2 * SSLv3/TLSv1 server-side functions
\r
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
\r
5 * SPDX-License-Identifier: Apache-2.0
\r
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
\r
8 * not use this file except in compliance with the License.
\r
9 * You may obtain a copy of the License at
\r
11 * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * Unless required by applicable law or agreed to in writing, software
\r
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
\r
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * See the License for the specific language governing permissions and
\r
17 * limitations under the License.
\r
19 * This file is part of mbed TLS (https://tls.mbed.org)
\r
22 #if !defined(MBEDTLS_CONFIG_FILE)
\r
23 #include "mbedtls/config.h"
\r
25 #include MBEDTLS_CONFIG_FILE
\r
28 #if defined(MBEDTLS_SSL_SRV_C)
\r
30 #if defined(MBEDTLS_PLATFORM_C)
\r
31 #include "mbedtls/platform.h"
\r
34 #define mbedtls_calloc calloc
\r
35 #define mbedtls_free free
\r
38 #include "mbedtls/debug.h"
\r
39 #include "mbedtls/ssl.h"
\r
40 #include "mbedtls/ssl_internal.h"
\r
41 #include "mbedtls/platform_util.h"
\r
45 #if defined(MBEDTLS_ECP_C)
\r
46 #include "mbedtls/ecp.h"
\r
49 #if defined(MBEDTLS_HAVE_TIME)
\r
50 #include "mbedtls/platform_time.h"
\r
53 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
\r
54 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
\r
55 const unsigned char *info,
\r
58 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
\r
59 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
\r
61 mbedtls_free( ssl->cli_id );
\r
63 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
\r
64 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
\r
66 memcpy( ssl->cli_id, info, ilen );
\r
67 ssl->cli_id_len = ilen;
\r
72 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
\r
73 mbedtls_ssl_cookie_write_t *f_cookie_write,
\r
74 mbedtls_ssl_cookie_check_t *f_cookie_check,
\r
77 conf->f_cookie_write = f_cookie_write;
\r
78 conf->f_cookie_check = f_cookie_check;
\r
79 conf->p_cookie = p_cookie;
\r
81 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
\r
83 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
\r
84 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
\r
85 const unsigned char *buf,
\r
89 size_t servername_list_size, hostname_len;
\r
90 const unsigned char *p;
\r
92 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
\r
96 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
97 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
98 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
99 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
101 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
\r
102 if( servername_list_size + 2 != len )
\r
104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
105 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
106 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
107 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
111 while( servername_list_size > 2 )
\r
113 hostname_len = ( ( p[1] << 8 ) | p[2] );
\r
114 if( hostname_len + 3 > servername_list_size )
\r
116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
117 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
118 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
119 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
122 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
\r
124 ret = ssl->conf->f_sni( ssl->conf->p_sni,
\r
125 ssl, p + 3, hostname_len );
\r
128 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
\r
129 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
130 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
\r
131 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
136 servername_list_size -= hostname_len + 3;
\r
137 p += hostname_len + 3;
\r
140 if( servername_list_size != 0 )
\r
142 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
143 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
144 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
145 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
150 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
\r
152 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
\r
153 static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
\r
155 if( conf->f_psk != NULL )
\r
158 if( conf->psk_identity_len == 0 || conf->psk_identity == NULL )
\r
161 if( conf->psk != NULL && conf->psk_len != 0 )
\r
164 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
165 if( conf->psk_opaque != 0 )
\r
167 #endif /* MBEDTLS_USE_PSA_CRYPTO */
\r
172 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
173 static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
\r
175 if( ssl->conf->f_psk != NULL )
\r
177 /* If we've used a callback to select the PSK,
\r
178 * the static configuration is irrelevant. */
\r
180 if( ssl->handshake->psk_opaque != 0 )
\r
186 if( ssl->conf->psk_opaque != 0 )
\r
191 #endif /* MBEDTLS_USE_PSA_CRYPTO */
\r
192 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
\r
194 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
\r
195 const unsigned char *buf,
\r
198 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
199 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
\r
201 /* Check verify-data in constant-time. The length OTOH is no secret */
\r
202 if( len != 1 + ssl->verify_data_len ||
\r
203 buf[0] != ssl->verify_data_len ||
\r
204 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
\r
205 ssl->verify_data_len ) != 0 )
\r
207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
\r
208 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
209 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
210 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
214 #endif /* MBEDTLS_SSL_RENEGOTIATION */
\r
216 if( len != 1 || buf[0] != 0x0 )
\r
218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
\r
219 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
220 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
221 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
224 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
\r
230 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
231 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
234 * Status of the implementation of signature-algorithms extension:
\r
236 * Currently, we are only considering the signature-algorithm extension
\r
237 * to pick a ciphersuite which allows us to send the ServerKeyExchange
\r
238 * message with a signature-hash combination that the user allows.
\r
240 * We do *not* check whether all certificates in our certificate
\r
241 * chain are signed with an allowed signature-hash pair.
\r
242 * This needs to be done at a later stage.
\r
245 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
\r
246 const unsigned char *buf,
\r
249 size_t sig_alg_list_size;
\r
251 const unsigned char *p;
\r
252 const unsigned char *end = buf + len;
\r
254 mbedtls_md_type_t md_cur;
\r
255 mbedtls_pk_type_t sig_cur;
\r
258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
259 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
261 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
263 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
\r
264 if( sig_alg_list_size + 2 != len ||
\r
265 sig_alg_list_size % 2 != 0 )
\r
267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
268 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
269 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
270 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
273 /* Currently we only guarantee signing the ServerKeyExchange message according
\r
274 * to the constraints specified in this extension (see above), so it suffices
\r
275 * to remember only one suitable hash for each possible signature algorithm.
\r
277 * This will change when we also consider certificate signatures,
\r
278 * in which case we will need to remember the whole signature-hash
\r
279 * pair list from the extension.
\r
282 for( p = buf + 2; p < end; p += 2 )
\r
284 /* Silently ignore unknown signature or hash algorithms. */
\r
286 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
\r
288 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
\r
289 " unknown sig alg encoding %d", p[1] ) );
\r
293 /* Check if we support the hash the user proposes */
\r
294 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
\r
295 if( md_cur == MBEDTLS_MD_NONE )
\r
297 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
\r
298 " unknown hash alg encoding %d", p[0] ) );
\r
302 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
\r
304 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
\r
305 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
\r
306 " match sig %d and hash %d",
\r
307 sig_cur, md_cur ) );
\r
311 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
\r
312 "hash alg %d not supported", md_cur ) );
\r
318 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
\r
319 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
\r
321 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
\r
322 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
323 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
\r
324 const unsigned char *buf,
\r
327 size_t list_size, our_size;
\r
328 const unsigned char *p;
\r
329 const mbedtls_ecp_curve_info *curve_info, **curves;
\r
332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
333 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
334 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
335 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
337 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
\r
338 if( list_size + 2 != len ||
\r
339 list_size % 2 != 0 )
\r
341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
342 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
343 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
344 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
347 /* Should never happen unless client duplicates the extension */
\r
348 if( ssl->handshake->curves != NULL )
\r
350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
351 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
352 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
353 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
356 /* Don't allow our peer to make us allocate too much memory,
\r
357 * and leave room for a final 0 */
\r
358 our_size = list_size / 2 + 1;
\r
359 if( our_size > MBEDTLS_ECP_DP_MAX )
\r
360 our_size = MBEDTLS_ECP_DP_MAX;
\r
362 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
\r
364 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
365 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
\r
366 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
\r
369 ssl->handshake->curves = curves;
\r
372 while( list_size > 0 && our_size > 1 )
\r
374 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
\r
376 if( curve_info != NULL )
\r
378 *curves++ = curve_info;
\r
389 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
\r
390 const unsigned char *buf,
\r
394 const unsigned char *p;
\r
396 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
\r
398 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
399 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
400 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
401 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
403 list_size = buf[0];
\r
406 while( list_size > 0 )
\r
408 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
\r
409 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
\r
411 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
\r
412 ssl->handshake->ecdh_ctx.point_format = p[0];
\r
414 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
415 ssl->handshake->ecjpake_ctx.point_format = p[0];
\r
417 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
\r
427 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
\r
428 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
430 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
431 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
\r
432 const unsigned char *buf,
\r
437 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
\r
439 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
\r
443 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
\r
444 buf, len ) ) != 0 )
\r
446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
\r
447 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
448 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
452 /* Only mark the extension as OK when we're sure it is */
\r
453 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
\r
457 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
459 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
\r
460 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
\r
461 const unsigned char *buf,
\r
464 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
\r
466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
467 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
468 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
469 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
472 ssl->session_negotiate->mfl_code = buf[0];
\r
476 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
\r
478 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
479 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
\r
480 const unsigned char *buf,
\r
483 size_t peer_cid_len;
\r
485 /* CID extension only makes sense in DTLS */
\r
486 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
489 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
490 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
491 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
495 * Quoting draft-ietf-tls-dtls-connection-id-05
\r
496 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
\r
499 * opaque cid<0..2^8-1>;
\r
505 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
506 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
507 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
508 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
511 peer_cid_len = *buf++;
\r
514 if( len != peer_cid_len )
\r
516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
517 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
518 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
519 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
522 /* Ignore CID if the user has disabled its use. */
\r
523 if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
\r
525 /* Leave ssl->handshake->cid_in_use in its default
\r
526 * value of MBEDTLS_SSL_CID_DISABLED. */
\r
527 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) );
\r
531 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
\r
533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
534 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
535 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
536 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
539 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
\r
540 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
\r
541 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
\r
543 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
\r
544 MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len );
\r
548 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
\r
550 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
\r
551 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
\r
552 const unsigned char *buf,
\r
557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
558 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
559 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
560 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
565 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
\r
566 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
\r
570 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
\r
572 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
\r
573 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
\r
574 const unsigned char *buf,
\r
579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
580 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
587 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
\r
588 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
\r
590 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
\r
595 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
\r
597 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
\r
598 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
\r
599 const unsigned char *buf,
\r
604 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
605 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
606 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
607 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
612 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
\r
613 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
\r
615 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
\r
620 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
\r
622 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
623 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
\r
624 unsigned char *buf,
\r
628 mbedtls_ssl_session session;
\r
630 mbedtls_ssl_session_init( &session );
\r
632 if( ssl->conf->f_ticket_parse == NULL ||
\r
633 ssl->conf->f_ticket_write == NULL )
\r
638 /* Remember the client asked us to send a new ticket */
\r
639 ssl->handshake->new_session_ticket = 1;
\r
641 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
\r
646 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
647 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
\r
649 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
\r
652 #endif /* MBEDTLS_SSL_RENEGOTIATION */
\r
655 * Failures are ok: just ignore the ticket and proceed.
\r
657 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
\r
658 buf, len ) ) != 0 )
\r
660 mbedtls_ssl_session_free( &session );
\r
662 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
\r
663 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
\r
664 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
\r
665 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
\r
667 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
\r
673 * Keep the session ID sent by the client, since we MUST send it back to
\r
674 * inform them we're accepting the ticket (RFC 5077 section 3.4)
\r
676 session.id_len = ssl->session_negotiate->id_len;
\r
677 memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
\r
679 mbedtls_ssl_session_free( ssl->session_negotiate );
\r
680 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
\r
682 /* Zeroize instead of free as we copied the content */
\r
683 mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
\r
685 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
\r
687 ssl->handshake->resume = 1;
\r
689 /* Don't send a new ticket after all, this one is OK */
\r
690 ssl->handshake->new_session_ticket = 0;
\r
694 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
\r
696 #if defined(MBEDTLS_SSL_ALPN)
\r
697 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
\r
698 const unsigned char *buf, size_t len )
\r
700 size_t list_len, cur_len, ours_len;
\r
701 const unsigned char *theirs, *start, *end;
\r
704 /* If ALPN not configured, just ignore the extension */
\r
705 if( ssl->conf->alpn_list == NULL )
\r
709 * opaque ProtocolName<1..2^8-1>;
\r
712 * ProtocolName protocol_name_list<2..2^16-1>
\r
713 * } ProtocolNameList;
\r
716 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
\r
719 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
720 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
721 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
724 list_len = ( buf[0] << 8 ) | buf[1];
\r
725 if( list_len != len - 2 )
\r
727 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
728 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
729 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
733 * Validate peer's list (lengths)
\r
737 for( theirs = start; theirs != end; theirs += cur_len )
\r
739 cur_len = *theirs++;
\r
741 /* Current identifier must fit in list */
\r
742 if( cur_len > (size_t)( end - theirs ) )
\r
744 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
745 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
746 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
749 /* Empty strings MUST NOT be included */
\r
752 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
753 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
\r
754 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
759 * Use our order of preference
\r
761 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
\r
763 ours_len = strlen( *ours );
\r
764 for( theirs = start; theirs != end; theirs += cur_len )
\r
766 cur_len = *theirs++;
\r
768 if( cur_len == ours_len &&
\r
769 memcmp( theirs, *ours, cur_len ) == 0 )
\r
771 ssl->alpn_chosen = *ours;
\r
777 /* If we get there, no match was found */
\r
778 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
779 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
\r
780 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
782 #endif /* MBEDTLS_SSL_ALPN */
\r
785 * Auxiliary functions for ServerHello parsing and related actions
\r
788 #if defined(MBEDTLS_X509_CRT_PARSE_C)
\r
790 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
\r
792 #if defined(MBEDTLS_ECDSA_C)
\r
793 static int ssl_check_key_curve( mbedtls_pk_context *pk,
\r
794 const mbedtls_ecp_curve_info **curves )
\r
796 const mbedtls_ecp_curve_info **crv = curves;
\r
797 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
\r
799 while( *crv != NULL )
\r
801 if( (*crv)->grp_id == grp_id )
\r
808 #endif /* MBEDTLS_ECDSA_C */
\r
811 * Try picking a certificate for this ciphersuite,
\r
812 * return 0 on success and -1 on failure.
\r
814 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
\r
815 const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
\r
817 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
\r
818 mbedtls_pk_type_t pk_alg =
\r
819 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
\r
822 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
\r
823 if( ssl->handshake->sni_key_cert != NULL )
\r
824 list = ssl->handshake->sni_key_cert;
\r
827 list = ssl->conf->key_cert;
\r
829 if( pk_alg == MBEDTLS_PK_NONE )
\r
832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
\r
836 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
\r
840 for( cur = list; cur != NULL; cur = cur->next )
\r
842 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
\r
845 if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
\r
847 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
\r
852 * This avoids sending the client a cert it'll reject based on
\r
853 * keyUsage or other extensions.
\r
855 * It also allows the user to provision different certificates for
\r
856 * different uses based on keyUsage, eg if they want to avoid signing
\r
857 * and decrypting with the same RSA key.
\r
859 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
\r
860 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
\r
862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
\r
863 "(extended) key usage extension" ) );
\r
867 #if defined(MBEDTLS_ECDSA_C)
\r
868 if( pk_alg == MBEDTLS_PK_ECDSA &&
\r
869 ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
\r
871 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
\r
877 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
\r
878 * present them a SHA-higher cert rather than failing if it's the only
\r
879 * one we got that satisfies the other conditions.
\r
881 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
\r
882 cur->cert->sig_md != MBEDTLS_MD_SHA1 )
\r
884 if( fallback == NULL )
\r
887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
\r
888 "sha-2 with pre-TLS 1.2 client" ) );
\r
893 /* If we get there, we got a winner */
\r
900 /* Do not update ssl->handshake->key_cert unless there is a match */
\r
903 ssl->handshake->key_cert = cur;
\r
904 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
\r
905 ssl->handshake->key_cert->cert );
\r
911 #endif /* MBEDTLS_X509_CRT_PARSE_C */
\r
914 * Check if a given ciphersuite is suitable for use with our config/keys/etc
\r
915 * Sets ciphersuite_info only if the suite matches.
\r
917 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
\r
918 const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
\r
920 const mbedtls_ssl_ciphersuite_t *suite_info;
\r
922 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
923 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
924 mbedtls_pk_type_t sig_type;
\r
927 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
\r
928 if( suite_info == NULL )
\r
930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
931 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
\r
936 if( suite_info->min_minor_ver > ssl->minor_ver ||
\r
937 suite_info->max_minor_ver < ssl->minor_ver )
\r
939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
\r
943 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
944 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
\r
945 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
\r
949 #if defined(MBEDTLS_ARC4_C)
\r
950 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
\r
951 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
\r
953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
\r
958 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
959 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
\r
960 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
\r
962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
\r
963 "not configured or ext missing" ) );
\r
969 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
\r
970 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
\r
971 ( ssl->handshake->curves == NULL ||
\r
972 ssl->handshake->curves[0] == NULL ) )
\r
974 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
\r
975 "no common elliptic curve" ) );
\r
980 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
\r
981 /* If the ciphersuite requires a pre-shared key and we don't
\r
982 * have one, skip it now rather than failing later */
\r
983 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
\r
984 ssl_conf_has_psk_or_cb( ssl->conf ) == 0 )
\r
986 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
\r
991 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
992 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
993 /* If the ciphersuite requires signing, check whether
\r
994 * a suitable hash algorithm is present. */
\r
995 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
\r
997 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
\r
998 if( sig_type != MBEDTLS_PK_NONE &&
\r
999 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
\r
1001 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
\r
1002 "for signature algorithm %d", sig_type ) );
\r
1007 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
\r
1008 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
\r
1010 #if defined(MBEDTLS_X509_CRT_PARSE_C)
\r
1012 * Final check: if ciphersuite requires us to have a
\r
1013 * certificate/key of a particular type:
\r
1014 * - select the appropriate certificate if we have one, or
\r
1015 * - try the next ciphersuite if we don't
\r
1016 * This must be done last since we modify the key_cert list.
\r
1018 if( ssl_pick_cert( ssl, suite_info ) != 0 )
\r
1020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
\r
1021 "no suitable certificate" ) );
\r
1026 *ciphersuite_info = suite_info;
\r
1030 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
\r
1031 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
\r
1033 int ret, got_common_suite;
\r
1034 unsigned int i, j;
\r
1036 unsigned int ciph_len, sess_len, chal_len;
\r
1037 unsigned char *buf, *p;
\r
1038 const int *ciphersuites;
\r
1039 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
\r
1041 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
\r
1043 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1044 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
\r
1046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
\r
1047 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1048 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
1049 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1051 #endif /* MBEDTLS_SSL_RENEGOTIATION */
\r
1053 buf = ssl->in_hdr;
\r
1055 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
\r
1057 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
\r
1059 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
\r
1060 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
\r
1061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
\r
1062 buf[3], buf[4] ) );
\r
1065 * SSLv2 Client Hello
\r
1068 * 0 . 1 message length
\r
1071 * 2 . 2 message type
\r
1072 * 3 . 4 protocol version
\r
1074 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
\r
1075 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
\r
1077 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1078 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1081 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
\r
1083 if( n < 17 || n > 512 )
\r
1085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1086 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1089 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
\r
1090 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
\r
1091 ? buf[4] : ssl->conf->max_minor_ver;
\r
1093 if( ssl->minor_ver < ssl->conf->min_minor_ver )
\r
1095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
\r
1096 " [%d:%d] < [%d:%d]",
\r
1097 ssl->major_ver, ssl->minor_ver,
\r
1098 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
\r
1100 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1101 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
\r
1102 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
\r
1105 ssl->handshake->max_major_ver = buf[3];
\r
1106 ssl->handshake->max_minor_ver = buf[4];
\r
1108 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
\r
1110 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
\r
1114 ssl->handshake->update_checksum( ssl, buf + 2, n );
\r
1116 buf = ssl->in_msg;
\r
1117 n = ssl->in_left - 5;
\r
1120 * 0 . 1 ciphersuitelist length
\r
1121 * 2 . 3 session id length
\r
1122 * 4 . 5 challenge length
\r
1123 * 6 . .. ciphersuitelist
\r
1124 * .. . .. session id
\r
1125 * .. . .. challenge
\r
1127 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
\r
1129 ciph_len = ( buf[0] << 8 ) | buf[1];
\r
1130 sess_len = ( buf[2] << 8 ) | buf[3];
\r
1131 chal_len = ( buf[4] << 8 ) | buf[5];
\r
1133 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
\r
1134 ciph_len, sess_len, chal_len ) );
\r
1137 * Make sure each parameter length is valid
\r
1139 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
\r
1141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1142 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1145 if( sess_len > 32 )
\r
1147 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1148 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1151 if( chal_len < 8 || chal_len > 32 )
\r
1153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1154 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1157 if( n != 6 + ciph_len + sess_len + chal_len )
\r
1159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1160 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1163 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
\r
1164 buf + 6, ciph_len );
\r
1165 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
\r
1166 buf + 6 + ciph_len, sess_len );
\r
1167 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
\r
1168 buf + 6 + ciph_len + sess_len, chal_len );
\r
1170 p = buf + 6 + ciph_len;
\r
1171 ssl->session_negotiate->id_len = sess_len;
\r
1172 memset( ssl->session_negotiate->id, 0,
\r
1173 sizeof( ssl->session_negotiate->id ) );
\r
1174 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
\r
1177 memset( ssl->handshake->randbytes, 0, 64 );
\r
1178 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
\r
1181 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
\r
1183 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
\r
1185 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
\r
1187 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
\r
1188 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1189 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
\r
1191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
\r
1192 "during renegotiation" ) );
\r
1194 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1195 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
1196 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1198 #endif /* MBEDTLS_SSL_RENEGOTIATION */
\r
1199 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
\r
1204 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
\r
1205 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
\r
1208 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
\r
1209 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
\r
1211 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
\r
1213 if( ssl->minor_ver < ssl->conf->max_minor_ver )
\r
1215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
\r
1217 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1218 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
\r
1220 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1226 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
\r
1228 got_common_suite = 0;
\r
1229 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
\r
1230 ciphersuite_info = NULL;
\r
1231 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
\r
1232 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
\r
1233 for( i = 0; ciphersuites[i] != 0; i++ )
\r
1235 for( i = 0; ciphersuites[i] != 0; i++ )
\r
1236 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
\r
1240 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
\r
1241 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
\r
1244 got_common_suite = 1;
\r
1246 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
\r
1247 &ciphersuite_info ) ) != 0 )
\r
1250 if( ciphersuite_info != NULL )
\r
1251 goto have_ciphersuite_v2;
\r
1254 if( got_common_suite )
\r
1256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
\r
1257 "but none of them usable" ) );
\r
1258 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
\r
1262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
\r
1263 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
\r
1266 have_ciphersuite_v2:
\r
1267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
\r
1269 ssl->session_negotiate->ciphersuite = ciphersuites[i];
\r
1270 ssl->handshake->ciphersuite_info = ciphersuite_info;
\r
1273 * SSLv2 Client Hello relevant renegotiation security checks
\r
1275 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
\r
1276 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
\r
1278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
\r
1279 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1280 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
1281 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1287 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
\r
1291 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
\r
1293 /* This function doesn't alert on errors that happen early during
\r
1294 ClientHello parsing because they might indicate that the client is
\r
1295 not talking SSL/TLS at all and would not understand our alert. */
\r
1296 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
\r
1298 int ret, got_common_suite;
\r
1300 size_t ciph_offset, comp_offset, ext_offset;
\r
1301 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
\r
1302 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
1303 size_t cookie_offset, cookie_len;
\r
1305 unsigned char *buf, *p, *ext;
\r
1306 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1307 int renegotiation_info_seen = 0;
\r
1309 int handshake_failure = 0;
\r
1310 const int *ciphersuites;
\r
1311 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
\r
1314 /* If there is no signature-algorithm extension present,
\r
1315 * we need to fall back to the default values for allowed
\r
1316 * signature-hash pairs. */
\r
1317 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
1318 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
1319 int sig_hash_alg_ext_present = 0;
\r
1320 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
\r
1321 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
\r
1323 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
\r
1325 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
\r
1326 read_record_header:
\r
1329 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
\r
1330 * otherwise read it ourselves manually in order to support SSLv2
\r
1331 * ClientHello, which doesn't use the same record layer format.
\r
1333 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1334 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
\r
1337 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
\r
1339 /* No alert on a read error. */
\r
1340 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
\r
1345 buf = ssl->in_hdr;
\r
1347 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
\r
1348 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
1349 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
\r
1351 if( ( buf[0] & 0x80 ) != 0 )
\r
1352 return( ssl_parse_client_hello_v2( ssl ) );
\r
1355 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) );
\r
1358 * SSLv3/TLS Client Hello
\r
1361 * 0 . 0 message type
\r
1362 * 1 . 2 protocol version
\r
1363 * 3 . 11 DTLS: epoch + record sequence number
\r
1364 * 3 . 4 message length
\r
1366 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
\r
1369 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
\r
1371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1372 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1375 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
\r
1376 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
\r
1378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
\r
1379 buf[1], buf[2] ) );
\r
1381 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
\r
1383 /* According to RFC 5246 Appendix E.1, the version here is typically
\r
1384 * "{03,00}, the lowest version number supported by the client, [or] the
\r
1385 * value of ClientHello.client_version", so the only meaningful check here
\r
1386 * is the major version shouldn't be less than 3 */
\r
1387 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
\r
1389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1390 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1393 /* For DTLS if this is the initial handshake, remember the client sequence
\r
1394 * number to use it in our next message (RFC 6347 4.2.1) */
\r
1395 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
1396 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
\r
1397 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1398 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
\r
1402 /* Epoch should be 0 for initial handshakes */
\r
1403 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
\r
1405 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1406 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1409 memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
\r
1411 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
\r
1412 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
\r
1414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
\r
1415 ssl->next_record_offset = 0;
\r
1417 goto read_record_header;
\r
1420 /* No MAC to check yet, so we can update right now */
\r
1421 mbedtls_ssl_dtls_replay_update( ssl );
\r
1424 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
1426 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
\r
1428 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1429 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
\r
1431 /* Set by mbedtls_ssl_read_record() */
\r
1432 msg_len = ssl->in_hslen;
\r
1437 if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
\r
1439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1440 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1443 if( ( ret = mbedtls_ssl_fetch_input( ssl,
\r
1444 mbedtls_ssl_in_hdr_len( ssl ) + msg_len ) ) != 0 )
\r
1446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
\r
1450 /* Done reading this record, get ready for the next one */
\r
1451 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
1452 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
1453 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl );
\r
1459 buf = ssl->in_msg;
\r
1461 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
\r
1463 ssl->handshake->update_checksum( ssl, buf, msg_len );
\r
1466 * Handshake layer:
\r
1467 * 0 . 0 handshake type
\r
1468 * 1 . 3 handshake length
\r
1469 * 4 . 5 DTLS only: message seqence number
\r
1470 * 6 . 8 DTLS only: fragment offset
\r
1471 * 9 . 11 DTLS only: fragment length
\r
1473 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
\r
1475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1476 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1479 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
\r
1481 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
\r
1483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1484 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
\r
1488 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
\r
1490 /* We don't support fragmentation of ClientHello (yet?) */
\r
1491 if( buf[1] != 0 ||
\r
1492 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
\r
1494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1495 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1498 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
1499 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
1502 * Copy the client's handshake message_seq on initial handshakes,
\r
1503 * check sequence number on renego.
\r
1505 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1506 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
\r
1508 /* This couldn't be done in ssl_prepare_handshake_record() */
\r
1509 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
\r
1512 if( cli_msg_seq != ssl->handshake->in_msg_seq )
\r
1514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
\r
1515 "%d (expected %d)", cli_msg_seq,
\r
1516 ssl->handshake->in_msg_seq ) );
\r
1517 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1520 ssl->handshake->in_msg_seq++;
\r
1525 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
\r
1527 ssl->handshake->out_msg_seq = cli_msg_seq;
\r
1528 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
\r
1532 * For now we don't support fragmentation, so make sure
\r
1533 * fragment_offset == 0 and fragment_length == length
\r
1535 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
\r
1536 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
\r
1538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
\r
1539 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
\r
1542 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
1544 buf += mbedtls_ssl_hs_hdr_len( ssl );
\r
1545 msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
\r
1548 * ClientHello layer:
\r
1549 * 0 . 1 protocol version
\r
1550 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
\r
1551 * 34 . 35 session id length (1 byte)
\r
1552 * 35 . 34+x session id
\r
1553 * 35+x . 35+x DTLS only: cookie length (1 byte)
\r
1554 * 36+x . .. DTLS only: cookie
\r
1555 * .. . .. ciphersuite list length (2 bytes)
\r
1556 * .. . .. ciphersuite list
\r
1557 * .. . .. compression alg. list length (1 byte)
\r
1558 * .. . .. compression alg. list
\r
1559 * .. . .. extensions length (2 bytes, optional)
\r
1560 * .. . .. extensions (optional)
\r
1564 * Minimal length (with everything empty and extensions omitted) is
\r
1565 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
\r
1566 * read at least up to session id length without worrying.
\r
1568 if( msg_len < 38 )
\r
1570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1571 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1575 * Check and save the protocol version
\r
1577 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
\r
1579 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
\r
1580 ssl->conf->transport, buf );
\r
1582 ssl->handshake->max_major_ver = ssl->major_ver;
\r
1583 ssl->handshake->max_minor_ver = ssl->minor_ver;
\r
1585 if( ssl->major_ver < ssl->conf->min_major_ver ||
\r
1586 ssl->minor_ver < ssl->conf->min_minor_ver )
\r
1588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
\r
1589 " [%d:%d] < [%d:%d]",
\r
1590 ssl->major_ver, ssl->minor_ver,
\r
1591 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
\r
1592 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1593 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
\r
1594 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
\r
1597 if( ssl->major_ver > ssl->conf->max_major_ver )
\r
1599 ssl->major_ver = ssl->conf->max_major_ver;
\r
1600 ssl->minor_ver = ssl->conf->max_minor_ver;
\r
1602 else if( ssl->minor_ver > ssl->conf->max_minor_ver )
\r
1603 ssl->minor_ver = ssl->conf->max_minor_ver;
\r
1606 * Save client random (inc. Unix time)
\r
1608 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
\r
1610 memcpy( ssl->handshake->randbytes, buf + 2, 32 );
\r
1613 * Check the session ID length and save session ID
\r
1615 sess_len = buf[34];
\r
1617 if( sess_len > sizeof( ssl->session_negotiate->id ) ||
\r
1618 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
\r
1620 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1621 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1622 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1623 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1626 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
\r
1628 ssl->session_negotiate->id_len = sess_len;
\r
1629 memset( ssl->session_negotiate->id, 0,
\r
1630 sizeof( ssl->session_negotiate->id ) );
\r
1631 memcpy( ssl->session_negotiate->id, buf + 35,
\r
1632 ssl->session_negotiate->id_len );
\r
1635 * Check the cookie length and content
\r
1637 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
1638 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
1640 cookie_offset = 35 + sess_len;
\r
1641 cookie_len = buf[cookie_offset];
\r
1643 if( cookie_offset + 1 + cookie_len + 2 > msg_len )
\r
1645 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1646 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1647 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
\r
1648 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1651 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
\r
1652 buf + cookie_offset + 1, cookie_len );
\r
1654 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
\r
1655 if( ssl->conf->f_cookie_check != NULL
\r
1656 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1657 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
\r
1661 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
\r
1662 buf + cookie_offset + 1, cookie_len,
\r
1663 ssl->cli_id, ssl->cli_id_len ) != 0 )
\r
1665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
\r
1666 ssl->handshake->verify_cookie_len = 1;
\r
1670 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
\r
1671 ssl->handshake->verify_cookie_len = 0;
\r
1675 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
\r
1677 /* We know we didn't send a cookie, so it should be empty */
\r
1678 if( cookie_len != 0 )
\r
1680 /* This may be an attacker's probe, so don't send an alert */
\r
1681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1682 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1685 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
\r
1689 * Check the ciphersuitelist length (will be parsed later)
\r
1691 ciph_offset = cookie_offset + 1 + cookie_len;
\r
1694 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
1695 ciph_offset = 35 + sess_len;
\r
1697 ciph_len = ( buf[ciph_offset + 0] << 8 )
\r
1698 | ( buf[ciph_offset + 1] );
\r
1700 if( ciph_len < 2 ||
\r
1701 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
\r
1702 ( ciph_len % 2 ) != 0 )
\r
1704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1705 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1706 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1707 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1710 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
\r
1711 buf + ciph_offset + 2, ciph_len );
\r
1714 * Check the compression algorithms length and pick one
\r
1716 comp_offset = ciph_offset + 2 + ciph_len;
\r
1718 comp_len = buf[comp_offset];
\r
1720 if( comp_len < 1 ||
\r
1722 comp_len + comp_offset + 1 > msg_len )
\r
1724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1725 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1726 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1727 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1730 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
\r
1731 buf + comp_offset + 1, comp_len );
\r
1733 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
\r
1734 #if defined(MBEDTLS_ZLIB_SUPPORT)
\r
1735 for( i = 0; i < comp_len; ++i )
\r
1737 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
\r
1739 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
\r
1745 /* See comments in ssl_write_client_hello() */
\r
1746 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
1747 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
1748 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
\r
1751 /* Do not parse the extensions if the protocol is SSLv3 */
\r
1752 #if defined(MBEDTLS_SSL_PROTO_SSL3)
\r
1753 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
\r
1757 * Check the extension length
\r
1759 ext_offset = comp_offset + 1 + comp_len;
\r
1760 if( msg_len > ext_offset )
\r
1762 if( msg_len < ext_offset + 2 )
\r
1764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1765 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1766 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1767 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1770 ext_len = ( buf[ext_offset + 0] << 8 )
\r
1771 | ( buf[ext_offset + 1] );
\r
1773 if( ( ext_len > 0 && ext_len < 4 ) ||
\r
1774 msg_len != ext_offset + 2 + ext_len )
\r
1776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1777 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1778 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1779 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1785 ext = buf + ext_offset + 2;
\r
1786 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
\r
1788 while( ext_len != 0 )
\r
1790 unsigned int ext_id;
\r
1791 unsigned int ext_size;
\r
1792 if ( ext_len < 4 ) {
\r
1793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1794 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1795 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1796 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1798 ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
\r
1799 ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
\r
1801 if( ext_size + 4 > ext_len )
\r
1803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1804 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1805 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1806 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1810 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
\r
1811 case MBEDTLS_TLS_EXT_SERVERNAME:
\r
1812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
\r
1813 if( ssl->conf->f_sni == NULL )
\r
1816 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
\r
1820 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
\r
1822 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
\r
1823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
\r
1824 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
1825 renegotiation_info_seen = 1;
\r
1828 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
\r
1833 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
1834 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
1835 case MBEDTLS_TLS_EXT_SIG_ALG:
\r
1836 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
\r
1838 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
\r
1842 sig_hash_alg_ext_present = 1;
\r
1844 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
\r
1845 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
\r
1847 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
\r
1848 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
1849 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
\r
1850 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
\r
1852 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
\r
1857 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
\r
1858 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
\r
1859 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
\r
1861 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
\r
1865 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
\r
1866 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
1868 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
1869 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
\r
1870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
\r
1872 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
\r
1876 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
1878 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
\r
1879 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
\r
1880 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
\r
1882 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
\r
1886 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
\r
1888 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
\r
1889 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
\r
1890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
\r
1892 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
\r
1896 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
\r
1898 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
1899 case MBEDTLS_TLS_EXT_CID:
\r
1900 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
\r
1902 ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size );
\r
1906 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
\r
1908 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
\r
1909 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
\r
1910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
\r
1912 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
\r
1916 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
\r
1918 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
\r
1919 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
\r
1920 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
\r
1922 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
\r
1926 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
\r
1928 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
1929 case MBEDTLS_TLS_EXT_SESSION_TICKET:
\r
1930 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
\r
1932 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
\r
1936 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
\r
1938 #if defined(MBEDTLS_SSL_ALPN)
\r
1939 case MBEDTLS_TLS_EXT_ALPN:
\r
1940 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
\r
1942 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
\r
1946 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
\r
1949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
\r
1953 ext_len -= 4 + ext_size;
\r
1954 ext += 4 + ext_size;
\r
1956 if( ext_len > 0 && ext_len < 4 )
\r
1958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
\r
1959 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1960 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
\r
1961 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1964 #if defined(MBEDTLS_SSL_PROTO_SSL3)
\r
1968 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
\r
1969 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
\r
1971 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
\r
1972 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
\r
1974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
\r
1976 if( ssl->minor_ver < ssl->conf->max_minor_ver )
\r
1978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
\r
1980 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
1981 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
\r
1983 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
1989 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
\r
1991 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
1992 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
1995 * Try to fall back to default hash SHA1 if the client
\r
1996 * hasn't provided any preferred signature-hash combinations.
\r
1998 if( sig_hash_alg_ext_present == 0 )
\r
2000 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
\r
2002 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
\r
2003 md_default = MBEDTLS_MD_NONE;
\r
2005 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
\r
2008 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
\r
2009 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
\r
2012 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
\r
2014 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
\r
2016 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
\r
2018 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
\r
2019 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
2020 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
\r
2022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
\r
2023 "during renegotiation" ) );
\r
2024 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
2025 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
2026 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
2029 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
\r
2035 * Renegotiation security checks
\r
2037 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
\r
2038 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
\r
2040 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
\r
2041 handshake_failure = 1;
\r
2043 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
2044 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
\r
2045 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
\r
2046 renegotiation_info_seen == 0 )
\r
2048 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
\r
2049 handshake_failure = 1;
\r
2051 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
\r
2052 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
\r
2053 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
\r
2055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
\r
2056 handshake_failure = 1;
\r
2058 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
\r
2059 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
\r
2060 renegotiation_info_seen == 1 )
\r
2062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
\r
2063 handshake_failure = 1;
\r
2065 #endif /* MBEDTLS_SSL_RENEGOTIATION */
\r
2067 if( handshake_failure == 1 )
\r
2069 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
2070 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
2071 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
\r
2075 * Search for a matching ciphersuite
\r
2076 * (At the end because we need information from the EC-based extensions
\r
2077 * and certificate from the SNI callback triggered by the SNI extension.)
\r
2079 got_common_suite = 0;
\r
2080 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
\r
2081 ciphersuite_info = NULL;
\r
2082 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
\r
2083 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
\r
2084 for( i = 0; ciphersuites[i] != 0; i++ )
\r
2086 for( i = 0; ciphersuites[i] != 0; i++ )
\r
2087 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
\r
2090 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
\r
2091 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
\r
2094 got_common_suite = 1;
\r
2096 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
\r
2097 &ciphersuite_info ) ) != 0 )
\r
2100 if( ciphersuite_info != NULL )
\r
2101 goto have_ciphersuite;
\r
2104 if( got_common_suite )
\r
2106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
\r
2107 "but none of them usable" ) );
\r
2108 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
2109 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
2110 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
\r
2114 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
\r
2115 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
2116 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
\r
2117 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
\r
2121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
\r
2123 ssl->session_negotiate->ciphersuite = ciphersuites[i];
\r
2124 ssl->handshake->ciphersuite_info = ciphersuite_info;
\r
2128 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
2129 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
2130 mbedtls_ssl_recv_flight_completed( ssl );
\r
2133 /* Debugging-only output for testsuite */
\r
2134 #if defined(MBEDTLS_DEBUG_C) && \
\r
2135 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
\r
2136 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
\r
2137 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
\r
2139 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
\r
2140 if( sig_alg != MBEDTLS_PK_NONE )
\r
2142 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
\r
2144 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
\r
2145 mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
\r
2149 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
\r
2150 "%d - should not happen", sig_alg ) );
\r
2155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
\r
2160 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
\r
2161 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
\r
2162 unsigned char *buf,
\r
2165 unsigned char *p = buf;
\r
2167 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
\r
2173 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
\r
2175 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
\r
2176 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
\r
2183 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
\r
2185 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
2186 static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
\r
2187 unsigned char *buf,
\r
2190 unsigned char *p = buf;
\r
2192 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
\r
2196 /* Skip writing the extension if we don't want to use it or if
\r
2197 * the client hasn't offered it. */
\r
2198 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED )
\r
2201 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
\r
2202 * which is at most 255, so the increment cannot overflow. */
\r
2203 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
\r
2205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
\r
2209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) );
\r
2212 * Quoting draft-ietf-tls-dtls-connection-id-05
\r
2213 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
\r
2216 * opaque cid<0..2^8-1>;
\r
2220 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
\r
2221 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
\r
2222 ext_len = (size_t) ssl->own_cid_len + 1;
\r
2223 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
\r
2224 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
\r
2226 *p++ = (uint8_t) ssl->own_cid_len;
\r
2227 memcpy( p, ssl->own_cid, ssl->own_cid_len );
\r
2229 *olen = ssl->own_cid_len + 5;
\r
2231 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
\r
2233 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
\r
2234 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
\r
2235 unsigned char *buf,
\r
2238 unsigned char *p = buf;
\r
2239 const mbedtls_ssl_ciphersuite_t *suite = NULL;
\r
2240 const mbedtls_cipher_info_t *cipher = NULL;
\r
2242 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
\r
2243 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
\r
2250 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
\r
2251 * from a client and then selects a stream or Authenticated Encryption
\r
2252 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
\r
2253 * encrypt-then-MAC response extension back to the client."
\r
2255 if( ( suite = mbedtls_ssl_ciphersuite_from_id(
\r
2256 ssl->session_negotiate->ciphersuite ) ) == NULL ||
\r
2257 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
\r
2258 cipher->mode != MBEDTLS_MODE_CBC )
\r
2264 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
\r
2266 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
\r
2267 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
\r
2274 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
\r
2276 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
\r
2277 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
\r
2278 unsigned char *buf,
\r
2281 unsigned char *p = buf;
\r
2283 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
\r
2284 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
\r
2290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
\r
2293 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
\r
2294 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
\r
2301 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
\r
2303 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
2304 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
\r
2305 unsigned char *buf,
\r
2308 unsigned char *p = buf;
\r
2310 if( ssl->handshake->new_session_ticket == 0 )
\r
2316 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
\r
2318 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
\r
2319 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
\r
2326 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
\r
2328 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
\r
2329 unsigned char *buf,
\r
2332 unsigned char *p = buf;
\r
2334 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
\r
2340 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
\r
2342 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
\r
2343 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
\r
2345 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
2346 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
\r
2349 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
\r
2350 *p++ = ssl->verify_data_len * 2 & 0xFF;
\r
2352 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
\r
2353 p += ssl->verify_data_len;
\r
2354 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
\r
2355 p += ssl->verify_data_len;
\r
2358 #endif /* MBEDTLS_SSL_RENEGOTIATION */
\r
2368 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
\r
2369 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
\r
2370 unsigned char *buf,
\r
2373 unsigned char *p = buf;
\r
2375 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
\r
2381 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
\r
2383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
\r
2384 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
\r
2389 *p++ = ssl->session_negotiate->mfl_code;
\r
2393 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
\r
2395 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
\r
2396 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
2397 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
\r
2398 unsigned char *buf,
\r
2401 unsigned char *p = buf;
\r
2404 if( ( ssl->handshake->cli_exts &
\r
2405 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
\r
2411 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
\r
2413 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
\r
2414 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
\r
2420 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
\r
2424 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
2426 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
2427 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
\r
2428 unsigned char *buf,
\r
2432 unsigned char *p = buf;
\r
2433 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
\r
2438 /* Skip costly computation if not needed */
\r
2439 if( ssl->handshake->ciphersuite_info->key_exchange !=
\r
2440 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
\r
2443 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
\r
2447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
\r
2451 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
\r
2452 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
\r
2454 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
\r
2455 p + 2, end - p - 2, &kkpp_len,
\r
2456 ssl->conf->f_rng, ssl->conf->p_rng );
\r
2459 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
\r
2463 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
\r
2464 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
\r
2466 *olen = kkpp_len + 4;
\r
2468 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
2470 #if defined(MBEDTLS_SSL_ALPN )
\r
2471 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
\r
2472 unsigned char *buf, size_t *olen )
\r
2474 if( ssl->alpn_chosen == NULL )
\r
2480 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
\r
2483 * 0 . 1 ext identifier
\r
2484 * 2 . 3 ext length
\r
2485 * 4 . 5 protocol list length
\r
2486 * 6 . 6 protocol name length
\r
2487 * 7 . 7+n protocol name
\r
2489 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
\r
2490 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
\r
2492 *olen = 7 + strlen( ssl->alpn_chosen );
\r
2494 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
\r
2495 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
\r
2497 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
\r
2498 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
\r
2500 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
\r
2502 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
\r
2504 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
\r
2506 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
\r
2507 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
\r
2510 unsigned char *p = ssl->out_msg + 4;
\r
2511 unsigned char *cookie_len_byte;
\r
2513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
\r
2517 * ProtocolVersion server_version;
\r
2518 * opaque cookie<0..2^8-1>;
\r
2519 * } HelloVerifyRequest;
\r
2522 /* The RFC is not clear on this point, but sending the actual negotiated
\r
2523 * version looks like the most interoperable thing to do. */
\r
2524 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
\r
2525 ssl->conf->transport, p );
\r
2526 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
\r
2529 /* If we get here, f_cookie_check is not null */
\r
2530 if( ssl->conf->f_cookie_write == NULL )
\r
2532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
\r
2533 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
2536 /* Skip length byte until we know the length */
\r
2537 cookie_len_byte = p++;
\r
2539 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
\r
2540 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
\r
2541 ssl->cli_id, ssl->cli_id_len ) ) != 0 )
\r
2543 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
\r
2547 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
\r
2549 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
\r
2551 ssl->out_msglen = p - ssl->out_msg;
\r
2552 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
\r
2553 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
\r
2555 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
\r
2557 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
\r
2559 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
\r
2563 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
2564 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
\r
2565 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
\r
2567 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
\r
2570 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
2572 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
\r
2576 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
\r
2578 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
\r
2580 #if defined(MBEDTLS_HAVE_TIME)
\r
2584 size_t olen, ext_len = 0, n;
\r
2585 unsigned char *buf, *p;
\r
2587 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
\r
2589 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
\r
2590 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
\r
2591 ssl->handshake->verify_cookie_len != 0 )
\r
2593 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
\r
2594 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
\r
2596 return( ssl_write_hello_verify_request( ssl ) );
\r
2598 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
\r
2600 if( ssl->conf->f_rng == NULL )
\r
2602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
\r
2603 return( MBEDTLS_ERR_SSL_NO_RNG );
\r
2607 * 0 . 0 handshake type
\r
2608 * 1 . 3 handshake length
\r
2609 * 4 . 5 protocol version
\r
2610 * 6 . 9 UNIX time()
\r
2611 * 10 . 37 random bytes
\r
2613 buf = ssl->out_msg;
\r
2616 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
\r
2617 ssl->conf->transport, p );
\r
2620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
\r
2621 buf[4], buf[5] ) );
\r
2623 #if defined(MBEDTLS_HAVE_TIME)
\r
2624 t = mbedtls_time( NULL );
\r
2625 *p++ = (unsigned char)( t >> 24 );
\r
2626 *p++ = (unsigned char)( t >> 16 );
\r
2627 *p++ = (unsigned char)( t >> 8 );
\r
2628 *p++ = (unsigned char)( t );
\r
2630 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
\r
2632 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
\r
2636 #endif /* MBEDTLS_HAVE_TIME */
\r
2638 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
\r
2643 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
\r
2645 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
\r
2648 * Resume is 0 by default, see ssl_handshake_init().
\r
2649 * It may be already set to 1 by ssl_parse_session_ticket_ext().
\r
2650 * If not, try looking up session ID in our cache.
\r
2652 if( ssl->handshake->resume == 0 &&
\r
2653 #if defined(MBEDTLS_SSL_RENEGOTIATION)
\r
2654 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
\r
2656 ssl->session_negotiate->id_len != 0 &&
\r
2657 ssl->conf->f_get_cache != NULL &&
\r
2658 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
\r
2660 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
\r
2661 ssl->handshake->resume = 1;
\r
2664 if( ssl->handshake->resume == 0 )
\r
2667 * New session, create a new session id,
\r
2668 * unless we're about to issue a session ticket
\r
2672 #if defined(MBEDTLS_HAVE_TIME)
\r
2673 ssl->session_negotiate->start = mbedtls_time( NULL );
\r
2676 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
2677 if( ssl->handshake->new_session_ticket != 0 )
\r
2679 ssl->session_negotiate->id_len = n = 0;
\r
2680 memset( ssl->session_negotiate->id, 0, 32 );
\r
2683 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
\r
2685 ssl->session_negotiate->id_len = n = 32;
\r
2686 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
\r
2694 * Resuming a session
\r
2696 n = ssl->session_negotiate->id_len;
\r
2697 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
\r
2699 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
\r
2701 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
\r
2707 * 38 . 38 session id length
\r
2708 * 39 . 38+n session id
\r
2709 * 39+n . 40+n chosen ciphersuite
\r
2710 * 41+n . 41+n chosen compression alg.
\r
2711 * 42+n . 43+n extensions length
\r
2712 * 44+n . 43+n+m extensions
\r
2714 *p++ = (unsigned char) ssl->session_negotiate->id_len;
\r
2715 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
\r
2716 p += ssl->session_negotiate->id_len;
\r
2718 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
\r
2719 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
\r
2720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
\r
2721 ssl->handshake->resume ? "a" : "no" ) );
\r
2723 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
\r
2724 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
\r
2725 *p++ = (unsigned char)( ssl->session_negotiate->compression );
\r
2727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
\r
2728 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
\r
2729 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
\r
2730 ssl->session_negotiate->compression ) );
\r
2732 /* Do not write the extensions if the protocol is SSLv3 */
\r
2733 #if defined(MBEDTLS_SSL_PROTO_SSL3)
\r
2734 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
\r
2739 * First write extensions, then the total length
\r
2741 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
\r
2744 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
\r
2745 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
\r
2749 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
\r
2750 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
\r
2754 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
\r
2755 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
\r
2759 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
\r
2760 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
\r
2764 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
\r
2765 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
\r
2769 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
2770 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
\r
2774 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
\r
2775 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
2776 if ( mbedtls_ssl_ciphersuite_uses_ec(
\r
2777 mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
\r
2779 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
\r
2784 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
2785 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
\r
2789 #if defined(MBEDTLS_SSL_ALPN)
\r
2790 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
\r
2794 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
\r
2798 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
\r
2799 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
\r
2803 #if defined(MBEDTLS_SSL_PROTO_SSL3)
\r
2807 ssl->out_msglen = p - buf;
\r
2808 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
\r
2809 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
\r
2811 ret = mbedtls_ssl_write_handshake_msg( ssl );
\r
2813 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
\r
2818 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
\r
2819 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
\r
2821 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
\r
2822 ssl->handshake->ciphersuite_info;
\r
2824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
\r
2826 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
\r
2828 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
\r
2833 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
2834 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
2836 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
\r
2837 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
\r
2839 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
\r
2840 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
\r
2841 ssl->handshake->ciphersuite_info;
\r
2842 size_t dn_size, total_dn_size; /* excluding length bytes */
\r
2843 size_t ct_len, sa_len; /* including length bytes */
\r
2844 unsigned char *buf, *p;
\r
2845 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
\r
2846 const mbedtls_x509_crt *crt;
\r
2849 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
\r
2853 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
\r
2854 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
\r
2855 authmode = ssl->handshake->sni_authmode;
\r
2858 authmode = ssl->conf->authmode;
\r
2860 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
\r
2861 authmode == MBEDTLS_SSL_VERIFY_NONE )
\r
2863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
\r
2868 * 0 . 0 handshake type
\r
2869 * 1 . 3 handshake length
\r
2870 * 4 . 4 cert type count
\r
2871 * 5 .. m-1 cert types
\r
2872 * m .. m+1 sig alg length (TLS 1.2 only)
\r
2873 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
\r
2874 * n .. n+1 length of all DNs
\r
2875 * n+2 .. n+3 length of DN 1
\r
2876 * n+4 .. ... Distinguished Name #1
\r
2877 * ... .. ... length of DN 2, etc.
\r
2879 buf = ssl->out_msg;
\r
2883 * Supported certificate types
\r
2885 * ClientCertificateType certificate_types<1..2^8-1>;
\r
2886 * enum { (255) } ClientCertificateType;
\r
2890 #if defined(MBEDTLS_RSA_C)
\r
2891 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
\r
2893 #if defined(MBEDTLS_ECDSA_C)
\r
2894 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
\r
2897 p[0] = (unsigned char) ct_len++;
\r
2901 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
2903 * Add signature_algorithms for verify (TLS 1.2)
\r
2905 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
\r
2908 * HashAlgorithm hash;
\r
2909 * SignatureAlgorithm signature;
\r
2910 * } SignatureAndHashAlgorithm;
\r
2912 * enum { (255) } HashAlgorithm;
\r
2913 * enum { (255) } SignatureAlgorithm;
\r
2915 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
\r
2920 * Supported signature algorithms
\r
2922 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
\r
2924 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
\r
2926 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
\r
2929 #if defined(MBEDTLS_RSA_C)
\r
2930 p[2 + sa_len++] = hash;
\r
2931 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
\r
2933 #if defined(MBEDTLS_ECDSA_C)
\r
2934 p[2 + sa_len++] = hash;
\r
2935 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
\r
2939 p[0] = (unsigned char)( sa_len >> 8 );
\r
2940 p[1] = (unsigned char)( sa_len );
\r
2944 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
\r
2947 * DistinguishedName certificate_authorities<0..2^16-1>;
\r
2948 * opaque DistinguishedName<1..2^16-1>;
\r
2952 total_dn_size = 0;
\r
2954 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
\r
2956 /* NOTE: If trusted certificates are provisioned
\r
2957 * via a CA callback (configured through
\r
2958 * `mbedtls_ssl_conf_ca_cb()`, then the
\r
2959 * CertificateRequest is currently left empty. */
\r
2961 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
\r
2962 if( ssl->handshake->sni_ca_chain != NULL )
\r
2963 crt = ssl->handshake->sni_ca_chain;
\r
2966 crt = ssl->conf->ca_chain;
\r
2968 while( crt != NULL && crt->version != 0 )
\r
2970 dn_size = crt->subject_raw.len;
\r
2973 (size_t)( end - p ) < dn_size ||
\r
2974 (size_t)( end - p ) < 2 + dn_size )
\r
2976 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
\r
2980 *p++ = (unsigned char)( dn_size >> 8 );
\r
2981 *p++ = (unsigned char)( dn_size );
\r
2982 memcpy( p, crt->subject_raw.p, dn_size );
\r
2985 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
\r
2987 total_dn_size += 2 + dn_size;
\r
2992 ssl->out_msglen = p - buf;
\r
2993 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
\r
2994 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
\r
2995 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
\r
2996 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
\r
2998 ret = mbedtls_ssl_write_handshake_msg( ssl );
\r
3000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
\r
3004 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
\r
3006 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
\r
3007 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
\r
3008 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
\r
3012 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
\r
3014 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
\r
3015 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
\r
3018 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
\r
3019 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
\r
3020 MBEDTLS_ECDH_OURS ) ) != 0 )
\r
3022 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
\r
3028 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
\r
3029 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
\r
3031 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
\r
3032 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
3033 static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
\r
3034 size_t *signature_len )
\r
3036 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
\r
3037 * signature length which will be added in ssl_write_server_key_exchange
\r
3038 * after the call to ssl_prepare_server_key_exchange.
\r
3039 * ssl_write_server_key_exchange also takes care of incrementing
\r
3040 * ssl->out_msglen. */
\r
3041 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
\r
3042 size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
\r
3044 int ret = ssl->conf->f_async_resume( ssl,
\r
3045 sig_start, signature_len, sig_max_len );
\r
3046 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
\r
3048 ssl->handshake->async_in_progress = 0;
\r
3049 mbedtls_ssl_set_async_operation_data( ssl, NULL );
\r
3051 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
\r
3054 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
\r
3055 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
\r
3057 /* Prepare the ServerKeyExchange message, up to and including
\r
3058 * calculating the signature if any, but excluding formatting the
\r
3059 * signature and sending the message. */
\r
3060 static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
\r
3061 size_t *signature_len )
\r
3063 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
\r
3064 ssl->handshake->ciphersuite_info;
\r
3066 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
\r
3067 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
\r
3068 unsigned char *dig_signed = NULL;
\r
3069 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
\r
3070 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
\r
3072 (void) ciphersuite_info; /* unused in some configurations */
\r
3073 #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
\r
3074 (void) signature_len;
\r
3075 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
\r
3077 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
\r
3081 * Part 1: Provide key exchange parameters for chosen ciphersuite.
\r
3086 * - ECJPAKE key exchanges
\r
3088 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
3089 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
\r
3094 ret = mbedtls_ecjpake_write_round_two(
\r
3095 &ssl->handshake->ecjpake_ctx,
\r
3096 ssl->out_msg + ssl->out_msglen,
\r
3097 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
\r
3098 ssl->conf->f_rng, ssl->conf->p_rng );
\r
3101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
\r
3105 ssl->out_msglen += len;
\r
3107 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
3110 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
\r
3111 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
\r
3112 * we use empty support identity hints here.
\r
3114 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
\r
3115 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
\r
3116 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
\r
3117 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
\r
3119 ssl->out_msg[ssl->out_msglen++] = 0x00;
\r
3120 ssl->out_msg[ssl->out_msglen++] = 0x00;
\r
3122 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
\r
3123 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
\r
3126 * - DHE key exchanges
\r
3128 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
\r
3129 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
\r
3134 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
\r
3136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
\r
3137 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
\r
3141 * Ephemeral DH parameters:
\r
3144 * opaque dh_p<1..2^16-1>;
\r
3145 * opaque dh_g<1..2^16-1>;
\r
3146 * opaque dh_Ys<1..2^16-1>;
\r
3147 * } ServerDHParams;
\r
3149 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
\r
3150 &ssl->conf->dhm_P,
\r
3151 &ssl->conf->dhm_G ) ) != 0 )
\r
3153 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
\r
3157 if( ( ret = mbedtls_dhm_make_params(
\r
3158 &ssl->handshake->dhm_ctx,
\r
3159 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
\r
3160 ssl->out_msg + ssl->out_msglen, &len,
\r
3161 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
\r
3163 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
\r
3167 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
\r
3168 dig_signed = ssl->out_msg + ssl->out_msglen;
\r
3171 ssl->out_msglen += len;
\r
3173 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
\r
3174 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
\r
3175 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
\r
3176 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
\r
3178 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
\r
3181 * - ECDHE key exchanges
\r
3183 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
\r
3184 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
\r
3187 * Ephemeral ECDH parameters:
\r
3190 * ECParameters curve_params;
\r
3192 * } ServerECDHParams;
\r
3194 const mbedtls_ecp_curve_info **curve = NULL;
\r
3195 const mbedtls_ecp_group_id *gid;
\r
3199 /* Match our preference list against the offered curves */
\r
3200 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
\r
3201 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
\r
3202 if( (*curve)->grp_id == *gid )
\r
3203 goto curve_matching_done;
\r
3205 curve_matching_done:
\r
3206 if( curve == NULL || *curve == NULL )
\r
3208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
\r
3209 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
\r
3212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
\r
3214 if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
\r
3215 (*curve)->grp_id ) ) != 0 )
\r
3217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
\r
3221 if( ( ret = mbedtls_ecdh_make_params(
\r
3222 &ssl->handshake->ecdh_ctx, &len,
\r
3223 ssl->out_msg + ssl->out_msglen,
\r
3224 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
\r
3225 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
\r
3227 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
\r
3231 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
\r
3232 dig_signed = ssl->out_msg + ssl->out_msglen;
\r
3235 ssl->out_msglen += len;
\r
3237 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
\r
3238 MBEDTLS_DEBUG_ECDH_Q );
\r
3240 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
\r
3244 * Part 2: For key exchanges involving the server signing the
\r
3245 * exchange parameters, compute and add the signature here.
\r
3248 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
\r
3249 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
\r
3251 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
\r
3252 size_t hashlen = 0;
\r
3253 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
\r
3257 * 2.1: Choose hash algorithm:
\r
3258 * A: For TLS 1.2, obey signature-hash-algorithm extension
\r
3259 * to choose appropriate hash.
\r
3260 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
\r
3261 * (RFC 4492, Sec. 5.4)
\r
3262 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
\r
3265 mbedtls_md_type_t md_alg;
\r
3267 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
3268 mbedtls_pk_type_t sig_alg =
\r
3269 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
\r
3270 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
\r
3272 /* A: For TLS 1.2, obey signature-hash-algorithm extension
\r
3273 * (RFC 5246, Sec. 7.4.1.4.1). */
\r
3274 if( sig_alg == MBEDTLS_PK_NONE ||
\r
3275 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
\r
3276 sig_alg ) ) == MBEDTLS_MD_NONE )
\r
3278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
3279 /* (... because we choose a cipher suite
\r
3280 * only if there is a matching hash.) */
\r
3281 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
3285 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
\r
3286 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
\r
3287 defined(MBEDTLS_SSL_PROTO_TLS1_1)
\r
3288 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
\r
3290 /* B: Default hash SHA1 */
\r
3291 md_alg = MBEDTLS_MD_SHA1;
\r
3294 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
\r
3295 MBEDTLS_SSL_PROTO_TLS1_1 */
\r
3297 /* C: MD5 + SHA1 */
\r
3298 md_alg = MBEDTLS_MD_NONE;
\r
3301 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
\r
3304 * 2.2: Compute the hash to be signed
\r
3306 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
\r
3307 defined(MBEDTLS_SSL_PROTO_TLS1_1)
\r
3308 if( md_alg == MBEDTLS_MD_NONE )
\r
3311 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
\r
3318 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
\r
3319 MBEDTLS_SSL_PROTO_TLS1_1 */
\r
3320 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
\r
3321 defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
3322 if( md_alg != MBEDTLS_MD_NONE )
\r
3324 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
\r
3332 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
\r
3333 MBEDTLS_SSL_PROTO_TLS1_2 */
\r
3335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
3336 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
3339 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
\r
3342 * 2.3: Compute and add the signature
\r
3344 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
3345 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
\r
3348 * For TLS 1.2, we need to specify signature and hash algorithm
\r
3349 * explicitly through a prefix to the signature.
\r
3352 * HashAlgorithm hash;
\r
3353 * SignatureAlgorithm signature;
\r
3354 * } SignatureAndHashAlgorithm;
\r
3357 * SignatureAndHashAlgorithm algorithm;
\r
3358 * opaque signature<0..2^16-1>;
\r
3359 * } DigitallySigned;
\r
3363 ssl->out_msg[ssl->out_msglen++] =
\r
3364 mbedtls_ssl_hash_from_md_alg( md_alg );
\r
3365 ssl->out_msg[ssl->out_msglen++] =
\r
3366 mbedtls_ssl_sig_from_pk_alg( sig_alg );
\r
3368 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
\r
3370 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
3371 if( ssl->conf->f_async_sign_start != NULL )
\r
3373 ret = ssl->conf->f_async_sign_start( ssl,
\r
3374 mbedtls_ssl_own_cert( ssl ),
\r
3375 md_alg, hash, hashlen );
\r
3378 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
\r
3379 /* act as if f_async_sign was null */
\r
3382 ssl->handshake->async_in_progress = 1;
\r
3383 return( ssl_resume_server_key_exchange( ssl, signature_len ) );
\r
3384 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
\r
3385 ssl->handshake->async_in_progress = 1;
\r
3386 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
\r
3388 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
\r
3392 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
3394 if( mbedtls_ssl_own_key( ssl ) == NULL )
\r
3396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
\r
3397 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
\r
3400 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
\r
3401 * signature length which will be added in ssl_write_server_key_exchange
\r
3402 * after the call to ssl_prepare_server_key_exchange.
\r
3403 * ssl_write_server_key_exchange also takes care of incrementing
\r
3404 * ssl->out_msglen. */
\r
3405 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
\r
3406 md_alg, hash, hashlen,
\r
3407 ssl->out_msg + ssl->out_msglen + 2,
\r
3410 ssl->conf->p_rng ) ) != 0 )
\r
3412 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
\r
3416 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
\r
3421 /* Prepare the ServerKeyExchange message and send it. For ciphersuites
\r
3422 * that do not include a ServerKeyExchange message, do nothing. Either
\r
3423 * way, if successful, move on to the next step in the SSL state
\r
3425 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
\r
3428 size_t signature_len = 0;
\r
3429 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
\r
3430 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
\r
3431 ssl->handshake->ciphersuite_info;
\r
3432 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
\r
3434 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
\r
3436 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
\r
3437 /* Extract static ECDH parameters and abort if ServerKeyExchange
\r
3438 * is not needed. */
\r
3439 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
\r
3441 /* For suites involving ECDH, extract DH parameters
\r
3442 * from certificate at this point. */
\r
3443 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
\r
3444 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
\r
3446 ssl_get_ecdh_params_from_cert( ssl );
\r
3448 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
\r
3450 /* Key exchanges not involving ephemeral keys don't use
\r
3451 * ServerKeyExchange, so end here. */
\r
3452 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
\r
3456 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
\r
3458 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
\r
3459 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
3460 /* If we have already prepared the message and there is an ongoing
\r
3461 * signature operation, resume signing. */
\r
3462 if( ssl->handshake->async_in_progress != 0 )
\r
3464 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
\r
3465 ret = ssl_resume_server_key_exchange( ssl, &signature_len );
\r
3468 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
\r
3469 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
\r
3471 /* ServerKeyExchange is needed. Prepare the message. */
\r
3472 ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
\r
3477 /* If we're starting to write a new message, set ssl->out_msglen
\r
3478 * to 0. But if we're resuming after an asynchronous message,
\r
3479 * out_msglen is the amount of data written so far and mst be
\r
3481 if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
\r
3482 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
\r
3484 ssl->out_msglen = 0;
\r
3488 /* If there is a signature, write its length.
\r
3489 * ssl_prepare_server_key_exchange already wrote the signature
\r
3490 * itself at its proper place in the output buffer. */
\r
3491 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
\r
3492 if( signature_len != 0 )
\r
3494 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
\r
3495 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
\r
3497 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
\r
3498 ssl->out_msg + ssl->out_msglen,
\r
3501 /* Skip over the already-written signature */
\r
3502 ssl->out_msglen += signature_len;
\r
3504 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
\r
3506 /* Add header and send. */
\r
3507 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
\r
3508 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
\r
3512 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
\r
3514 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
\r
3518 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
\r
3522 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
\r
3526 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
\r
3528 ssl->out_msglen = 4;
\r
3529 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
\r
3530 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
\r
3534 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
3535 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
\r
3536 mbedtls_ssl_send_flight_completed( ssl );
\r
3539 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
\r
3541 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
\r
3545 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
3546 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
\r
3547 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
\r
3549 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
\r
3552 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
3554 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
\r
3559 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
\r
3560 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
\r
3561 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
\r
3562 const unsigned char *end )
\r
3564 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
\r
3568 * Receive G^Y mod P, premaster = (G^Y)^X mod P
\r
3570 if( *p + 2 > end )
\r
3572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3573 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3576 n = ( (*p)[0] << 8 ) | (*p)[1];
\r
3579 if( *p + n > end )
\r
3581 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3585 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
\r
3587 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
\r
3588 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
\r
3593 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
\r
3597 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
\r
3598 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
\r
3600 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
\r
3601 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
\r
3603 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
3604 static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
\r
3605 unsigned char *peer_pms,
\r
3606 size_t *peer_pmslen,
\r
3607 size_t peer_pmssize )
\r
3609 int ret = ssl->conf->f_async_resume( ssl,
\r
3610 peer_pms, peer_pmslen, peer_pmssize );
\r
3611 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
\r
3613 ssl->handshake->async_in_progress = 0;
\r
3614 mbedtls_ssl_set_async_operation_data( ssl, NULL );
\r
3616 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
\r
3619 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
3621 static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
\r
3622 const unsigned char *p,
\r
3623 const unsigned char *end,
\r
3624 unsigned char *peer_pms,
\r
3625 size_t *peer_pmslen,
\r
3626 size_t peer_pmssize )
\r
3629 mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
\r
3630 mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
\r
3631 size_t len = mbedtls_pk_get_len( public_key );
\r
3633 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
3634 /* If we have already started decoding the message and there is an ongoing
\r
3635 * decryption operation, resume signing. */
\r
3636 if( ssl->handshake->async_in_progress != 0 )
\r
3638 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
\r
3639 return( ssl_resume_decrypt_pms( ssl,
\r
3640 peer_pms, peer_pmslen, peer_pmssize ) );
\r
3642 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
3645 * Prepare to decrypt the premaster using own private RSA key
\r
3647 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
\r
3648 defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
3649 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
\r
3651 if ( p + 2 > end ) {
\r
3652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3653 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3655 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
\r
3656 *p++ != ( ( len ) & 0xFF ) )
\r
3658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3659 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3664 if( p + len != end )
\r
3666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3667 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3671 * Decrypt the premaster secret
\r
3673 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
3674 if( ssl->conf->f_async_decrypt_start != NULL )
\r
3676 ret = ssl->conf->f_async_decrypt_start( ssl,
\r
3677 mbedtls_ssl_own_cert( ssl ),
\r
3681 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
\r
3682 /* act as if f_async_decrypt_start was null */
\r
3685 ssl->handshake->async_in_progress = 1;
\r
3686 return( ssl_resume_decrypt_pms( ssl,
\r
3690 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
\r
3691 ssl->handshake->async_in_progress = 1;
\r
3692 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
\r
3694 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
\r
3698 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
3700 if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
\r
3702 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
\r
3703 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
\r
3706 ret = mbedtls_pk_decrypt( private_key, p, len,
\r
3707 peer_pms, peer_pmslen, peer_pmssize,
\r
3708 ssl->conf->f_rng, ssl->conf->p_rng );
\r
3712 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
\r
3713 const unsigned char *p,
\r
3714 const unsigned char *end,
\r
3715 size_t pms_offset )
\r
3718 unsigned char *pms = ssl->handshake->premaster + pms_offset;
\r
3719 unsigned char ver[2];
\r
3720 unsigned char fake_pms[48], peer_pms[48];
\r
3721 unsigned char mask;
\r
3722 size_t i, peer_pmslen;
\r
3723 unsigned int diff;
\r
3725 /* In case of a failure in decryption, the decryption may write less than
\r
3726 * 2 bytes of output, but we always read the first two bytes. It doesn't
\r
3727 * matter in the end because diff will be nonzero in that case due to
\r
3728 * peer_pmslen being less than 48, and we only care whether diff is 0.
\r
3729 * But do initialize peer_pms for robustness anyway. This also makes
\r
3730 * memory analyzers happy (don't access uninitialized memory, even
\r
3731 * if it's an unsigned char). */
\r
3732 peer_pms[0] = peer_pms[1] = ~0;
\r
3734 ret = ssl_decrypt_encrypted_pms( ssl, p, end,
\r
3737 sizeof( peer_pms ) );
\r
3739 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
3740 if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
\r
3742 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
3744 mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
\r
3745 ssl->handshake->max_minor_ver,
\r
3746 ssl->conf->transport, ver );
\r
3748 /* Avoid data-dependent branches while checking for invalid
\r
3749 * padding, to protect against timing-based Bleichenbacher-type
\r
3751 diff = (unsigned int) ret;
\r
3752 diff |= peer_pmslen ^ 48;
\r
3753 diff |= peer_pms[0] ^ ver[0];
\r
3754 diff |= peer_pms[1] ^ ver[1];
\r
3756 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
\r
3757 /* MSVC has a warning about unary minus on unsigned, but this is
\r
3758 * well-defined and precisely what we want to do here */
\r
3759 #if defined(_MSC_VER)
\r
3760 #pragma warning( push )
\r
3761 #pragma warning( disable : 4146 )
\r
3763 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
\r
3764 #if defined(_MSC_VER)
\r
3765 #pragma warning( pop )
\r
3769 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
\r
3770 * must not cause the connection to end immediately; instead, send a
\r
3771 * bad_record_mac later in the handshake.
\r
3772 * To protect against timing-based variants of the attack, we must
\r
3773 * not have any branch that depends on whether the decryption was
\r
3774 * successful. In particular, always generate the fake premaster secret,
\r
3775 * regardless of whether it will ultimately influence the output or not.
\r
3777 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
\r
3780 /* It's ok to abort on an RNG failure, since this does not reveal
\r
3781 * anything about the RSA decryption. */
\r
3785 #if defined(MBEDTLS_SSL_DEBUG_ALL)
\r
3787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3790 if( sizeof( ssl->handshake->premaster ) < pms_offset ||
\r
3791 sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
\r
3793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
3794 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
3796 ssl->handshake->pmslen = 48;
\r
3798 /* Set pms to either the true or the fake PMS, without
\r
3799 * data-dependent branches. */
\r
3800 for( i = 0; i < ssl->handshake->pmslen; i++ )
\r
3801 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
\r
3805 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
\r
3806 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
\r
3808 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
\r
3809 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
\r
3810 const unsigned char *end )
\r
3815 if( ssl_conf_has_psk_or_cb( ssl->conf ) == 0 )
\r
3817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
\r
3818 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
\r
3822 * Receive client pre-shared key identity name
\r
3824 if( end - *p < 2 )
\r
3826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3827 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3830 n = ( (*p)[0] << 8 ) | (*p)[1];
\r
3833 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
\r
3835 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3836 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3839 if( ssl->conf->f_psk != NULL )
\r
3841 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
\r
3842 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
\r
3846 /* Identity is not a big secret since clients send it in the clear,
\r
3847 * but treat it carefully anyway, just in case */
\r
3848 if( n != ssl->conf->psk_identity_len ||
\r
3849 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
\r
3851 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
\r
3855 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
\r
3857 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
\r
3858 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
\r
3859 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
\r
3860 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
\r
3867 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
\r
3869 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
\r
3872 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
\r
3873 unsigned char *p, *end;
\r
3875 ciphersuite_info = ssl->handshake->ciphersuite_info;
\r
3877 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
\r
3879 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
\r
3880 ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
\r
3881 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
\r
3882 if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
\r
3883 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
\r
3884 ( ssl->handshake->async_in_progress != 0 ) )
\r
3886 /* We've already read a record and there is an asynchronous
\r
3887 * operation in progress to decrypt it. So skip reading the
\r
3889 MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
\r
3893 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
\r
3895 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
\r
3899 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
\r
3900 end = ssl->in_msg + ssl->in_hslen;
\r
3902 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
\r
3904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3905 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3908 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
\r
3910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
\r
3911 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3914 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
\r
3915 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
\r
3917 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
\r
3919 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
\r
3925 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
\r
3926 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3929 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
\r
3930 ssl->handshake->premaster,
\r
3931 MBEDTLS_PREMASTER_SIZE,
\r
3932 &ssl->handshake->pmslen,
\r
3933 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
\r
3935 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
\r
3936 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
\r
3939 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
\r
3942 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
\r
3943 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
\r
3944 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
\r
3945 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
\r
3946 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
\r
3947 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
\r
3948 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
\r
3949 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
\r
3950 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
\r
3952 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
\r
3953 p, end - p) ) != 0 )
\r
3955 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
\r
3956 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
\r
3959 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
\r
3960 MBEDTLS_DEBUG_ECDH_QP );
\r
3962 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
\r
3963 &ssl->handshake->pmslen,
\r
3964 ssl->handshake->premaster,
\r
3965 MBEDTLS_MPI_MAX_SIZE,
\r
3966 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
\r
3968 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
\r
3969 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
\r
3972 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
\r
3973 MBEDTLS_DEBUG_ECDH_Z );
\r
3976 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
\r
3977 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
\r
3978 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
\r
3979 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
\r
3980 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
\r
3981 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
\r
3983 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
\r
3985 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
\r
3991 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
\r
3992 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
3995 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
3996 /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically
\r
3997 * and skip the intermediate PMS. */
\r
3998 if( ssl_use_opaque_psk( ssl ) == 1 )
\r
3999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) );
\r
4001 #endif /* MBEDTLS_USE_PSA_CRYPTO */
\r
4002 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
\r
4003 ciphersuite_info->key_exchange ) ) != 0 )
\r
4005 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
\r
4010 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
\r
4011 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
\r
4012 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
\r
4014 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
\r
4015 if ( ssl->handshake->async_in_progress != 0 )
\r
4017 /* There is an asynchronous operation in progress to
\r
4018 * decrypt the encrypted premaster secret, so skip
\r
4019 * directly to resuming this operation. */
\r
4020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
\r
4021 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
\r
4022 * won't actually use it, but maintain p anyway for robustness. */
\r
4023 p += ssl->conf->psk_identity_len + 2;
\r
4026 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
\r
4027 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
\r
4029 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
\r
4033 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
4034 /* Opaque PSKs are currently only supported for PSK-only. */
\r
4035 if( ssl_use_opaque_psk( ssl ) == 1 )
\r
4036 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
\r
4039 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
\r
4041 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
\r
4045 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
\r
4046 ciphersuite_info->key_exchange ) ) != 0 )
\r
4048 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
\r
4053 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
\r
4054 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
\r
4055 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
\r
4057 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
\r
4059 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
\r
4062 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
\r
4064 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
\r
4068 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
4069 /* Opaque PSKs are currently only supported for PSK-only. */
\r
4070 if( ssl_use_opaque_psk( ssl ) == 1 )
\r
4071 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
\r
4076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
\r
4077 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
\r
4080 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
\r
4081 ciphersuite_info->key_exchange ) ) != 0 )
\r
4083 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
\r
4088 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
\r
4089 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
\r
4090 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
\r
4092 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
\r
4094 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
\r
4098 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
\r
4099 p, end - p ) ) != 0 )
\r
4101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
\r
4102 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
\r
4105 #if defined(MBEDTLS_USE_PSA_CRYPTO)
\r
4106 /* Opaque PSKs are currently only supported for PSK-only. */
\r
4107 if( ssl_use_opaque_psk( ssl ) == 1 )
\r
4108 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
\r
4111 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
\r
4112 MBEDTLS_DEBUG_ECDH_QP );
\r
4114 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
\r
4115 ciphersuite_info->key_exchange ) ) != 0 )
\r
4117 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
\r
4122 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
\r
4123 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
\r
4124 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
\r
4126 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
\r
4128 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
\r
4133 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
\r
4134 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
\r
4135 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
\r
4137 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
\r
4141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
\r
4142 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
\r
4145 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
\r
4146 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
\r
4147 ssl->conf->f_rng, ssl->conf->p_rng );
\r
4150 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
\r
4155 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
\r
4157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
4158 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
4161 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
\r
4163 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
\r
4169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
\r
4174 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
\r
4175 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
\r
4177 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
\r
4178 ssl->handshake->ciphersuite_info;
\r
4180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
\r
4182 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
\r
4184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
\r
4189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
4190 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
4192 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
\r
4193 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
\r
4195 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
\r
4196 size_t i, sig_len;
\r
4197 unsigned char hash[48];
\r
4198 unsigned char *hash_start = hash;
\r
4200 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
4201 mbedtls_pk_type_t pk_alg;
\r
4203 mbedtls_md_type_t md_alg;
\r
4204 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
\r
4205 ssl->handshake->ciphersuite_info;
\r
4206 mbedtls_pk_context * peer_pk;
\r
4208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
\r
4210 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
\r
4212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
\r
4217 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
\r
4218 if( ssl->session_negotiate->peer_cert == NULL )
\r
4220 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
\r
4224 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
\r
4225 if( ssl->session_negotiate->peer_cert_digest == NULL )
\r
4227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
\r
4231 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
\r
4233 /* Read the message without adding it to the checksum */
\r
4234 ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
\r
4237 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
\r
4243 /* Process the message contents */
\r
4244 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
\r
4245 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
\r
4247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
\r
4248 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
\r
4251 i = mbedtls_ssl_hs_hdr_len( ssl );
\r
4253 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
\r
4254 peer_pk = &ssl->handshake->peer_pubkey;
\r
4255 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
\r
4256 if( ssl->session_negotiate->peer_cert == NULL )
\r
4258 /* Should never happen */
\r
4259 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
4261 peer_pk = &ssl->session_negotiate->peer_cert->pk;
\r
4262 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
\r
4266 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
\r
4267 * opaque signature<0..2^16-1>;
\r
4268 * } DigitallySigned;
\r
4270 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
\r
4271 defined(MBEDTLS_SSL_PROTO_TLS1_1)
\r
4272 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
\r
4274 md_alg = MBEDTLS_MD_NONE;
\r
4277 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
\r
4278 if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) )
\r
4282 md_alg = MBEDTLS_MD_SHA1;
\r
4286 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
\r
4287 MBEDTLS_SSL_PROTO_TLS1_1 */
\r
4288 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
\r
4289 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
\r
4291 if( i + 2 > ssl->in_hslen )
\r
4293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
\r
4294 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
\r
4300 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
\r
4302 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
\r
4304 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
\r
4305 " for verify message" ) );
\r
4306 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
\r
4309 #if !defined(MBEDTLS_MD_SHA1)
\r
4310 if( MBEDTLS_MD_SHA1 == md_alg )
\r
4314 /* Info from md_alg will be used instead */
\r
4322 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
\r
4323 == MBEDTLS_PK_NONE )
\r
4325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
\r
4326 " for verify message" ) );
\r
4327 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
\r
4331 * Check the certificate's key type matches the signature alg
\r
4333 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
\r
4335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
\r
4336 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
\r
4342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
\r
4344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
\r
4345 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
\r
4348 if( i + 2 > ssl->in_hslen )
\r
4350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
\r
4351 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
\r
4354 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
\r
4357 if( i + sig_len != ssl->in_hslen )
\r
4359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
\r
4360 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
\r
4363 /* Calculate hash and verify signature */
\r
4364 ssl->handshake->calc_verify( ssl, hash );
\r
4366 if( ( ret = mbedtls_pk_verify( peer_pk,
\r
4367 md_alg, hash_start, hashlen,
\r
4368 ssl->in_msg + i, sig_len ) ) != 0 )
\r
4370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
\r
4374 mbedtls_ssl_update_handshake_status( ssl );
\r
4376 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
\r
4380 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
\r
4382 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
4383 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
\r
4387 uint32_t lifetime;
\r
4389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
\r
4391 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
\r
4392 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
\r
4396 * uint32 ticket_lifetime_hint;
\r
4397 * opaque ticket<0..2^16-1>;
\r
4398 * } NewSessionTicket;
\r
4400 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
\r
4401 * 8 . 9 ticket_len (n)
\r
4402 * 10 . 9+n ticket content
\r
4405 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
\r
4406 ssl->session_negotiate,
\r
4407 ssl->out_msg + 10,
\r
4408 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
\r
4409 &tlen, &lifetime ) ) != 0 )
\r
4411 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
\r
4415 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
\r
4416 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
\r
4417 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
\r
4418 ssl->out_msg[7] = ( lifetime ) & 0xFF;
\r
4420 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
\r
4421 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
\r
4423 ssl->out_msglen = 10 + tlen;
\r
4426 * Morally equivalent to updating ssl->state, but NewSessionTicket and
\r
4427 * ChangeCipherSpec share the same state.
\r
4429 ssl->handshake->new_session_ticket = 0;
\r
4431 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
\r
4433 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
\r
4437 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
\r
4441 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
\r
4444 * SSL handshake -- server side -- single step
\r
4446 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
\r
4450 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
\r
4451 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
\r
4453 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
\r
4455 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
\r
4458 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
4459 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
\r
4460 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
\r
4462 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
\r
4465 #endif /* MBEDTLS_SSL_PROTO_DTLS */
\r
4467 switch( ssl->state )
\r
4469 case MBEDTLS_SSL_HELLO_REQUEST:
\r
4470 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
\r
4476 case MBEDTLS_SSL_CLIENT_HELLO:
\r
4477 ret = ssl_parse_client_hello( ssl );
\r
4480 #if defined(MBEDTLS_SSL_PROTO_DTLS)
\r
4481 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
\r
4482 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
\r
4488 * ( ServerKeyExchange )
\r
4489 * ( CertificateRequest )
\r
4492 case MBEDTLS_SSL_SERVER_HELLO:
\r
4493 ret = ssl_write_server_hello( ssl );
\r
4496 case MBEDTLS_SSL_SERVER_CERTIFICATE:
\r
4497 ret = mbedtls_ssl_write_certificate( ssl );
\r
4500 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
\r
4501 ret = ssl_write_server_key_exchange( ssl );
\r
4504 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
\r
4505 ret = ssl_write_certificate_request( ssl );
\r
4508 case MBEDTLS_SSL_SERVER_HELLO_DONE:
\r
4509 ret = ssl_write_server_hello_done( ssl );
\r
4513 * <== ( Certificate/Alert )
\r
4514 * ClientKeyExchange
\r
4515 * ( CertificateVerify )
\r
4516 * ChangeCipherSpec
\r
4519 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
\r
4520 ret = mbedtls_ssl_parse_certificate( ssl );
\r
4523 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
\r
4524 ret = ssl_parse_client_key_exchange( ssl );
\r
4527 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
\r
4528 ret = ssl_parse_certificate_verify( ssl );
\r
4531 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
\r
4532 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
\r
4535 case MBEDTLS_SSL_CLIENT_FINISHED:
\r
4536 ret = mbedtls_ssl_parse_finished( ssl );
\r
4540 * ==> ( NewSessionTicket )
\r
4541 * ChangeCipherSpec
\r
4544 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
\r
4545 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
\r
4546 if( ssl->handshake->new_session_ticket != 0 )
\r
4547 ret = ssl_write_new_session_ticket( ssl );
\r
4550 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
\r
4553 case MBEDTLS_SSL_SERVER_FINISHED:
\r
4554 ret = mbedtls_ssl_write_finished( ssl );
\r
4557 case MBEDTLS_SSL_FLUSH_BUFFERS:
\r
4558 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
\r
4559 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
\r
4562 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
\r
4563 mbedtls_ssl_handshake_wrapup( ssl );
\r
4567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
\r
4568 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
\r
4573 #endif /* MBEDTLS_SSL_SRV_C */
\r