLS 1.2 client" ) );
684 /* If we get there, we got a winner */
691 /* Do not update ssl->handshake->key_cert unless there is a match */
694 ssl
->handshake
->key_cert
= cur
;
695 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
696 ssl
->handshake
->key_cert
->cert
);
702 #endif /* MBEDTLS_X509_CRT_PARSE_C */
705 * Check if a given ciphersuite is suitable for use with our config/keys/etc
706 * Sets ciphersuite_info only if the suite matches.
708 static int ssl_ciphersuite_match( mbedtls_ssl_context
*ssl
, int suite_id
,
709 const mbedtls_ssl_ciphersuite_t
**ciphersuite_info
)
711 const mbedtls_ssl_ciphersuite_t
*suite_info
;
713 suite_info
= mbedtls_ssl_ciphersuite_from_id( suite_id
);
714 if( suite_info
== NULL
)
716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
717 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info
->name
) );
722 if( suite_info
->min_minor_ver
> ssl
->minor_ver
||
723 suite_info
->max_minor_ver
< ssl
->minor_ver
)
725 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
729 #if defined(MBEDTLS_SSL_PROTO_DTLS)
730 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
731 ( suite_info
->flags
& MBEDTLS_CIPHERSUITE_NODTLS
) )
735 #if defined(MBEDTLS_ARC4_C)
736 if( ssl
->conf
->arc4_disabled
== MBEDTLS_SSL_ARC4_DISABLED
&&
737 suite_info
->cipher
== MBEDTLS_CIPHER_ARC4_128
)
739 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
744 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
745 if( suite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
&&
746 ( ssl
->handshake
->cli_exts
& MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK
) == 0 )
748 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
749 "not configured or ext missing" ) );
755 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
756 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info
) &&
757 ( ssl
->handshake
->curves
== NULL
||
758 ssl
->handshake
->curves
[0] == NULL
) )
760 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
761 "no common elliptic curve" ) );
766 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
767 /* If the ciphersuite requires a pre-shared key and we don't
768 * have one, skip it now rather than failing later */
769 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info
) &&
770 ssl
->conf
->f_psk
== NULL
&&
771 ( ssl
->conf
->psk
== NULL
|| ssl
->conf
->psk_identity
== NULL
||
772 ssl
->conf
->psk_identity_len
== 0 || ssl
->conf
->psk_len
== 0 ) )
774 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
779 #if defined(MBEDTLS_X509_CRT_PARSE_C)
781 * Final check: if ciphersuite requires us to have a
782 * certificate/key of a particular type:
783 * - select the appropriate certificate if we have one, or
784 * - try the next ciphersuite if we don't
785 * This must be done last since we modify the key_cert list.
787 if( ssl_pick_cert( ssl
, suite_info
) != 0 )
789 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
790 "no suitable certificate" ) );
795 *ciphersuite_info
= suite_info
;
799 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
800 static int ssl_parse_client_hello_v2( mbedtls_ssl_context
*ssl
)
802 int ret
, got_common_suite
;
805 unsigned int ciph_len
, sess_len
, chal_len
;
806 unsigned char *buf
, *p
;
807 const int *ciphersuites
;
808 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
810 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
812 #if defined(MBEDTLS_SSL_RENEGOTIATION)
813 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
817 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
820 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
822 #endif /* MBEDTLS_SSL_RENEGOTIATION */
826 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf
, 5 );
828 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
831 ( ( buf
[0] & 0x7F ) << 8 ) | buf
[1] ) );
832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
839 * 0 . 1 message length
843 * 3 . 4 protocol version
845 if( buf
[2] != MBEDTLS_SSL_HS_CLIENT_HELLO
||
846 buf
[3] != MBEDTLS_SSL_MAJOR_VERSION_3
)
848 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
849 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
852 n
= ( ( buf
[0] << 8 ) | buf
[1] ) & 0x7FFF;
854 if( n
< 17 || n
> 512 )
856 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
857 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
860 ssl
->major_ver
= MBEDTLS_SSL_MAJOR_VERSION_3
;
861 ssl
->minor_ver
= ( buf
[4] <= ssl
->conf
->max_minor_ver
)
862 ? buf
[4] : ssl
->conf
->max_minor_ver
;
864 if( ssl
->minor_ver
< ssl
->conf
->min_minor_ver
)
866 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
867 " [%d:%d] < [%d:%d]",
868 ssl
->major_ver
, ssl
->minor_ver
,
869 ssl
->conf
->min_major_ver
, ssl
->conf
->min_minor_ver
) );
871 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
872 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
);
873 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
);
876 ssl
->handshake
->max_major_ver
= buf
[3];
877 ssl
->handshake
->max_minor_ver
= buf
[4];
879 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, 2 + n
) ) != 0 )
881 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
885 ssl
->handshake
->update_checksum( ssl
, buf
+ 2, n
);
888 n
= ssl
->in_left
- 5;
891 * 0 . 1 ciphersuitelist length
892 * 2 . 3 session id length
893 * 4 . 5 challenge length
894 * 6 . .. ciphersuitelist
898 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf
, n
);
900 ciph_len
= ( buf
[0] << 8 ) | buf
[1];
901 sess_len
= ( buf
[2] << 8 ) | buf
[3];
902 chal_len
= ( buf
[4] << 8 ) | buf
[5];
904 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
905 ciph_len
, sess_len
, chal_len
) );
908 * Make sure each parameter length is valid
910 if( ciph_len
< 3 || ( ciph_len
% 3 ) != 0 )
912 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
913 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
918 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
919 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
922 if( chal_len
< 8 || chal_len
> 32 )
924 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
925 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
928 if( n
!= 6 + ciph_len
+ sess_len
+ chal_len
)
930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
931 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
934 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
936 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
937 buf
+ 6 + ciph_len
, sess_len
);
938 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
939 buf
+ 6 + ciph_len
+ sess_len
, chal_len
);
941 p
= buf
+ 6 + ciph_len
;
942 ssl
->session_negotiate
->id_len
= sess_len
;
943 memset( ssl
->session_negotiate
->id
, 0,
944 sizeof( ssl
->session_negotiate
->id
) );
945 memcpy( ssl
->session_negotiate
->id
, p
, ssl
->session_negotiate
->id_len
);
948 memset( ssl
->handshake
->randbytes
, 0, 64 );
949 memcpy( ssl
->handshake
->randbytes
+ 32 - chal_len
, p
, chal_len
);
952 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
954 for( i
= 0, p
= buf
+ 6; i
< ciph_len
; i
+= 3, p
+= 3 )
956 if( p
[0] == 0 && p
[1] == 0 && p
[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
)
958 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
959 #if defined(MBEDTLS_SSL_RENEGOTIATION)
960 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
963 "during renegotiation" ) );
965 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
968 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
970 #endif /* MBEDTLS_SSL_RENEGOTIATION */
971 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
976 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
977 for( i
= 0, p
= buf
+ 6; i
< ciph_len
; i
+= 3, p
+= 3 )
980 p
[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
>> 8 ) & 0xff ) &&
981 p
[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
) & 0xff ) )
983 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
985 if( ssl
->minor_ver
< ssl
->conf
->max_minor_ver
)
987 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
989 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
990 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
);
992 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
998 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1000 got_common_suite
= 0;
1001 ciphersuites
= ssl
->conf
->ciphersuite_list
[ssl
->minor_ver
];
1002 ciphersuite_info
= NULL
;
1003 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1004 for( j
= 0, p
= buf
+ 6; j
< ciph_len
; j
+= 3, p
+= 3 )
1006 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1008 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1010 for( j
= 0, p
= buf
+ 6; j
< ciph_len
; j
+= 3, p
+= 3 )
1014 p
[1] != ( ( ciphersuites
[i
] >> 8 ) & 0xFF ) ||
1015 p
[2] != ( ( ciphersuites
[i
] ) & 0xFF ) )
1018 got_common_suite
= 1;
1020 if( ( ret
= ssl_ciphersuite_match( ssl
, ciphersuites
[i
],
1021 &ciphersuite_info
) ) != 0 )
1024 if( ciphersuite_info
!= NULL
)
1025 goto have_ciphersuite_v2
;
1029 if( got_common_suite
)
1031 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1032 "but none of them usable" ) );
1033 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
);
1037 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1038 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
1041 have_ciphersuite_v2
:
1042 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info
->name
) );
1044 ssl
->session_negotiate
->ciphersuite
= ciphersuites
[i
];
1045 ssl
->transform_negotiate
->ciphersuite_info
= ciphersuite_info
;
1046 mbedtls_ssl_optimize_checksum( ssl
, ssl
->transform_negotiate
->ciphersuite_info
);
1049 * SSLv2 Client Hello relevant renegotiation security checks
1051 if( ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1052 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
)
1054 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1056 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
1059 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1065 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1069 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1071 static int ssl_parse_client_hello( mbedtls_ssl_context
*ssl
)
1073 int ret
, got_common_suite
;
1075 size_t ciph_offset
, comp_offset
, ext_offset
;
1076 size_t msg_len
, ciph_len
, sess_len
, comp_len
, ext_len
;
1077 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1078 size_t cookie_offset
, cookie_len
;
1080 unsigned char *buf
, *p
, *ext
;
1081 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1082 int renegotiation_info_seen
= 0;
1084 int handshake_failure
= 0;
1085 const int *ciphersuites
;
1086 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
1089 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1091 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1095 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1096 * otherwise read it ourselves manually in order to support SSLv2
1097 * ClientHello, which doesn't use the same record layer format.
1099 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1100 if( ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1103 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, 5 ) ) != 0 )
1105 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
1112 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1113 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1114 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_STREAM
)
1116 if( ( buf
[0] & 0x80 ) != 0 )
1117 return ssl_parse_client_hello_v2( ssl
);
1120 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf
, mbedtls_ssl_hdr_len( ssl
) );
1123 * SSLv3/TLS Client Hello
1126 * 0 . 0 message type
1127 * 1 . 2 protocol version
1128 * 3 . 11 DTLS: epoch + record sequence number
1129 * 3 . 4 message length
1131 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1134 if( buf
[0] != MBEDTLS_SSL_MSG_HANDSHAKE
)
1136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1137 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1141 ( ssl
->in_len
[0] << 8 ) | ssl
->in_len
[1] ) );
1143 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
1146 mbedtls_ssl_read_version( &major
, &minor
, ssl
->conf
->transport
, buf
+ 1 );
1148 /* According to RFC 5246 Appendix E.1, the version here is typically
1149 * "{03,00}, the lowest version number supported by the client, [or] the
1150 * value of ClientHello.client_version", so the only meaningful check here
1151 * is the major version shouldn't be less than 3 */
1152 if( major
< MBEDTLS_SSL_MAJOR_VERSION_3
)
1154 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1155 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1158 /* For DTLS if this is the initial handshake, remember the client sequence
1159 * number to use it in our next message (RFC 6347 4.2.1) */
1160 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1161 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
1162 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1163 && ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
1167 /* Epoch should be 0 for initial handshakes */
1168 if( ssl
->in_ctr
[0] != 0 || ssl
->in_ctr
[1] != 0 )
1170 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1171 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1174 memcpy( ssl
->out_ctr
+ 2, ssl
->in_ctr
+ 2, 6 );
1176 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1177 if( mbedtls_ssl_dtls_replay_check( ssl
) != 0 )
1179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1180 ssl
->next_record_offset
= 0;
1182 goto read_record_header
;
1185 /* No MAC to check yet, so we can update right now */
1186 mbedtls_ssl_dtls_replay_update( ssl
);
1189 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1191 msg_len
= ( ssl
->in_len
[0] << 8 ) | ssl
->in_len
[1];
1193 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1194 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1196 /* Set by mbedtls_ssl_read_record() */
1197 msg_len
= ssl
->in_hslen
;
1202 if( msg_len
> MBEDTLS_SSL_MAX_CONTENT_LEN
)
1204 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1205 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1208 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, mbedtls_ssl_hdr_len( ssl
) + msg_len
) ) != 0 )
1210 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
1214 /* Done reading this record, get ready for the next one */
1215 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1216 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1217 ssl
->next_record_offset
= msg_len
+ mbedtls_ssl_hdr_len( ssl
);
1225 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf
, msg_len
);
1227 ssl
->handshake
->update_checksum( ssl
, buf
, msg_len
);
1231 * 0 . 0 handshake type
1232 * 1 . 3 handshake length
1233 * 4 . 5 DTLS only: message seqence number
1234 * 6 . 8 DTLS only: fragment offset
1235 * 9 . 11 DTLS only: fragment length
1237 if( msg_len
< mbedtls_ssl_hs_hdr_len( ssl
) )
1239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1240 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1243 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf
[0] ) );
1245 if( buf
[0] != MBEDTLS_SSL_HS_CLIENT_HELLO
)
1247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1248 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1251 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1252 ( buf
[1] << 16 ) | ( buf
[2] << 8 ) | buf
[3] ) );
1254 /* We don't support fragmentation of ClientHello (yet?) */
1256 msg_len
!= mbedtls_ssl_hs_hdr_len( ssl
) + ( ( buf
[2] << 8 ) | buf
[3] ) )
1258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1259 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1262 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1263 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1266 * Copy the client's handshake message_seq on initial handshakes,
1267 * check sequence number on renego.
1269 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1270 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1272 /* This couldn't be done in ssl_prepare_handshake_record() */
1273 unsigned int cli_msg_seq
= ( ssl
->in_msg
[4] << 8 ) |
1276 if( cli_msg_seq
!= ssl
->handshake
->in_msg_seq
)
1278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1279 "%d (expected %d)", cli_msg_seq
,
1280 ssl
->handshake
->in_msg_seq
) );
1281 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1284 ssl
->handshake
->in_msg_seq
++;
1289 unsigned int cli_msg_seq
= ( ssl
->in_msg
[4] << 8 ) |
1291 ssl
->handshake
->out_msg_seq
= cli_msg_seq
;
1292 ssl
->handshake
->in_msg_seq
= cli_msg_seq
+ 1;
1296 * For now we don't support fragmentation, so make sure
1297 * fragment_offset == 0 and fragment_length == length
1299 if( ssl
->in_msg
[6] != 0 || ssl
->in_msg
[7] != 0 || ssl
->in_msg
[8] != 0 ||
1300 memcmp( ssl
->in_msg
+ 1, ssl
->in_msg
+ 9, 3 ) != 0 )
1302 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1303 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
1306 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1308 buf
+= mbedtls_ssl_hs_hdr_len( ssl
);
1309 msg_len
-= mbedtls_ssl_hs_hdr_len( ssl
);
1312 * ClientHello layer:
1313 * 0 . 1 protocol version
1314 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1315 * 34 . 35 session id length (1 byte)
1316 * 35 . 34+x session id
1317 * 35+x . 35+x DTLS only: cookie length (1 byte)
1318 * 36+x . .. DTLS only: cookie
1319 * .. . .. ciphersuite list length (2 bytes)
1320 * .. . .. ciphersuite list
1321 * .. . .. compression alg. list length (1 byte)
1322 * .. . .. compression alg. list
1323 * .. . .. extensions length (2 bytes, optional)
1324 * .. . .. extensions (optional)
1328 * Minimal length (with everything empty and extensions ommitted) is
1329 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1330 * read at least up to session id length without worrying.
1334 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1335 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1339 * Check and save the protocol version
1341 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf
, 2 );
1343 mbedtls_ssl_read_version( &ssl
->major_ver
, &ssl
->minor_ver
,
1344 ssl
->conf
->transport
, buf
);
1346 ssl
->handshake
->max_major_ver
= ssl
->major_ver
;
1347 ssl
->handshake
->max_minor_ver
= ssl
->minor_ver
;
1349 if( ssl
->major_ver
< ssl
->conf
->min_major_ver
||
1350 ssl
->minor_ver
< ssl
->conf
->min_minor_ver
)
1352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1353 " [%d:%d] < [%d:%d]",
1354 ssl
->major_ver
, ssl
->minor_ver
,
1355 ssl
->conf
->min_major_ver
, ssl
->conf
->min_minor_ver
) );
1357 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1358 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
);
1360 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
);
1363 if( ssl
->major_ver
> ssl
->conf
->max_major_ver
)
1365 ssl
->major_ver
= ssl
->conf
->max_major_ver
;
1366 ssl
->minor_ver
= ssl
->conf
->max_minor_ver
;
1368 else if( ssl
->minor_ver
> ssl
->conf
->max_minor_ver
)
1369 ssl
->minor_ver
= ssl
->conf
->max_minor_ver
;
1372 * Save client random (inc. Unix time)
1374 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf
+ 2, 32 );
1376 memcpy( ssl
->handshake
->randbytes
, buf
+ 2, 32 );
1379 * Check the session ID length and save session ID
1383 if( sess_len
> sizeof( ssl
->session_negotiate
->id
) ||
1384 sess_len
+ 34 + 2 > msg_len
) /* 2 for cipherlist length field */
1386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1387 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1390 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf
+ 35, sess_len
);
1392 ssl
->session_negotiate
->id_len
= sess_len
;
1393 memset( ssl
->session_negotiate
->id
, 0,
1394 sizeof( ssl
->session_negotiate
->id
) );
1395 memcpy( ssl
->session_negotiate
->id
, buf
+ 35,
1396 ssl
->session_negotiate
->id_len
);
1399 * Check the cookie length and content
1401 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1402 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1404 cookie_offset
= 35 + sess_len
;
1405 cookie_len
= buf
[cookie_offset
];
1407 if( cookie_offset
+ 1 + cookie_len
+ 2 > msg_len
)
1409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1410 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1413 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1414 buf
+ cookie_offset
+ 1, cookie_len
);
1416 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1417 if( ssl
->conf
->f_cookie_check
!= NULL
1418 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1419 && ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
1423 if( ssl
->conf
->f_cookie_check( ssl
->conf
->p_cookie
,
1424 buf
+ cookie_offset
+ 1, cookie_len
,
1425 ssl
->cli_id
, ssl
->cli_id_len
) != 0 )
1427 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1428 ssl
->handshake
->verify_cookie_len
= 1;
1432 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1433 ssl
->handshake
->verify_cookie_len
= 0;
1437 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1439 /* We know we didn't send a cookie, so it should be empty */
1440 if( cookie_len
!= 0 )
1442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1443 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1446 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1450 * Check the ciphersuitelist length (will be parsed later)
1452 ciph_offset
= cookie_offset
+ 1 + cookie_len
;
1455 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1456 ciph_offset
= 35 + sess_len
;
1458 ciph_len
= ( buf
[ciph_offset
+ 0] << 8 )
1459 | ( buf
[ciph_offset
+ 1] );
1462 ciph_len
+ 2 + ciph_offset
+ 1 > msg_len
|| /* 1 for comp. alg. len */
1463 ( ciph_len
% 2 ) != 0 )
1465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1466 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1469 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1470 buf
+ ciph_offset
+ 2, ciph_len
);
1473 * Check the compression algorithms length and pick one
1475 comp_offset
= ciph_offset
+ 2 + ciph_len
;
1477 comp_len
= buf
[comp_offset
];
1481 comp_len
+ comp_offset
+ 1 > msg_len
)
1483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1484 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1487 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1488 buf
+ comp_offset
+ 1, comp_len
);
1490 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_NULL
;
1491 #if defined(MBEDTLS_ZLIB_SUPPORT)
1492 for( i
= 0; i
< comp_len
; ++i
)
1494 if( buf
[comp_offset
+ 1 + i
] == MBEDTLS_SSL_COMPRESS_DEFLATE
)
1496 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_DEFLATE
;
1502 /* See comments in ssl_write_client_hello() */
1503 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1504 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1505 ssl
->session_negotiate
->compression
= MBEDTLS_SSL_COMPRESS_NULL
;
1509 * Check the extension length
1511 ext_offset
= comp_offset
+ 1 + comp_len
;
1512 if( msg_len
> ext_offset
)
1514 if( msg_len
< ext_offset
+ 2 )
1516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1517 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1520 ext_len
= ( buf
[ext_offset
+ 0] << 8 )
1521 | ( buf
[ext_offset
+ 1] );
1523 if( ( ext_len
> 0 && ext_len
< 4 ) ||
1524 msg_len
!= ext_offset
+ 2 + ext_len
)
1526 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1527 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1533 ext
= buf
+ ext_offset
+ 2;
1534 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext
, ext_len
);
1536 while( ext_len
!= 0 )
1538 unsigned int ext_id
= ( ( ext
[0] << 8 )
1540 unsigned int ext_size
= ( ( ext
[2] << 8 )
1543 if( ext_size
+ 4 > ext_len
)
1545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1546 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1550 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1551 case MBEDTLS_TLS_EXT_SERVERNAME
:
1552 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1553 if( ssl
->conf
->f_sni
== NULL
)
1556 ret
= ssl_parse_servername_ext( ssl
, ext
+ 4, ext_size
);
1560 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1562 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
:
1563 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1564 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1565 renegotiation_info_seen
= 1;
1568 ret
= ssl_parse_renegotiation_info( ssl
, ext
+ 4, ext_size
);
1573 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1574 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1575 case MBEDTLS_TLS_EXT_SIG_ALG
:
1576 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1577 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1578 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1582 ret
= ssl_parse_signature_algorithms_ext( ssl
, ext
+ 4, ext_size
);
1586 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1587 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1589 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1590 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1591 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
:
1592 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1594 ret
= ssl_parse_supported_elliptic_curves( ssl
, ext
+ 4, ext_size
);
1599 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
:
1600 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1601 ssl
->handshake
->cli_exts
|= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
;
1603 ret
= ssl_parse_supported_point_formats( ssl
, ext
+ 4, ext_size
);
1607 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1608 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1610 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1611 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP
:
1612 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1614 ret
= ssl_parse_ecjpake_kkpp( ssl
, ext
+ 4, ext_size
);
1618 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1620 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1621 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
:
1622 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1624 ret
= ssl_parse_max_fragment_length_ext( ssl
, ext
+ 4, ext_size
);
1628 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1630 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1631 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC
:
1632 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1634 ret
= ssl_parse_truncated_hmac_ext( ssl
, ext
+ 4, ext_size
);
1638 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1640 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1641 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
:
1642 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1644 ret
= ssl_parse_encrypt_then_mac_ext( ssl
, ext
+ 4, ext_size
);
1648 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1650 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1651 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
:
1652 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1654 ret
= ssl_parse_extended_ms_ext( ssl
, ext
+ 4, ext_size
);
1658 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1660 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1661 case MBEDTLS_TLS_EXT_SESSION_TICKET
:
1662 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1664 ret
= ssl_parse_session_ticket_ext( ssl
, ext
+ 4, ext_size
);
1668 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1670 #if defined(MBEDTLS_SSL_ALPN)
1671 case MBEDTLS_TLS_EXT_ALPN
:
1672 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1674 ret
= ssl_parse_alpn_ext( ssl
, ext
+ 4, ext_size
);
1678 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1681 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1685 ext_len
-= 4 + ext_size
;
1686 ext
+= 4 + ext_size
;
1688 if( ext_len
> 0 && ext_len
< 4 )
1690 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1691 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1695 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1696 for( i
= 0, p
= buf
+ 41 + sess_len
; i
< ciph_len
; i
+= 2, p
+= 2 )
1698 if( p
[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
>> 8 ) & 0xff ) &&
1699 p
[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE
) & 0xff ) )
1701 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
1703 if( ssl
->minor_ver
< ssl
->conf
->max_minor_ver
)
1705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1707 mbedtls_ssl_send_alert_message( ssl
, MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
1708 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
);
1710 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1716 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1719 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1721 for( i
= 0, p
= buf
+ ciph_offset
+ 2; i
< ciph_len
; i
+= 2, p
+= 2 )
1723 if( p
[0] == 0 && p
[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
)
1725 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1726 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1727 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
1729 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
1731 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
1734 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1737 ssl
->secure_renegotiation
= MBEDTLS_SSL_SECURE_RENEGOTIATION
;
1743 * Renegotiation security checks
1745 if( ssl
->secure_renegotiation
!= MBEDTLS_SSL_SECURE_RENEGOTIATION
&&
1746 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
)
1748 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1749 handshake_failure
= 1;
1751 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1752 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1753 ssl
->secure_renegotiation
== MBEDTLS_SSL_SECURE_RENEGOTIATION
&&
1754 renegotiation_info_seen
== 0 )
1756 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1757 handshake_failure
= 1;
1759 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1760 ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1761 ssl
->conf
->allow_legacy_renegotiation
== MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
)
1763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1764 handshake_failure
= 1;
1766 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
1767 ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
1768 renegotiation_info_seen
== 1 )
1770 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1771 handshake_failure
= 1;
1773 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1775 if( handshake_failure
== 1 )
1777 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
1780 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
1784 * Search for a matching ciphersuite
1785 * (At the end because we need information from the EC-based extensions
1786 * and certificate from the SNI callback triggered by the SNI extension.)
1788 got_common_suite
= 0;
1789 ciphersuites
= ssl
->conf
->ciphersuite_list
[ssl
->minor_ver
];
1790 ciphersuite_info
= NULL
;
1791 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1792 for( j
= 0, p
= buf
+ ciph_offset
+ 2; j
< ciph_len
; j
+= 2, p
+= 2 )
1794 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1796 for( i
= 0; ciphersuites
[i
] != 0; i
++ )
1798 for( j
= 0, p
= buf
+ ciph_offset
+ 2; j
< ciph_len
; j
+= 2, p
+= 2 )
1801 if( p
[0] != ( ( ciphersuites
[i
] >> 8 ) & 0xFF ) ||
1802 p
[1] != ( ( ciphersuites
[i
] ) & 0xFF ) )
1805 got_common_suite
= 1;
1807 if( ( ret
= ssl_ciphersuite_match( ssl
, ciphersuites
[i
],
1808 &ciphersuite_info
) ) != 0 )
1811 if( ciphersuite_info
!= NULL
)
1812 goto have_ciphersuite
;
1816 if( got_common_suite
)
1818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1819 "but none of them usable" ) );
1820 mbedtls_ssl_send_fatal_handshake_failure( ssl
);
1821 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
);
1825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1826 mbedtls_ssl_send_fatal_handshake_failure( ssl
);
1827 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
1831 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info
->name
) );
1833 ssl
->session_negotiate
->ciphersuite
= ciphersuites
[i
];
1834 ssl
->transform_negotiate
->ciphersuite_info
= ciphersuite_info
;
1835 mbedtls_ssl_optimize_checksum( ssl
, ssl
->transform_negotiate
->ciphersuite_info
);
1839 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1840 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
1841 mbedtls_ssl_recv_flight_completed( ssl
);
1844 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1849 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1850 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context
*ssl
,
1854 unsigned char *p
= buf
;
1856 if( ssl
->session_negotiate
->trunc_hmac
== MBEDTLS_SSL_TRUNC_HMAC_DISABLED
)
1862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
1864 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC
>> 8 ) & 0xFF );
1865 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC
) & 0xFF );
1872 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1874 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1875 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context
*ssl
,
1879 unsigned char *p
= buf
;
1880 const mbedtls_ssl_ciphersuite_t
*suite
= NULL
;
1881 const mbedtls_cipher_info_t
*cipher
= NULL
;
1883 if( ssl
->session_negotiate
->encrypt_then_mac
== MBEDTLS_SSL_EXTENDED_MS_DISABLED
||
1884 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
1891 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
1892 * from a client and then selects a stream or Authenticated Encryption
1893 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
1894 * encrypt-then-MAC response extension back to the client."
1896 if( ( suite
= mbedtls_ssl_ciphersuite_from_id(
1897 ssl
->session_negotiate
->ciphersuite
) ) == NULL
||
1898 ( cipher
= mbedtls_cipher_info_from_type( suite
->cipher
) ) == NULL
||
1899 cipher
->mode
!= MBEDTLS_MODE_CBC
)
1905 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
1907 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
>> 8 ) & 0xFF );
1908 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
) & 0xFF );
1915 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1917 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1918 static void ssl_write_extended_ms_ext( mbedtls_ssl_context
*ssl
,
1922 unsigned char *p
= buf
;
1924 if( ssl
->handshake
->extended_ms
== MBEDTLS_SSL_EXTENDED_MS_DISABLED
||
1925 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
1931 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
1934 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
>> 8 ) & 0xFF );
1935 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
) & 0xFF );
1942 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1944 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1945 static void ssl_write_session_ticket_ext( mbedtls_ssl_context
*ssl
,
1949 unsigned char *p
= buf
;
1951 if( ssl
->handshake
->new_session_ticket
== 0 )
1957 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
1959 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET
>> 8 ) & 0xFF );
1960 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET
) & 0xFF );
1967 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1969 static void ssl_write_renegotiation_ext( mbedtls_ssl_context
*ssl
,
1973 unsigned char *p
= buf
;
1975 if( ssl
->secure_renegotiation
!= MBEDTLS_SSL_SECURE_RENEGOTIATION
)
1981 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
1983 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
>> 8 ) & 0xFF );
1984 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
) & 0xFF );
1986 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1987 if( ssl
->renego_status
!= MBEDTLS_SSL_INITIAL_HANDSHAKE
)
1990 *p
++ = ( ssl
->verify_data_len
* 2 + 1 ) & 0xFF;
1991 *p
++ = ssl
->verify_data_len
* 2 & 0xFF;
1993 memcpy( p
, ssl
->peer_verify_data
, ssl
->verify_data_len
);
1994 p
+= ssl
->verify_data_len
;
1995 memcpy( p
, ssl
->own_verify_data
, ssl
->verify_data_len
);
1996 p
+= ssl
->verify_data_len
;
1999 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2009 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2010 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context
*ssl
,
2014 unsigned char *p
= buf
;
2016 if( ssl
->session_negotiate
->mfl_code
== MBEDTLS_SSL_MAX_FRAG_LEN_NONE
)
2022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2024 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
>> 8 ) & 0xFF );
2025 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
) & 0xFF );
2030 *p
++ = ssl
->session_negotiate
->mfl_code
;
2034 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2036 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2037 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2038 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context
*ssl
,
2042 unsigned char *p
= buf
;
2045 if( ( ssl
->handshake
->cli_exts
&
2046 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
) == 0 )
2052 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2054 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
>> 8 ) & 0xFF );
2055 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
) & 0xFF );
2061 *p
++ = MBEDTLS_ECP_PF_UNCOMPRESSED
;
2065 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2067 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2068 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context
*ssl
,
2073 unsigned char *p
= buf
;
2074 const unsigned char *end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2079 /* Skip costly computation if not needed */
2080 if( ssl
->transform_negotiate
->ciphersuite_info
->key_exchange
!=
2081 MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2084 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2092 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP
>> 8 ) & 0xFF );
2093 *p
++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP
) & 0xFF );
2095 ret
= mbedtls_ecjpake_write_round_one( &ssl
->handshake
->ecjpake_ctx
,
2096 p
+ 2, end
- p
- 2, &kkpp_len
,
2097 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
2100 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret
);
2104 *p
++ = (unsigned char)( ( kkpp_len
>> 8 ) & 0xFF );
2105 *p
++ = (unsigned char)( ( kkpp_len
) & 0xFF );
2107 *olen
= kkpp_len
+ 4;
2109 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2111 #if defined(MBEDTLS_SSL_ALPN )
2112 static void ssl_write_alpn_ext( mbedtls_ssl_context
*ssl
,
2113 unsigned char *buf
, size_t *olen
)
2115 if( ssl
->alpn_chosen
== NULL
)
2121 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2124 * 0 . 1 ext identifier
2126 * 4 . 5 protocol list length
2127 * 6 . 6 protocol name length
2128 * 7 . 7+n protocol name
2130 buf
[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN
>> 8 ) & 0xFF );
2131 buf
[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN
) & 0xFF );
2133 *olen
= 7 + strlen( ssl
->alpn_chosen
);
2135 buf
[2] = (unsigned char)( ( ( *olen
- 4 ) >> 8 ) & 0xFF );
2136 buf
[3] = (unsigned char)( ( ( *olen
- 4 ) ) & 0xFF );
2138 buf
[4] = (unsigned char)( ( ( *olen
- 6 ) >> 8 ) & 0xFF );
2139 buf
[5] = (unsigned char)( ( ( *olen
- 6 ) ) & 0xFF );
2141 buf
[6] = (unsigned char)( ( ( *olen
- 7 ) ) & 0xFF );
2143 memcpy( buf
+ 7, ssl
->alpn_chosen
, *olen
- 7 );
2145 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2147 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2148 static int ssl_write_hello_verify_request( mbedtls_ssl_context
*ssl
)
2151 unsigned char *p
= ssl
->out_msg
+ 4;
2152 unsigned char *cookie_len_byte
;
2154 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2158 * ProtocolVersion server_version;
2159 * opaque cookie<0..2^8-1>;
2160 * } HelloVerifyRequest;
2163 /* The RFC is not clear on this point, but sending the actual negotiated
2164 * version looks like the most interoperable thing to do. */
2165 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
2166 ssl
->conf
->transport
, p
);
2167 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p
, 2 );
2170 /* If we get here, f_cookie_check is not null */
2171 if( ssl
->conf
->f_cookie_write
== NULL
)
2173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2174 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2177 /* Skip length byte until we know the length */
2178 cookie_len_byte
= p
++;
2180 if( ( ret
= ssl
->conf
->f_cookie_write( ssl
->conf
->p_cookie
,
2181 &p
, ssl
->out_buf
+ MBEDTLS_SSL_BUFFER_LEN
,
2182 ssl
->cli_id
, ssl
->cli_id_len
) ) != 0 )
2184 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret
);
2188 *cookie_len_byte
= (unsigned char)( p
- ( cookie_len_byte
+ 1 ) );
2190 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte
+ 1, *cookie_len_byte
);
2192 ssl
->out_msglen
= p
- ssl
->out_msg
;
2193 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2194 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
;
2196 ssl
->state
= MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
;
2198 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
2200 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
2204 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2208 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2210 static int ssl_write_server_hello( mbedtls_ssl_context
*ssl
)
2212 #if defined(MBEDTLS_HAVE_TIME)
2216 size_t olen
, ext_len
= 0, n
;
2217 unsigned char *buf
, *p
;
2219 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2221 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2222 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
2223 ssl
->handshake
->verify_cookie_len
!= 0 )
2225 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2226 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2228 return( ssl_write_hello_verify_request( ssl
) );
2230 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2232 if( ssl
->conf
->f_rng
== NULL
)
2234 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2235 return( MBEDTLS_ERR_SSL_NO_RNG
);
2239 * 0 . 0 handshake type
2240 * 1 . 3 handshake length
2241 * 4 . 5 protocol version
2243 * 10 . 37 random bytes
2248 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
2249 ssl
->conf
->transport
, p
);
2252 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2255 #if defined(MBEDTLS_HAVE_TIME)
2257 *p
++ = (unsigned char)( t
>> 24 );
2258 *p
++ = (unsigned char)( t
>> 16 );
2259 *p
++ = (unsigned char)( t
>> 8 );
2260 *p
++ = (unsigned char)( t
);
2262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t
) );
2264 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, p
, 4 ) ) != 0 )
2268 #endif /* MBEDTLS_HAVE_TIME */
2270 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, p
, 28 ) ) != 0 )
2275 memcpy( ssl
->handshake
->randbytes
+ 32, buf
+ 6, 32 );
2277 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf
+ 6, 32 );
2280 * Resume is 0 by default, see ssl_handshake_init().
2281 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2282 * If not, try looking up session ID in our cache.
2284 if( ssl
->handshake
->resume
== 0 &&
2285 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2286 ssl
->renego_status
== MBEDTLS_SSL_INITIAL_HANDSHAKE
&&
2288 ssl
->session_negotiate
->id_len
!= 0 &&
2289 ssl
->conf
->f_get_cache
!= NULL
&&
2290 ssl
->conf
->f_get_cache( ssl
->conf
->p_cache
, ssl
->session_negotiate
) == 0 )
2292 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2293 ssl
->handshake
->resume
= 1;
2296 if( ssl
->handshake
->resume
== 0 )
2299 * New session, create a new session id,
2300 * unless we're about to issue a session ticket
2304 #if defined(MBEDTLS_HAVE_TIME)
2305 ssl
->session_negotiate
->start
= time( NULL
);
2308 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2309 if( ssl
->handshake
->new_session_ticket
!= 0 )
2311 ssl
->session_negotiate
->id_len
= n
= 0;
2312 memset( ssl
->session_negotiate
->id
, 0, 32 );
2315 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2317 ssl
->session_negotiate
->id_len
= n
= 32;
2318 if( ( ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, ssl
->session_negotiate
->id
,
2326 * Resuming a session
2328 n
= ssl
->session_negotiate
->id_len
;
2329 ssl
->state
= MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
;
2331 if( ( ret
= mbedtls_ssl_derive_keys( ssl
) ) != 0 )
2333 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret
);
2339 * 38 . 38 session id length
2340 * 39 . 38+n session id
2341 * 39+n . 40+n chosen ciphersuite
2342 * 41+n . 41+n chosen compression alg.
2343 * 42+n . 43+n extensions length
2344 * 44+n . 43+n+m extensions
2346 *p
++ = (unsigned char) ssl
->session_negotiate
->id_len
;
2347 memcpy( p
, ssl
->session_negotiate
->id
, ssl
->session_negotiate
->id_len
);
2348 p
+= ssl
->session_negotiate
->id_len
;
2350 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n
) );
2351 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf
+ 39, n
);
2352 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2353 ssl
->handshake
->resume
? "a" : "no" ) );
2355 *p
++ = (unsigned char)( ssl
->session_negotiate
->ciphersuite
>> 8 );
2356 *p
++ = (unsigned char)( ssl
->session_negotiate
->ciphersuite
);
2357 *p
++ = (unsigned char)( ssl
->session_negotiate
->compression
);
2359 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2360 mbedtls_ssl_get_ciphersuite_name( ssl
->session_negotiate
->ciphersuite
) ) );
2361 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2362 ssl
->session_negotiate
->compression
) );
2365 * First write extensions, then the total length
2367 ssl_write_renegotiation_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2370 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2371 ssl_write_max_fragment_length_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2375 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2376 ssl_write_truncated_hmac_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2380 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2381 ssl_write_encrypt_then_mac_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2385 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2386 ssl_write_extended_ms_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2390 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2391 ssl_write_session_ticket_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2395 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2396 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2397 ssl_write_supported_point_formats_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2401 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2402 ssl_write_ecjpake_kkpp_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2406 #if defined(MBEDTLS_SSL_ALPN)
2407 ssl_write_alpn_ext( ssl
, p
+ 2 + ext_len
, &olen
);
2411 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len
) );
2415 *p
++ = (unsigned char)( ( ext_len
>> 8 ) & 0xFF );
2416 *p
++ = (unsigned char)( ( ext_len
) & 0xFF );
2420 ssl
->out_msglen
= p
- buf
;
2421 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2422 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_HELLO
;
2424 ret
= mbedtls_ssl_write_record( ssl
);
2426 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2431 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2432 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2433 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2434 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2435 static int ssl_write_certificate_request( mbedtls_ssl_context
*ssl
)
2437 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
2439 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2441 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2442 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
2443 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2444 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
2445 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2453 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2456 static int ssl_write_certificate_request( mbedtls_ssl_context
*ssl
)
2458 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
2459 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
2460 size_t dn_size
, total_dn_size
; /* excluding length bytes */
2461 size_t ct_len
, sa_len
; /* including length bytes */
2462 unsigned char *buf
, *p
;
2463 const unsigned char * const end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2464 const mbedtls_x509_crt
*crt
;
2467 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2471 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2472 if( ssl
->handshake
->sni_authmode
!= MBEDTLS_SSL_VERIFY_UNSET
)
2473 authmode
= ssl
->handshake
->sni_authmode
;
2476 authmode
= ssl
->conf
->authmode
;
2478 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2479 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
2480 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2481 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
2482 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
||
2483 authmode
== MBEDTLS_SSL_VERIFY_NONE
)
2485 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2490 * 0 . 0 handshake type
2491 * 1 . 3 handshake length
2492 * 4 . 4 cert type count
2493 * 5 .. m-1 cert types
2494 * m .. m+1 sig alg length (TLS 1.2 only)
2495 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2496 * n .. n+1 length of all DNs
2497 * n+2 .. n+3 length of DN 1
2498 * n+4 .. ... Distinguished Name #1
2499 * ... .. ... length of DN 2, etc.
2505 * Supported certificate types
2507 * ClientCertificateType certificate_types<1..2^8-1>;
2508 * enum { (255) } ClientCertificateType;
2512 #if defined(MBEDTLS_RSA_C)
2513 p
[1 + ct_len
++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
;
2515 #if defined(MBEDTLS_ECDSA_C)
2516 p
[1 + ct_len
++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
;
2519 p
[0] = (unsigned char) ct_len
++;
2523 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2525 * Add signature_algorithms for verify (TLS 1.2)
2527 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2530 * HashAlgorithm hash;
2531 * SignatureAlgorithm signature;
2532 * } SignatureAndHashAlgorithm;
2534 * enum { (255) } HashAlgorithm;
2535 * enum { (255) } SignatureAlgorithm;
2537 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2540 * Only use current running hash algorithm that is already required
2541 * for requested ciphersuite.
2543 ssl
->handshake
->verify_sig_alg
= MBEDTLS_SSL_HASH_SHA256
;
2545 if( ssl
->transform_negotiate
->ciphersuite_info
->mac
==
2548 ssl
->handshake
->verify_sig_alg
= MBEDTLS_SSL_HASH_SHA384
;
2552 * Supported signature algorithms
2554 #if defined(MBEDTLS_RSA_C)
2555 p
[2 + sa_len
++] = ssl
->handshake
->verify_sig_alg
;
2556 p
[2 + sa_len
++] = MBEDTLS_SSL_SIG_RSA
;
2558 #if defined(MBEDTLS_ECDSA_C)
2559 p
[2 + sa_len
++] = ssl
->handshake
->verify_sig_alg
;
2560 p
[2 + sa_len
++] = MBEDTLS_SSL_SIG_ECDSA
;
2563 p
[0] = (unsigned char)( sa_len
>> 8 );
2564 p
[1] = (unsigned char)( sa_len
);
2568 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2571 * DistinguishedName certificate_authorities<0..2^16-1>;
2572 * opaque DistinguishedName<1..2^16-1>;
2575 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2576 if( ssl
->handshake
->sni_ca_chain
!= NULL
)
2577 crt
= ssl
->handshake
->sni_ca_chain
;
2580 crt
= ssl
->conf
->ca_chain
;
2583 while( crt
!= NULL
&& crt
->version
!= 0 )
2585 dn_size
= crt
->subject_raw
.len
;
2588 (size_t)( end
- p
) < dn_size
||
2589 (size_t)( end
- p
) < 2 + dn_size
)
2591 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2595 *p
++ = (unsigned char)( dn_size
>> 8 );
2596 *p
++ = (unsigned char)( dn_size
);
2597 memcpy( p
, crt
->subject_raw
.p
, dn_size
);
2600 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p
- dn_size
, dn_size
);
2602 total_dn_size
+= 2 + dn_size
;
2606 ssl
->out_msglen
= p
- buf
;
2607 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
2608 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
;
2609 ssl
->out_msg
[4 + ct_len
+ sa_len
] = (unsigned char)( total_dn_size
>> 8 );
2610 ssl
->out_msg
[5 + ct_len
+ sa_len
] = (unsigned char)( total_dn_size
);
2612 ret
= mbedtls_ssl_write_record( ssl
);
2614 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2618 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2619 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2620 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2621 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2623 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2624 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2625 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context
*ssl
)
2629 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl
), MBEDTLS_PK_ECKEY
) )
2631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2632 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
);
2635 if( ( ret
= mbedtls_ecdh_get_params( &ssl
->handshake
->ecdh_ctx
,
2636 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl
) ),
2637 MBEDTLS_ECDH_OURS
) ) != 0 )
2639 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret
);
2645 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2646 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2648 static int ssl_write_server_key_exchange( mbedtls_ssl_context
*ssl
)
2652 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
=
2653 ssl
->transform_negotiate
->ciphersuite_info
;
2655 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2656 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2657 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2658 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2659 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2660 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2661 unsigned char *p
= ssl
->out_msg
+ 4;
2662 unsigned char *dig_signed
= p
;
2663 size_t dig_signed_len
= 0, len
;
2664 ((void) dig_signed
);
2665 ((void) dig_signed_len
);
2669 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
2671 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2672 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2673 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2674 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA
||
2675 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
2676 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
)
2678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2684 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2685 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2686 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA
||
2687 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
)
2689 ssl_get_ecdh_params_from_cert( ssl
);
2691 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
2697 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2698 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
2701 const unsigned char *end
= ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
;
2703 ret
= mbedtls_ecjpake_write_round_two( &ssl
->handshake
->ecjpake_ctx
,
2704 p
, end
- p
, &jlen
, ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
2707 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret
);
2714 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2716 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2717 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2718 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
2719 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
2721 /* TODO: Support identity hints */
2727 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2728 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2730 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2731 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2732 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_RSA
||
2733 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
)
2735 if( ssl
->conf
->dhm_P
.p
== NULL
|| ssl
->conf
->dhm_G
.p
== NULL
)
2737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
2738 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
2742 * Ephemeral DH parameters:
2745 * opaque dh_p<1..2^16-1>;
2746 * opaque dh_g<1..2^16-1>;
2747 * opaque dh_Ys<1..2^16-1>;
2750 if( ( ret
= mbedtls_mpi_copy( &ssl
->handshake
->dhm_ctx
.P
, &ssl
->conf
->dhm_P
) ) != 0 ||
2751 ( ret
= mbedtls_mpi_copy( &ssl
->handshake
->dhm_ctx
.G
, &ssl
->conf
->dhm_G
) ) != 0 )
2753 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret
);
2757 if( ( ret
= mbedtls_dhm_make_params( &ssl
->handshake
->dhm_ctx
,
2758 (int) mbedtls_mpi_size( &ssl
->handshake
->dhm_ctx
.P
),
2759 p
, &len
, ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
2761 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret
);
2766 dig_signed_len
= len
;
2771 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl
->handshake
->dhm_ctx
.X
);
2772 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl
->handshake
->dhm_ctx
.P
);
2773 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl
->handshake
->dhm_ctx
.G
);
2774 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl
->handshake
->dhm_ctx
.GX
);
2776 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2777 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2779 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
2780 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
||
2781 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
||
2782 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
2785 * Ephemeral ECDH parameters:
2788 * ECParameters curve_params;
2790 * } ServerECDHParams;
2792 const mbedtls_ecp_curve_info
**curve
= NULL
;
2793 const mbedtls_ecp_group_id
*gid
;
2795 /* Match our preference list against the offered curves */
2796 for( gid
= ssl
->conf
->curve_list
; *gid
!= MBEDTLS_ECP_DP_NONE
; gid
++ )
2797 for( curve
= ssl
->handshake
->curves
; *curve
!= NULL
; curve
++ )
2798 if( (*curve
)->grp_id
== *gid
)
2799 goto curve_matching_done
;
2801 curve_matching_done
:
2802 if( curve
== NULL
|| *curve
== NULL
)
2804 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
2805 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
);
2808 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve
)->name
) );
2810 if( ( ret
= mbedtls_ecp_group_load( &ssl
->handshake
->ecdh_ctx
.grp
,
2811 (*curve
)->grp_id
) ) != 0 )
2813 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret
);
2817 if( ( ret
= mbedtls_ecdh_make_params( &ssl
->handshake
->ecdh_ctx
, &len
,
2818 p
, MBEDTLS_SSL_MAX_CONTENT_LEN
- n
,
2819 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
2821 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret
);
2826 dig_signed_len
= len
;
2831 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl
->handshake
->ecdh_ctx
.Q
);
2833 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
2835 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2836 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2837 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2838 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_RSA
||
2839 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
||
2840 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
)
2842 size_t signature_len
= 0;
2843 unsigned int hashlen
= 0;
2844 unsigned char hash
[64];
2845 mbedtls_md_type_t md_alg
= MBEDTLS_MD_NONE
;
2848 * Choose hash algorithm. NONE means MD5 + SHA1 here.
2850 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2851 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2853 md_alg
= mbedtls_ssl_md_alg_from_hash( ssl
->handshake
->sig_alg
);
2855 if( md_alg
== MBEDTLS_MD_NONE
)
2857 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2858 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2862 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2863 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2864 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2865 if( ciphersuite_info
->key_exchange
==
2866 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
)
2868 md_alg
= MBEDTLS_MD_SHA1
;
2873 md_alg
= MBEDTLS_MD_NONE
;
2877 * Compute the hash to be signed
2879 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2880 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2881 if( md_alg
== MBEDTLS_MD_NONE
)
2883 mbedtls_md5_context mbedtls_md5
;
2884 mbedtls_sha1_context mbedtls_sha1
;
2886 mbedtls_md5_init( &mbedtls_md5
);
2887 mbedtls_sha1_init( &mbedtls_sha1
);
2890 * digitally-signed struct {
2891 * opaque md5_hash[16];
2892 * opaque sha_hash[20];
2896 * MD5(ClientHello.random + ServerHello.random
2899 * SHA(ClientHello.random + ServerHello.random
2902 mbedtls_md5_starts( &mbedtls_md5
);
2903 mbedtls_md5_update( &mbedtls_md5
, ssl
->handshake
->randbytes
, 64 );
2904 mbedtls_md5_update( &mbedtls_md5
, dig_signed
, dig_signed_len
);
2905 mbedtls_md5_finish( &mbedtls_md5
, hash
);
2907 mbedtls_sha1_starts( &mbedtls_sha1
);
2908 mbedtls_sha1_update( &mbedtls_sha1
, ssl
->handshake
->randbytes
, 64 );
2909 mbedtls_sha1_update( &mbedtls_sha1
, dig_signed
, dig_signed_len
);
2910 mbedtls_sha1_finish( &mbedtls_sha1
, hash
+ 16 );
2914 mbedtls_md5_free( &mbedtls_md5
);
2915 mbedtls_sha1_free( &mbedtls_sha1
);
2918 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2919 MBEDTLS_SSL_PROTO_TLS1_1 */
2920 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2921 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2922 if( md_alg
!= MBEDTLS_MD_NONE
)
2924 mbedtls_md_context_t ctx
;
2925 const mbedtls_md_info_t
*md_info
= mbedtls_md_info_from_type( md_alg
);
2927 mbedtls_md_init( &ctx
);
2929 /* Info from md_alg will be used instead */
2933 * digitally-signed struct {
2934 * opaque client_random[32];
2935 * opaque server_random[32];
2936 * ServerDHParams params;
2939 if( ( ret
= mbedtls_md_setup( &ctx
, md_info
, 0 ) ) != 0 )
2941 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret
);
2945 mbedtls_md_starts( &ctx
);
2946 mbedtls_md_update( &ctx
, ssl
->handshake
->randbytes
, 64 );
2947 mbedtls_md_update( &ctx
, dig_signed
, dig_signed_len
);
2948 mbedtls_md_finish( &ctx
, hash
);
2949 mbedtls_md_free( &ctx
);
2952 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2953 MBEDTLS_SSL_PROTO_TLS1_2 */
2955 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2956 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2959 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash
, hashlen
!= 0 ? hashlen
:
2960 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg
) ) ) );
2963 * Make the signature
2965 if( mbedtls_ssl_own_key( ssl
) == NULL
)
2967 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
2968 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
2971 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2972 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
2974 *(p
++) = ssl
->handshake
->sig_alg
;
2975 *(p
++) = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl
) );
2979 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2981 if( ( ret
= mbedtls_pk_sign( mbedtls_ssl_own_key( ssl
), md_alg
, hash
, hashlen
,
2982 p
+ 2 , &signature_len
,
2983 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
2985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret
);
2989 *(p
++) = (unsigned char)( signature_len
>> 8 );
2990 *(p
++) = (unsigned char)( signature_len
);
2993 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p
, signature_len
);
2997 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||
2998 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2999 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3001 ssl
->out_msglen
= 4 + n
;
3002 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3003 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
;
3007 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3009 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3013 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3018 static int ssl_write_server_hello_done( mbedtls_ssl_context
*ssl
)
3022 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3024 ssl
->out_msglen
= 4;
3025 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3026 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE
;
3030 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3031 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3032 mbedtls_ssl_send_flight_completed( ssl
);
3035 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3037 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3041 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3046 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3047 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3048 static int ssl_parse_client_dh_public( mbedtls_ssl_context
*ssl
, unsigned char **p
,
3049 const unsigned char *end
)
3051 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
3055 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3060 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3063 n
= ( (*p
)[0] << 8 ) | (*p
)[1];
3068 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3069 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3072 if( ( ret
= mbedtls_dhm_read_public( &ssl
->handshake
->dhm_ctx
, *p
, n
) ) != 0 )
3074 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret
);
3075 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3080 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl
->handshake
->dhm_ctx
.GY
);
3084 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3085 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3087 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3088 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3089 static int ssl_parse_encrypted_pms( mbedtls_ssl_context
*ssl
,
3090 const unsigned char *p
,
3091 const unsigned char *end
,
3095 size_t len
= mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl
) );
3096 unsigned char *pms
= ssl
->handshake
->premaster
+ pms_offset
;
3097 unsigned char ver
[2];
3098 unsigned char fake_pms
[48], peer_pms
[48];
3100 size_t i
, peer_pmslen
;
3103 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl
), MBEDTLS_PK_RSA
) )
3105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3106 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
3110 * Decrypt the premaster using own private RSA key
3112 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3113 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3114 if( ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
3116 if( *p
++ != ( ( len
>> 8 ) & 0xFF ) ||
3117 *p
++ != ( ( len
) & 0xFF ) )
3119 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3120 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3125 if( p
+ len
!= end
)
3127 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3128 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3131 mbedtls_ssl_write_version( ssl
->handshake
->max_major_ver
,
3132 ssl
->handshake
->max_minor_ver
,
3133 ssl
->conf
->transport
, ver
);
3136 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3137 * must not cause the connection to end immediately; instead, send a
3138 * bad_record_mac later in the handshake.
3139 * Also, avoid data-dependant branches here to protect against
3140 * timing-based variants.
3142 ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, fake_pms
, sizeof( fake_pms
) );
3146 ret
= mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl
), p
, len
,
3147 peer_pms
, &peer_pmslen
,
3149 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
3151 diff
= (unsigned int) ret
;
3152 diff
|= peer_pmslen
^ 48;
3153 diff
|= peer_pms
[0] ^ ver
[0];
3154 diff
|= peer_pms
[1] ^ ver
[1];
3156 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3161 if( sizeof( ssl
->handshake
->premaster
) < pms_offset
||
3162 sizeof( ssl
->handshake
->premaster
) - pms_offset
< 48 )
3164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3165 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3167 ssl
->handshake
->pmslen
= 48;
3169 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3170 /* MSVC has a warning about unary minus on unsigned, but this is
3171 * well-defined and precisely what we want to do here */
3172 #if defined(_MSC_VER)
3173 #pragma warning( push )
3174 #pragma warning( disable : 4146 )
3176 mask
= - ( ( diff
| - diff
) >> ( sizeof( unsigned int ) * 8 - 1 ) );
3177 #if defined(_MSC_VER)
3178 #pragma warning( pop )
3181 for( i
= 0; i
< ssl
->handshake
->pmslen
; i
++ )
3182 pms
[i
] = ( mask
& fake_pms
[i
] ) | ( (~mask
) & peer_pms
[i
] );
3186 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3187 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3189 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3190 static int ssl_parse_client_psk_identity( mbedtls_ssl_context
*ssl
, unsigned char **p
,
3191 const unsigned char *end
)
3196 if( ssl
->conf
->f_psk
== NULL
&&
3197 ( ssl
->conf
->psk
== NULL
|| ssl
->conf
->psk_identity
== NULL
||
3198 ssl
->conf
->psk_identity_len
== 0 || ssl
->conf
->psk_len
== 0 ) )
3200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3201 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
);
3205 * Receive client pre-shared key identity name
3209 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3210 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3213 n
= ( (*p
)[0] << 8 ) | (*p
)[1];
3216 if( n
< 1 || n
> 65535 || *p
+ n
> end
)
3218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3219 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3222 if( ssl
->conf
->f_psk
!= NULL
)
3224 if( ssl
->conf
->f_psk( ssl
->conf
->p_psk
, ssl
, *p
, n
) != 0 )
3225 ret
= MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
;
3229 /* Identity is not a big secret since clients send it in the clear,
3230 * but treat it carefully anyway, just in case */
3231 if( n
!= ssl
->conf
->psk_identity_len
||
3232 mbedtls_ssl_safer_memcmp( ssl
->conf
->psk_identity
, *p
, n
) != 0 )
3234 ret
= MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
;
3238 if( ret
== MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
)
3240 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p
, n
);
3241 if( ( ret
= mbedtls_ssl_send_alert_message( ssl
,
3242 MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
3243 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
) ) != 0 )
3248 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
);
3255 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3257 static int ssl_parse_client_key_exchange( mbedtls_ssl_context
*ssl
)
3260 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
;
3261 unsigned char *p
, *end
;
3263 ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
3265 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3267 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
3269 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
3273 p
= ssl
->in_msg
+ mbedtls_ssl_hs_hdr_len( ssl
);
3274 end
= ssl
->in_msg
+ ssl
->in_hslen
;
3276 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
)
3278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3279 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3282 if( ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
)
3284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3285 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3288 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3289 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_RSA
)
3291 if( ( ret
= ssl_parse_client_dh_public( ssl
, &p
, end
) ) != 0 )
3293 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret
);
3299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3300 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3303 if( ( ret
= mbedtls_dhm_calc_secret( &ssl
->handshake
->dhm_ctx
,
3304 ssl
->handshake
->premaster
,
3305 MBEDTLS_PREMASTER_SIZE
,
3306 &ssl
->handshake
->pmslen
,
3307 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3309 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret
);
3310 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
);
3313 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl
->handshake
->dhm_ctx
.K
);
3316 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3317 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3318 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3319 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3320 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3321 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
||
3322 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
||
3323 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA
||
3324 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
)
3326 if( ( ret
= mbedtls_ecdh_read_public( &ssl
->handshake
->ecdh_ctx
,
3327 p
, end
- p
) ) != 0 )
3329 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret
);
3330 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3333 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl
->handshake
->ecdh_ctx
.Qp
);
3335 if( ( ret
= mbedtls_ecdh_calc_secret( &ssl
->handshake
->ecdh_ctx
,
3336 &ssl
->handshake
->pmslen
,
3337 ssl
->handshake
->premaster
,
3338 MBEDTLS_MPI_MAX_SIZE
,
3339 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
3341 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret
);
3342 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
);
3345 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl
->handshake
->ecdh_ctx
.z
);
3348 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3349 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3350 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3351 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3352 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3353 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
)
3355 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3357 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3364 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3367 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3368 ciphersuite_info
->key_exchange
) ) != 0 )
3370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3375 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3376 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3377 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
)
3379 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3381 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3385 if( ( ret
= ssl_parse_encrypted_pms( ssl
, p
, end
, 2 ) ) != 0 )
3387 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret
);
3391 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3392 ciphersuite_info
->key_exchange
) ) != 0 )
3394 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3399 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3400 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3401 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
)
3403 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3405 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3408 if( ( ret
= ssl_parse_client_dh_public( ssl
, &p
, end
) ) != 0 )
3410 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret
);
3416 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3417 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
);
3420 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3421 ciphersuite_info
->key_exchange
) ) != 0 )
3423 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3428 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3429 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3430 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
3432 if( ( ret
= ssl_parse_client_psk_identity( ssl
, &p
, end
) ) != 0 )
3434 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret
);
3438 if( ( ret
= mbedtls_ecdh_read_public( &ssl
->handshake
->ecdh_ctx
,
3439 p
, end
- p
) ) != 0 )
3441 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret
);
3442 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
);
3445 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl
->handshake
->ecdh_ctx
.Qp
);
3447 if( ( ret
= mbedtls_ssl_psk_derive_premaster( ssl
,
3448 ciphersuite_info
->key_exchange
) ) != 0 )
3450 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret
);
3455 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3456 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3457 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA
)
3459 if( ( ret
= ssl_parse_encrypted_pms( ssl
, p
, end
, 0 ) ) != 0 )
3461 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret
);
3466 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3467 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3468 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
3470 ret
= mbedtls_ecjpake_read_round_two( &ssl
->handshake
->ecjpake_ctx
,
3474 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret
);
3475 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
);
3478 ret
= mbedtls_ecjpake_derive_secret( &ssl
->handshake
->ecjpake_ctx
,
3479 ssl
->handshake
->premaster
, 32, &ssl
->handshake
->pmslen
,
3480 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
);
3483 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret
);
3488 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3491 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3494 if( ( ret
= mbedtls_ssl_derive_keys( ssl
) ) != 0 )
3496 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret
);
3502 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
3507 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3508 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3509 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3510 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3511 static int ssl_parse_certificate_verify( mbedtls_ssl_context
*ssl
)
3513 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
3515 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3517 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
3518 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
3519 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
3520 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
3521 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
3523 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3529 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3532 static int ssl_parse_certificate_verify( mbedtls_ssl_context
*ssl
)
3534 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
3536 unsigned char hash
[48];
3537 unsigned char *hash_start
= hash
;
3539 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3540 mbedtls_pk_type_t pk_alg
;
3542 mbedtls_md_type_t md_alg
;
3543 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
3545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
3547 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
3548 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
||
3549 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
3550 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
3551 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
||
3552 ssl
->session_negotiate
->peer_cert
== NULL
)
3554 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
3559 /* Needs to be done before read_record() to exclude current message */
3560 ssl
->handshake
->calc_verify( ssl
, hash
);
3562 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
3564 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
3570 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
||
3571 ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
)
3573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3574 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3577 i
= mbedtls_ssl_hs_hdr_len( ssl
);
3581 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
3582 * opaque signature<0..2^16-1>;
3583 * } DigitallySigned;
3585 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3586 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3587 if( ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_3
)
3589 md_alg
= MBEDTLS_MD_NONE
;
3592 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
3593 if( mbedtls_pk_can_do( &ssl
->session_negotiate
->peer_cert
->pk
,
3594 MBEDTLS_PK_ECDSA
) )
3598 md_alg
= MBEDTLS_MD_SHA1
;
3602 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
3603 MBEDTLS_SSL_PROTO_TLS1_1 */
3604 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3605 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
3607 if( i
+ 2 > ssl
->in_hslen
)
3609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3610 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3616 if( ssl
->in_msg
[i
] != ssl
->handshake
->verify_sig_alg
)
3618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3619 " for verify message" ) );
3620 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3623 md_alg
= mbedtls_ssl_md_alg_from_hash( ssl
->handshake
->verify_sig_alg
);
3625 /* Info from md_alg will be used instead */
3633 if( ( pk_alg
= mbedtls_ssl_pk_alg_from_sig( ssl
->in_msg
[i
] ) )
3634 == MBEDTLS_PK_NONE
)
3636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
3637 " for verify message" ) );
3638 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3642 * Check the certificate's key type matches the signature alg
3644 if( ! mbedtls_pk_can_do( &ssl
->session_negotiate
->peer_cert
->pk
, pk_alg
) )
3646 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
3647 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3653 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3655 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3656 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3659 if( i
+ 2 > ssl
->in_hslen
)
3661 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3662 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3665 sig_len
= ( ssl
->in_msg
[i
] << 8 ) | ssl
->in_msg
[i
+1];
3668 if( i
+ sig_len
!= ssl
->in_hslen
)
3670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
3671 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
);
3674 if( ( ret
= mbedtls_pk_verify( &ssl
->session_negotiate
->peer_cert
->pk
,
3675 md_alg
, hash_start
, hashlen
,
3676 ssl
->in_msg
+ i
, sig_len
) ) != 0 )
3678 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret
);
3682 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
3686 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3687 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3688 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
3690 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3691 static int ssl_write_new_session_ticket( mbedtls_ssl_context
*ssl
)
3697 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
3699 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
3700 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET
;
3704 * uint32 ticket_lifetime_hint;
3705 * opaque ticket<0..2^16-1>;
3706 * } NewSessionTicket;
3708 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
3709 * 8 . 9 ticket_len (n)
3710 * 10 . 9+n ticket content
3713 if( ( ret
= ssl
->conf
->f_ticket_write( ssl
->conf
->p_ticket
,
3714 ssl
->session_negotiate
,
3716 ssl
->out_msg
+ MBEDTLS_SSL_MAX_CONTENT_LEN
,
3717 &tlen
, &lifetime
) ) != 0 )
3719 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret
);
3723 ssl
->out_msg
[4] = ( lifetime
>> 24 ) & 0xFF;
3724 ssl
->out_msg
[5] = ( lifetime
>> 16 ) & 0xFF;
3725 ssl
->out_msg
[6] = ( lifetime
>> 8 ) & 0xFF;
3726 ssl
->out_msg
[7] = ( lifetime
) & 0xFF;
3728 ssl
->out_msg
[8] = (unsigned char)( ( tlen
>> 8 ) & 0xFF );
3729 ssl
->out_msg
[9] = (unsigned char)( ( tlen
) & 0xFF );
3731 ssl
->out_msglen
= 10 + tlen
;
3734 * Morally equivalent to updating ssl->state, but NewSessionTicket and
3735 * ChangeCipherSpec share the same state.
3737 ssl
->handshake
->new_session_ticket
= 0;
3739 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
3741 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
3745 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
3749 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3752 * SSL handshake -- server side -- single step
3754 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context
*ssl
)
3758 if( ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
|| ssl
->handshake
== NULL
)
3759 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
3761 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl
->state
) );
3763 if( ( ret
= mbedtls_ssl_flush_output( ssl
) ) != 0 )
3766 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3767 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
3768 ssl
->handshake
->retransmit_state
== MBEDTLS_SSL_RETRANS_SENDING
)
3770 if( ( ret
= mbedtls_ssl_resend( ssl
) ) != 0 )
3775 switch( ssl
->state
)
3777 case MBEDTLS_SSL_HELLO_REQUEST
:
3778 ssl
->state
= MBEDTLS_SSL_CLIENT_HELLO
;
3784 case MBEDTLS_SSL_CLIENT_HELLO
:
3785 ret
= ssl_parse_client_hello( ssl
);
3788 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3789 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
:
3790 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
);
3796 * ( ServerKeyExchange )
3797 * ( CertificateRequest )
3800 case MBEDTLS_SSL_SERVER_HELLO
:
3801 ret
= ssl_write_server_hello( ssl
);
3804 case MBEDTLS_SSL_SERVER_CERTIFICATE
:
3805 ret
= mbedtls_ssl_write_certificate( ssl
);
3808 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE
:
3809 ret
= ssl_write_server_key_exchange( ssl
);
3812 case MBEDTLS_SSL_CERTIFICATE_REQUEST
:
3813 ret
= ssl_write_certificate_request( ssl
);
3816 case MBEDTLS_SSL_SERVER_HELLO_DONE
:
3817 ret
= ssl_write_server_hello_done( ssl
);
3821 * <== ( Certificate/Alert )
3823 * ( CertificateVerify )
3827 case MBEDTLS_SSL_CLIENT_CERTIFICATE
:
3828 ret
= mbedtls_ssl_parse_certificate( ssl
);
3831 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
:
3832 ret
= ssl_parse_client_key_exchange( ssl
);
3835 case MBEDTLS_SSL_CERTIFICATE_VERIFY
:
3836 ret
= ssl_parse_certificate_verify( ssl
);
3839 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
:
3840 ret
= mbedtls_ssl_parse_change_cipher_spec( ssl
);
3843 case MBEDTLS_SSL_CLIENT_FINISHED
:
3844 ret
= mbedtls_ssl_parse_finished( ssl
);
3848 * ==> ( NewSessionTicket )
3852 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
:
3853 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3854 if( ssl
->handshake
->new_session_ticket
!= 0 )
3855 ret
= ssl_write_new_session_ticket( ssl
);
3858 ret
= mbedtls_ssl_write_change_cipher_spec( ssl
);
3861 case MBEDTLS_SSL_SERVER_FINISHED
:
3862 ret
= mbedtls_ssl_write_finished( ssl
);
3865 case MBEDTLS_SSL_FLUSH_BUFFERS
:
3866 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3867 ssl
->state
= MBEDTLS_SSL_HANDSHAKE_WRAPUP
;
3870 case MBEDTLS_SSL_HANDSHAKE_WRAPUP
:
3871 mbedtls_ssl_handshake_wrapup( ssl
);
3875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl
->state
) );
3876 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
3881 #endif /* MBEDTLS_SSL_SRV_C */