TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 458b8f2a59b9559ffd6005c0013544f910ebcfef / . / library / ssl_cli.c
blob: 4e5b3a60247f3b76de21f5da24e709ffca795416 [file] [log] [blame]
Gilles Peskine458b8f22020-02-26 18:28:28 +0100[diff] [blame^]1/*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_SSL_CLI_C)
29
30#if defined(MBEDTLS_PLATFORM_C)
31#include "mbedtls/platform.h"
32#else
33#include <stdlib.h>
34#define mbedtls_calloc calloc
35#define mbedtls_free free
36#endif
37
38#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41
42#if defined(MBEDTLS_USE_PSA_CRYPTO)
43#include "mbedtls/psa_util.h"
44#endif /* MBEDTLS_USE_PSA_CRYPTO */
45
46#include <string.h>
47
48#include <stdint.h>
49
50#if defined(MBEDTLS_HAVE_TIME)
51#include "mbedtls/platform_time.h"
52#endif
53
54#if defined(MBEDTLS_SSL_SESSION_TICKETS)
55#include "mbedtls/platform_util.h"
56#endif
57
58#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
59static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
60{
61 if( conf->psk_identity == NULL ||
62 conf->psk_identity_len == 0 )
63 {
64 return( 0 );
65 }
66
67 if( conf->psk != NULL && conf->psk_len != 0 )
68 return( 1 );
69
70#if defined(MBEDTLS_USE_PSA_CRYPTO)
71 if( conf->psk_opaque != 0 )
72 return( 1 );
73#endif /* MBEDTLS_USE_PSA_CRYPTO */
74
75 return( 0 );
76}
77
78#if defined(MBEDTLS_USE_PSA_CRYPTO)
79static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf )
80{
81 if( conf->psk_identity == NULL ||
82 conf->psk_identity_len == 0 )
83 {
84 return( 0 );
85 }
86
87 if( conf->psk != NULL && conf->psk_len != 0 )
88 return( 1 );
89
90 return( 0 );
91}
92#endif /* MBEDTLS_USE_PSA_CRYPTO */
93
94#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
95
96#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
97static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
98 unsigned char *buf,
99 size_t *olen )
100{
101 unsigned char *p = buf;
102 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
103 size_t hostname_len;
104
105 *olen = 0;
106
107 if( ssl->hostname == NULL )
108 return;
109
110 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
111 ssl->hostname ) );
112
113 hostname_len = strlen( ssl->hostname );
114
115 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
116 {
117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
118 return;
119 }
120
121 /*
122 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
123 *
124 * In order to provide any of the server names, clients MAY include an
125 * extension of type "server_name" in the (extended) client hello. The
126 * "extension_data" field of this extension SHALL contain
127 * "ServerNameList" where:
128 *
129 * struct {
130 * NameType name_type;
131 * select (name_type) {
132 * case host_name: HostName;
133 * } name;
134 * } ServerName;
135 *
136 * enum {
137 * host_name(0), (255)
138 * } NameType;
139 *
140 * opaque HostName<1..2^16-1>;
141 *
142 * struct {
143 * ServerName server_name_list<1..2^16-1>
144 * } ServerNameList;
145 *
146 */
147 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
148 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
149
150 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
151 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
152
153 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
154 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
155
156 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
157 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
158 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
159
160 memcpy( p, ssl->hostname, hostname_len );
161
162 *olen = hostname_len + 9;
163}
164#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
165
166#if defined(MBEDTLS_SSL_RENEGOTIATION)
167static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
168 unsigned char *buf,
169 size_t *olen )
170{
171 unsigned char *p = buf;
172 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
173
174 *olen = 0;
175
176 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
177 * initial ClientHello, in which case also adding the renegotiation
178 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
179 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
180 return;
181
182 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
183
184 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
185 {
186 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
187 return;
188 }
189
190 /*
191 * Secure renegotiation
192 */
193 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
194 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
195
196 *p++ = 0x00;
197 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
198 *p++ = ssl->verify_data_len & 0xFF;
199
200 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
201
202 *olen = 5 + ssl->verify_data_len;
203}
204#endif /* MBEDTLS_SSL_RENEGOTIATION */
205
206/*
207 * Only if we handle at least one key exchange that needs signatures.
208 */
209#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
210 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
211static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
212 unsigned char *buf,
213 size_t *olen )
214{
215 unsigned char *p = buf;
216 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
217 size_t sig_alg_len = 0;
218 const int *md;
219#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
220 unsigned char *sig_alg_list = buf + 6;
221#endif
222
223 *olen = 0;
224
225 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
226 return;
227
228 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
229
230 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
231 {
232#if defined(MBEDTLS_ECDSA_C)
233 sig_alg_len += 2;
234#endif
235#if defined(MBEDTLS_RSA_C)
236 sig_alg_len += 2;
237#endif
238 }
239
240 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
241 {
242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
243 return;
244 }
245
246 /*
247 * Prepare signature_algorithms extension (TLS 1.2)
248 */
249 sig_alg_len = 0;
250
251 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
252 {
253#if defined(MBEDTLS_ECDSA_C)
254 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
255 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
256#endif
257#if defined(MBEDTLS_RSA_C)
258 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
259 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
260#endif
261 }
262
263 /*
264 * enum {
265 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
266 * sha512(6), (255)
267 * } HashAlgorithm;
268 *
269 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
270 * SignatureAlgorithm;
271 *
272 * struct {
273 * HashAlgorithm hash;
274 * SignatureAlgorithm signature;
275 * } SignatureAndHashAlgorithm;
276 *
277 * SignatureAndHashAlgorithm
278 * supported_signature_algorithms<2..2^16-2>;
279 */
280 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
281 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
282
283 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
284 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
285
286 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
287 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
288
289 *olen = 6 + sig_alg_len;
290}
291#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
292 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
293
294#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
295 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
296static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
297 unsigned char *buf,
298 size_t *olen )
299{
300 unsigned char *p = buf;
301 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
302 unsigned char *elliptic_curve_list = p + 6;
303 size_t elliptic_curve_len = 0;
304 const mbedtls_ecp_curve_info *info;
305#if defined(MBEDTLS_ECP_C)
306 const mbedtls_ecp_group_id *grp_id;
307#else
308 ((void) ssl);
309#endif
310
311 *olen = 0;
312
313 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
314
315#if defined(MBEDTLS_ECP_C)
316 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
317#else
318 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
319#endif
320 {
321#if defined(MBEDTLS_ECP_C)
322 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
323#endif
324 if( info == NULL )
325 {
326 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
327 return;
328 }
329
330 elliptic_curve_len += 2;
331 }
332
333 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
334 {
335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
336 return;
337 }
338
339 elliptic_curve_len = 0;
340
341#if defined(MBEDTLS_ECP_C)
342 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
343#else
344 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
345#endif
346 {
347#if defined(MBEDTLS_ECP_C)
348 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
349#endif
350 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
351 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
352 }
353
354 if( elliptic_curve_len == 0 )
355 return;
356
357 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
358 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
359
360 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
361 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
362
363 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
364 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
365
366 *olen = 6 + elliptic_curve_len;
367}
368
369static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
370 unsigned char *buf,
371 size_t *olen )
372{
373 unsigned char *p = buf;
374 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
375
376 *olen = 0;
377
378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
379
380 if( end < p || (size_t)( end - p ) < 6 )
381 {
382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
383 return;
384 }
385
386 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
387 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
388
389 *p++ = 0x00;
390 *p++ = 2;
391
392 *p++ = 1;
393 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
394
395 *olen = 6;
396}
397#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
398 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
399
400#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
401static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
402 unsigned char *buf,
403 size_t *olen )
404{
405 int ret;
406 unsigned char *p = buf;
407 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
408 size_t kkpp_len;
409
410 *olen = 0;
411
412 /* Skip costly extension if we can't use EC J-PAKE anyway */
413 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
414 return;
415
416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
417
418 if( end - p < 4 )
419 {
420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
421 return;
422 }
423
424 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
425 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
426
427 /*
428 * We may need to send ClientHello multiple times for Hello verification.
429 * We don't want to compute fresh values every time (both for performance
430 * and consistency reasons), so cache the extension content.
431 */
432 if( ssl->handshake->ecjpake_cache == NULL ||
433 ssl->handshake->ecjpake_cache_len == 0 )
434 {
435 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
436
437 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
438 p + 2, end - p - 2, &kkpp_len,
439 ssl->conf->f_rng, ssl->conf->p_rng );
440 if( ret != 0 )
441 {
442 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
443 return;
444 }
445
446 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
447 if( ssl->handshake->ecjpake_cache == NULL )
448 {
449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
450 return;
451 }
452
453 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
454 ssl->handshake->ecjpake_cache_len = kkpp_len;
455 }
456 else
457 {
458 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
459
460 kkpp_len = ssl->handshake->ecjpake_cache_len;
461
462 if( (size_t)( end - p - 2 ) < kkpp_len )
463 {
464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
465 return;
466 }
467
468 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
469 }
470
471 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
472 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
473
474 *olen = kkpp_len + 4;
475}
476#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
477
478#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
479static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
480 unsigned char *buf,
481 size_t *olen )
482{
483 unsigned char *p = buf;
484 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
485
486 *olen = 0;
487
488 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
489 return;
490 }
491
492 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
493
494 if( end < p || (size_t)( end - p ) < 5 )
495 {
496 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
497 return;
498 }
499
500 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
501 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
502
503 *p++ = 0x00;
504 *p++ = 1;
505
506 *p++ = ssl->conf->mfl_code;
507
508 *olen = 5;
509}
510#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
511
512#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
513static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
514 unsigned char *buf, size_t *olen )
515{
516 unsigned char *p = buf;
517 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
518
519 *olen = 0;
520
521 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
522 {
523 return;
524 }
525
526 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
527
528 if( end < p || (size_t)( end - p ) < 4 )
529 {
530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
531 return;
532 }
533
534 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
535 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
536
537 *p++ = 0x00;
538 *p++ = 0x00;
539
540 *olen = 4;
541}
542#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
543
544#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
545static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
546 unsigned char *buf, size_t *olen )
547{
548 unsigned char *p = buf;
549 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
550
551 *olen = 0;
552
553 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
554 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
555 {
556 return;
557 }
558
559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
560 "extension" ) );
561
562 if( end < p || (size_t)( end - p ) < 4 )
563 {
564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
565 return;
566 }
567
568 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
569 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
570
571 *p++ = 0x00;
572 *p++ = 0x00;
573
574 *olen = 4;
575}
576#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
577
578#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
579static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
580 unsigned char *buf, size_t *olen )
581{
582 unsigned char *p = buf;
583 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
584
585 *olen = 0;
586
587 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
588 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
589 {
590 return;
591 }
592
593 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
594 "extension" ) );
595
596 if( end < p || (size_t)( end - p ) < 4 )
597 {
598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
599 return;
600 }
601
602 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
603 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
604
605 *p++ = 0x00;
606 *p++ = 0x00;
607
608 *olen = 4;
609}
610#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
611
612#if defined(MBEDTLS_SSL_SESSION_TICKETS)
613static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
614 unsigned char *buf, size_t *olen )
615{
616 unsigned char *p = buf;
617 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
618 size_t tlen = ssl->session_negotiate->ticket_len;
619
620 *olen = 0;
621
622 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
623 {
624 return;
625 }
626
627 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
628
629 if( end < p || (size_t)( end - p ) < 4 + tlen )
630 {
631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
632 return;
633 }
634
635 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
636 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
637
638 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
639 *p++ = (unsigned char)( ( tlen ) & 0xFF );
640
641 *olen = 4;
642
643 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
644 {
645 return;
646 }
647
648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
649
650 memcpy( p, ssl->session_negotiate->ticket, tlen );
651
652 *olen += tlen;
653}
654#endif /* MBEDTLS_SSL_SESSION_TICKETS */
655
656#if defined(MBEDTLS_SSL_ALPN)
657static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
658 unsigned char *buf, size_t *olen )
659{
660 unsigned char *p = buf;
661 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
662 size_t alpnlen = 0;
663 const char **cur;
664
665 *olen = 0;
666
667 if( ssl->conf->alpn_list == NULL )
668 {
669 return;
670 }
671
672 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
673
674 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
675 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
676
677 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
678 {
679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
680 return;
681 }
682
683 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
684 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
685
686 /*
687 * opaque ProtocolName<1..2^8-1>;
688 *
689 * struct {
690 * ProtocolName protocol_name_list<2..2^16-1>
691 * } ProtocolNameList;
692 */
693
694 /* Skip writing extension and list length for now */
695 p += 4;
696
697 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
698 {
699 *p = (unsigned char)( strlen( *cur ) & 0xFF );
700 memcpy( p + 1, *cur, *p );
701 p += 1 + *p;
702 }
703
704 *olen = p - buf;
705
706 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
707 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
708 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
709
710 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
711 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
712 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
713}
714#endif /* MBEDTLS_SSL_ALPN */
715
716/*
717 * Generate random bytes for ClientHello
718 */
719static int ssl_generate_random( mbedtls_ssl_context *ssl )
720{
721 int ret;
722 unsigned char *p = ssl->handshake->randbytes;
723#if defined(MBEDTLS_HAVE_TIME)
724 mbedtls_time_t t;
725#endif
726
727 /*
728 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
729 */
730#if defined(MBEDTLS_SSL_PROTO_DTLS)
731 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
732 ssl->handshake->verify_cookie != NULL )
733 {
734 return( 0 );
735 }
736#endif
737
738#if defined(MBEDTLS_HAVE_TIME)
739 t = mbedtls_time( NULL );
740 *p++ = (unsigned char)( t >> 24 );
741 *p++ = (unsigned char)( t >> 16 );
742 *p++ = (unsigned char)( t >> 8 );
743 *p++ = (unsigned char)( t );
744
745 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
746#else
747 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
748 return( ret );
749
750 p += 4;
751#endif /* MBEDTLS_HAVE_TIME */
752
753 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
754 return( ret );
755
756 return( 0 );
757}
758
759/**
760 * \brief Validate cipher suite against config in SSL context.
761 *
762 * \param suite_info cipher suite to validate
763 * \param ssl SSL context
764 * \param min_minor_ver Minimal minor version to accept a cipher suite
765 * \param max_minor_ver Maximal minor version to accept a cipher suite
766 *
767 * \return 0 if valid, else 1
768 */
769static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
770 const mbedtls_ssl_context * ssl,
771 int min_minor_ver, int max_minor_ver )
772{
773 (void) ssl;
774 if( suite_info == NULL )
775 return( 1 );
776
777 if( suite_info->min_minor_ver > max_minor_ver ||
778 suite_info->max_minor_ver < min_minor_ver )
779 return( 1 );
780
781#if defined(MBEDTLS_SSL_PROTO_DTLS)
782 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
783 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
784 return( 1 );
785#endif
786
787#if defined(MBEDTLS_ARC4_C)
788 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
789 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
790 return( 1 );
791#endif
792
793#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
794 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
795 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
796 return( 1 );
797#endif
798
799 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
800#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
801 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
802 ssl_conf_has_static_psk( ssl->conf ) == 0 )
803 {
804 return( 1 );
805 }
806#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
807
808 return( 0 );
809}
810
811static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
812{
813 int ret;
814 size_t i, n, olen, ext_len = 0;
815 unsigned char *buf;
816 unsigned char *p, *q;
817 unsigned char offer_compress;
818 const int *ciphersuites;
819 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
820#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
821 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
822 int uses_ec = 0;
823#endif
824
825 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
826
827 if( ssl->conf->f_rng == NULL )
828 {
829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
830 return( MBEDTLS_ERR_SSL_NO_RNG );
831 }
832
833#if defined(MBEDTLS_SSL_RENEGOTIATION)
834 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
835#endif
836 {
837 ssl->major_ver = ssl->conf->min_major_ver;
838 ssl->minor_ver = ssl->conf->min_minor_ver;
839 }
840
841 if( ssl->conf->max_major_ver == 0 )
842 {
843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
844 "consider using mbedtls_ssl_config_defaults()" ) );
845 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
846 }
847
848 /*
849 * 0 . 0 handshake type
850 * 1 . 3 handshake length
851 * 4 . 5 highest version supported
852 * 6 . 9 current UNIX time
853 * 10 . 37 random bytes
854 */
855 buf = ssl->out_msg;
856 p = buf + 4;
857
858 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
859 ssl->conf->transport, p );
860 p += 2;
861
862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
863 buf[4], buf[5] ) );
864
865 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
866 {
867 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
868 return( ret );
869 }
870
871 memcpy( p, ssl->handshake->randbytes, 32 );
872 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
873 p += 32;
874
875 /*
876 * 38 . 38 session id length
877 * 39 . 39+n session id
878 * 39+n . 39+n DTLS only: cookie length (1 byte)
879 * 40+n . .. DTSL only: cookie
880 * .. . .. ciphersuitelist length (2 bytes)
881 * .. . .. ciphersuitelist
882 * .. . .. compression methods length (1 byte)
883 * .. . .. compression methods
884 * .. . .. extensions length (2 bytes)
885 * .. . .. extensions
886 */
887 n = ssl->session_negotiate->id_len;
888
889 if( n < 16 || n > 32 ||
890#if defined(MBEDTLS_SSL_RENEGOTIATION)
891 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
892#endif
893 ssl->handshake->resume == 0 )
894 {
895 n = 0;
896 }
897
898#if defined(MBEDTLS_SSL_SESSION_TICKETS)
899 /*
900 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
901 * generate and include a Session ID in the TLS ClientHello."
902 */
903#if defined(MBEDTLS_SSL_RENEGOTIATION)
904 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
905#endif
906 {
907 if( ssl->session_negotiate->ticket != NULL &&
908 ssl->session_negotiate->ticket_len != 0 )
909 {
910 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
911
912 if( ret != 0 )
913 return( ret );
914
915 ssl->session_negotiate->id_len = n = 32;
916 }
917 }
918#endif /* MBEDTLS_SSL_SESSION_TICKETS */
919
920 *p++ = (unsigned char) n;
921
922 for( i = 0; i < n; i++ )
923 *p++ = ssl->session_negotiate->id[i];
924
925 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
926 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
927
928 /*
929 * DTLS cookie
930 */
931#if defined(MBEDTLS_SSL_PROTO_DTLS)
932 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
933 {
934 if( ssl->handshake->verify_cookie == NULL )
935 {
936 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
937 *p++ = 0;
938 }
939 else
940 {
941 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
942 ssl->handshake->verify_cookie,
943 ssl->handshake->verify_cookie_len );
944
945 *p++ = ssl->handshake->verify_cookie_len;
946 memcpy( p, ssl->handshake->verify_cookie,
947 ssl->handshake->verify_cookie_len );
948 p += ssl->handshake->verify_cookie_len;
949 }
950 }
951#endif
952
953 /*
954 * Ciphersuite list
955 */
956 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
957
958 /* Skip writing ciphersuite length for now */
959 n = 0;
960 q = p;
961 p += 2;
962
963 for( i = 0; ciphersuites[i] != 0; i++ )
964 {
965 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
966
967 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
968 ssl->conf->min_minor_ver,
969 ssl->conf->max_minor_ver ) != 0 )
970 continue;
971
972 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
973 ciphersuites[i] ) );
974
975#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
976 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
977 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
978#endif
979
980 n++;
981 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
982 *p++ = (unsigned char)( ciphersuites[i] );
983 }
984
985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
986
987 /*
988 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
989 */
990#if defined(MBEDTLS_SSL_RENEGOTIATION)
991 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
992#endif
993 {
994 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
995 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
996 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
997 n++;
998 }
999
1000 /* Some versions of OpenSSL don't handle it correctly if not at end */
1001#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1002 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
1003 {
1004 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1005 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1006 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
1007 n++;
1008 }
1009#endif
1010
1011 *q++ = (unsigned char)( n >> 7 );
1012 *q++ = (unsigned char)( n << 1 );
1013
1014#if defined(MBEDTLS_ZLIB_SUPPORT)
1015 offer_compress = 1;
1016#else
1017 offer_compress = 0;
1018#endif
1019
1020 /*
1021 * We don't support compression with DTLS right now: if many records come
1022 * in the same datagram, uncompressing one could overwrite the next one.
1023 * We don't want to add complexity for handling that case unless there is
1024 * an actual need for it.
1025 */
1026#if defined(MBEDTLS_SSL_PROTO_DTLS)
1027 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1028 offer_compress = 0;
1029#endif
1030
1031 if( offer_compress )
1032 {
1033 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1034 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1035 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
1036
1037 *p++ = 2;
1038 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1039 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1040 }
1041 else
1042 {
1043 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1044 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1045 MBEDTLS_SSL_COMPRESS_NULL ) );
1046
1047 *p++ = 1;
1048 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1049 }
1050
1051 // First write extensions, then the total length
1052 //
1053#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1054 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1055 ext_len += olen;
1056#endif
1057
1058 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1059 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
1060#if defined(MBEDTLS_SSL_RENEGOTIATION)
1061 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1062 ext_len += olen;
1063#endif
1064
1065#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1066 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1067 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1068 ext_len += olen;
1069#endif
1070
1071#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1072 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1073 if( uses_ec )
1074 {
1075 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1076 ext_len += olen;
1077
1078 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1079 ext_len += olen;
1080 }
1081#endif
1082
1083#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1084 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1085 ext_len += olen;
1086#endif
1087
1088#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1089 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1090 ext_len += olen;
1091#endif
1092
1093#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1094 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1095 ext_len += olen;
1096#endif
1097
1098#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1099 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1100 ext_len += olen;
1101#endif
1102
1103#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1104 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1105 ext_len += olen;
1106#endif
1107
1108#if defined(MBEDTLS_SSL_ALPN)
1109 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1110 ext_len += olen;
1111#endif
1112
1113#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1114 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1115 ext_len += olen;
1116#endif
1117
1118 /* olen unused if all extensions are disabled */
1119 ((void) olen);
1120
1121 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1122 ext_len ) );
1123
1124 if( ext_len > 0 )
1125 {
1126 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1127 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1128 p += ext_len;
1129 }
1130
1131 ssl->out_msglen = p - buf;
1132 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1133 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1134
1135 ssl->state++;
1136
1137#if defined(MBEDTLS_SSL_PROTO_DTLS)
1138 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1139 mbedtls_ssl_send_flight_completed( ssl );
1140#endif
1141
1142 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
1143 {
1144 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
1145 return( ret );
1146 }
1147
1148#if defined(MBEDTLS_SSL_PROTO_DTLS)
1149 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1150 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1151 {
1152 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1153 return( ret );
1154 }
1155#endif /* MBEDTLS_SSL_PROTO_DTLS */
1156
1157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1158
1159 return( 0 );
1160}
1161
1162static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1163 const unsigned char *buf,
1164 size_t len )
1165{
1166#if defined(MBEDTLS_SSL_RENEGOTIATION)
1167 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1168 {
1169 /* Check verify-data in constant-time. The length OTOH is no secret */
1170 if( len != 1 + ssl->verify_data_len * 2 ||
1171 buf[0] != ssl->verify_data_len * 2 ||
1172 mbedtls_ssl_safer_memcmp( buf + 1,
1173 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1174 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
1175 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1176 {
1177 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1178 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1179 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1180 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1181 }
1182 }
1183 else
1184#endif /* MBEDTLS_SSL_RENEGOTIATION */
1185 {
1186 if( len != 1 || buf[0] != 0x00 )
1187 {
1188 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
1189 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1190 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1191 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1192 }
1193
1194 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1195 }
1196
1197 return( 0 );
1198}
1199
1200#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1201static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1202 const unsigned char *buf,
1203 size_t len )
1204{
1205 /*
1206 * server should use the extension only if we did,
1207 * and if so the server's value should match ours (and len is always 1)
1208 */
1209 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1210 len != 1 ||
1211 buf[0] != ssl->conf->mfl_code )
1212 {
1213 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
1214 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1215 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1216 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1217 }
1218
1219 return( 0 );
1220}
1221#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1222
1223#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1224static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1225 const unsigned char *buf,
1226 size_t len )
1227{
1228 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1229 len != 0 )
1230 {
1231 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
1232 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1233 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1234 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1235 }
1236
1237 ((void) buf);
1238
1239 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1240
1241 return( 0 );
1242}
1243#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1244
1245#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1246static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1247 const unsigned char *buf,
1248 size_t len )
1249{
1250 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1251 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1252 len != 0 )
1253 {
1254 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
1255 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1256 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1257 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1258 }
1259
1260 ((void) buf);
1261
1262 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1263
1264 return( 0 );
1265}
1266#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1267
1268#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1269static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1270 const unsigned char *buf,
1271 size_t len )
1272{
1273 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1274 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1275 len != 0 )
1276 {
1277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
1278 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1279 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1280 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1281 }
1282
1283 ((void) buf);
1284
1285 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1286
1287 return( 0 );
1288}
1289#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1290
1291#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1292static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1293 const unsigned char *buf,
1294 size_t len )
1295{
1296 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1297 len != 0 )
1298 {
1299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
1300 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1301 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1302 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1303 }
1304
1305 ((void) buf);
1306
1307 ssl->handshake->new_session_ticket = 1;
1308
1309 return( 0 );
1310}
1311#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1312
1313#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1314 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1315static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1316 const unsigned char *buf,
1317 size_t len )
1318{
1319 size_t list_size;
1320 const unsigned char *p;
1321
1322 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
1323 {
1324 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1325 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1326 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1327 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1328 }
1329 list_size = buf[0];
1330
1331 p = buf + 1;
1332 while( list_size > 0 )
1333 {
1334 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1335 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1336 {
1337#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1338 ssl->handshake->ecdh_ctx.point_format = p[0];
1339#endif
1340#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1341 ssl->handshake->ecjpake_ctx.point_format = p[0];
1342#endif
1343 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1344 return( 0 );
1345 }
1346
1347 list_size--;
1348 p++;
1349 }
1350
1351 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1352 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1353 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1354 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1355}
1356#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1357 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1358
1359#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1360static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1361 const unsigned char *buf,
1362 size_t len )
1363{
1364 int ret;
1365
1366 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1367 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1368 {
1369 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1370 return( 0 );
1371 }
1372
1373 /* If we got here, we no longer need our cached extension */
1374 mbedtls_free( ssl->handshake->ecjpake_cache );
1375 ssl->handshake->ecjpake_cache = NULL;
1376 ssl->handshake->ecjpake_cache_len = 0;
1377
1378 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1379 buf, len ) ) != 0 )
1380 {
1381 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1382 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1383 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1384 return( ret );
1385 }
1386
1387 return( 0 );
1388}
1389#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1390
1391#if defined(MBEDTLS_SSL_ALPN)
1392static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1393 const unsigned char *buf, size_t len )
1394{
1395 size_t list_len, name_len;
1396 const char **p;
1397
1398 /* If we didn't send it, the server shouldn't send it */
1399 if( ssl->conf->alpn_list == NULL )
1400 {
1401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
1402 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1403 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1404 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1405 }
1406
1407 /*
1408 * opaque ProtocolName<1..2^8-1>;
1409 *
1410 * struct {
1411 * ProtocolName protocol_name_list<2..2^16-1>
1412 * } ProtocolNameList;
1413 *
1414 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1415 */
1416
1417 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1418 if( len < 4 )
1419 {
1420 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1421 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1422 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1423 }
1424
1425 list_len = ( buf[0] << 8 ) | buf[1];
1426 if( list_len != len - 2 )
1427 {
1428 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1429 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1430 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1431 }
1432
1433 name_len = buf[2];
1434 if( name_len != list_len - 1 )
1435 {
1436 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1437 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1438 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1439 }
1440
1441 /* Check that the server chosen protocol was in our list and save it */
1442 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1443 {
1444 if( name_len == strlen( *p ) &&
1445 memcmp( buf + 3, *p, name_len ) == 0 )
1446 {
1447 ssl->alpn_chosen = *p;
1448 return( 0 );
1449 }
1450 }
1451
1452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
1453 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1454 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1455 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1456}
1457#endif /* MBEDTLS_SSL_ALPN */
1458
1459/*
1460 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1461 */
1462#if defined(MBEDTLS_SSL_PROTO_DTLS)
1463static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1464{
1465 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1466 int major_ver, minor_ver;
1467 unsigned char cookie_len;
1468
1469 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1470
1471 /*
1472 * struct {
1473 * ProtocolVersion server_version;
1474 * opaque cookie<0..2^8-1>;
1475 * } HelloVerifyRequest;
1476 */
1477 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1478 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1479 p += 2;
1480
1481 /*
1482 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1483 * even is lower than our min version.
1484 */
1485 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1486 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1487 major_ver > ssl->conf->max_major_ver ||
1488 minor_ver > ssl->conf->max_minor_ver )
1489 {
1490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1491
1492 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1493 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1494
1495 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1496 }
1497
1498 cookie_len = *p++;
1499 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1500
1501 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1502 {
1503 MBEDTLS_SSL_DEBUG_MSG( 1,
1504 ( "cookie length does not match incoming message size" ) );
1505 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1506 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1507 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1508 }
1509
1510 mbedtls_free( ssl->handshake->verify_cookie );
1511
1512 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1513 if( ssl->handshake->verify_cookie == NULL )
1514 {
1515 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1516 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1517 }
1518
1519 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1520 ssl->handshake->verify_cookie_len = cookie_len;
1521
1522 /* Start over at ClientHello */
1523 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1524 mbedtls_ssl_reset_checksum( ssl );
1525
1526 mbedtls_ssl_recv_flight_completed( ssl );
1527
1528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1529
1530 return( 0 );
1531}
1532#endif /* MBEDTLS_SSL_PROTO_DTLS */
1533
1534static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1535{
1536 int ret, i;
1537 size_t n;
1538 size_t ext_len;
1539 unsigned char *buf, *ext;
1540 unsigned char comp;
1541#if defined(MBEDTLS_ZLIB_SUPPORT)
1542 int accept_comp;
1543#endif
1544#if defined(MBEDTLS_SSL_RENEGOTIATION)
1545 int renegotiation_info_seen = 0;
1546#endif
1547 int handshake_failure = 0;
1548 const mbedtls_ssl_ciphersuite_t *suite_info;
1549
1550 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1551
1552 buf = ssl->in_msg;
1553
1554 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
1555 {
1556 /* No alert on a read error. */
1557 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1558 return( ret );
1559 }
1560
1561 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1562 {
1563#if defined(MBEDTLS_SSL_RENEGOTIATION)
1564 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1565 {
1566 ssl->renego_records_seen++;
1567
1568 if( ssl->conf->renego_max_records >= 0 &&
1569 ssl->renego_records_seen > ssl->conf->renego_max_records )
1570 {
1571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
1572 "but not honored by server" ) );
1573 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1574 }
1575
1576 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1577
1578 ssl->keep_current_message = 1;
1579 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1580 }
1581#endif /* MBEDTLS_SSL_RENEGOTIATION */
1582
1583 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1584 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1585 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1586 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1587 }
1588
1589#if defined(MBEDTLS_SSL_PROTO_DTLS)
1590 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1591 {
1592 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1593 {
1594 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1596 return( ssl_parse_hello_verify_request( ssl ) );
1597 }
1598 else
1599 {
1600 /* We made it through the verification process */
1601 mbedtls_free( ssl->handshake->verify_cookie );
1602 ssl->handshake->verify_cookie = NULL;
1603 ssl->handshake->verify_cookie_len = 0;
1604 }
1605 }
1606#endif /* MBEDTLS_SSL_PROTO_DTLS */
1607
1608 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1609 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1610 {
1611 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1612 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1613 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1614 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1615 }
1616
1617 /*
1618 * 0 . 1 server_version
1619 * 2 . 33 random (maybe including 4 bytes of Unix time)
1620 * 34 . 34 session_id length = n
1621 * 35 . 34+n session_id
1622 * 35+n . 36+n cipher_suite
1623 * 37+n . 37+n compression_method
1624 *
1625 * 38+n . 39+n extensions length (optional)
1626 * 40+n . .. extensions
1627 */
1628 buf += mbedtls_ssl_hs_hdr_len( ssl );
1629
1630 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1631 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1632 ssl->conf->transport, buf + 0 );
1633
1634 if( ssl->major_ver < ssl->conf->min_major_ver ||
1635 ssl->minor_ver < ssl->conf->min_minor_ver ||
1636 ssl->major_ver > ssl->conf->max_major_ver ||
1637 ssl->minor_ver > ssl->conf->max_minor_ver )
1638 {
1639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
1640 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1641 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
1642 ssl->major_ver, ssl->minor_ver,
1643 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
1644
1645 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1646 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1647
1648 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1649 }
1650
1651 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1652 ( (uint32_t) buf[2] << 24 ) |
1653 ( (uint32_t) buf[3] << 16 ) |
1654 ( (uint32_t) buf[4] << 8 ) |
1655 ( (uint32_t) buf[5] ) ) );
1656
1657 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1658
1659 n = buf[34];
1660
1661 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1662
1663 if( n > 32 )
1664 {
1665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1666 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1667 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1668 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1669 }
1670
1671 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1672 {
1673 ext_len = ( ( buf[38 + n] << 8 )
1674 | ( buf[39 + n] ) );
1675
1676 if( ( ext_len > 0 && ext_len < 4 ) ||
1677 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1678 {
1679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1680 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1681 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1682 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1683 }
1684 }
1685 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1686 {
1687 ext_len = 0;
1688 }
1689 else
1690 {
1691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1692 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1693 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1694 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1695 }
1696
1697 /* ciphersuite (used later) */
1698 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1699
1700 /*
1701 * Read and check compression
1702 */
1703 comp = buf[37 + n];
1704
1705#if defined(MBEDTLS_ZLIB_SUPPORT)
1706 /* See comments in ssl_write_client_hello() */
1707#if defined(MBEDTLS_SSL_PROTO_DTLS)
1708 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1709 accept_comp = 0;
1710 else
1711#endif
1712 accept_comp = 1;
1713
1714 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1715 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1716#else /* MBEDTLS_ZLIB_SUPPORT */
1717 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1718#endif/* MBEDTLS_ZLIB_SUPPORT */
1719 {
1720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
1721 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1722 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1723 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1724 }
1725
1726 /*
1727 * Initialize update checksum functions
1728 */
1729 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
1730
1731 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1732 {
1733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1734 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1735 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1736 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1737 }
1738
1739 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1740
1741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1742 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1743
1744 /*
1745 * Check if the session can be resumed
1746 */
1747 if( ssl->handshake->resume == 0 || n == 0 ||
1748#if defined(MBEDTLS_SSL_RENEGOTIATION)
1749 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1750#endif
1751 ssl->session_negotiate->ciphersuite != i ||
1752 ssl->session_negotiate->compression != comp ||
1753 ssl->session_negotiate->id_len != n ||
1754 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1755 {
1756 ssl->state++;
1757 ssl->handshake->resume = 0;
1758#if defined(MBEDTLS_HAVE_TIME)
1759 ssl->session_negotiate->start = mbedtls_time( NULL );
1760#endif
1761 ssl->session_negotiate->ciphersuite = i;
1762 ssl->session_negotiate->compression = comp;
1763 ssl->session_negotiate->id_len = n;
1764 memcpy( ssl->session_negotiate->id, buf + 35, n );
1765 }
1766 else
1767 {
1768 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1769
1770 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1771 {
1772 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1773 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1774 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1775 return( ret );
1776 }
1777 }
1778
1779 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1780 ssl->handshake->resume ? "a" : "no" ) );
1781
1782 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
1783 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
1784
1785 /*
1786 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1787 */
1788 i = 0;
1789 while( 1 )
1790 {
1791 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1792 {
1793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1794 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1795 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1796 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1797 }
1798
1799 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1800 ssl->session_negotiate->ciphersuite )
1801 {
1802 break;
1803 }
1804 }
1805
1806 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
1807 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
1808 {
1809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1810 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1811 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1812 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1813 }
1814
1815 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1816
1817#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
1818 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1819 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1820 {
1821 ssl->handshake->ecrs_enabled = 1;
1822 }
1823#endif
1824
1825 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1826#if defined(MBEDTLS_ZLIB_SUPPORT)
1827 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
1828#endif
1829 )
1830 {
1831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1832 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1833 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1834 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1835 }
1836 ssl->session_negotiate->compression = comp;
1837
1838 ext = buf + 40 + n;
1839
1840 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1841
1842 while( ext_len )
1843 {
1844 unsigned int ext_id = ( ( ext[0] << 8 )
1845 | ( ext[1] ) );
1846 unsigned int ext_size = ( ( ext[2] << 8 )
1847 | ( ext[3] ) );
1848
1849 if( ext_size + 4 > ext_len )
1850 {
1851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1852 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1853 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1854 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1855 }
1856
1857 switch( ext_id )
1858 {
1859 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1861#if defined(MBEDTLS_SSL_RENEGOTIATION)
1862 renegotiation_info_seen = 1;
1863#endif
1864
1865 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1866 ext_size ) ) != 0 )
1867 return( ret );
1868
1869 break;
1870
1871#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1872 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1873 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1874
1875 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1876 ext + 4, ext_size ) ) != 0 )
1877 {
1878 return( ret );
1879 }
1880
1881 break;
1882#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1883
1884#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1885 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1886 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1887
1888 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1889 ext + 4, ext_size ) ) != 0 )
1890 {
1891 return( ret );
1892 }
1893
1894 break;
1895#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1896
1897#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1898 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1899 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
1900
1901 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1902 ext + 4, ext_size ) ) != 0 )
1903 {
1904 return( ret );
1905 }
1906
1907 break;
1908#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1909
1910#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1911 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1912 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
1913
1914 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1915 ext + 4, ext_size ) ) != 0 )
1916 {
1917 return( ret );
1918 }
1919
1920 break;
1921#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1922
1923#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1924 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1925 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
1926
1927 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1928 ext + 4, ext_size ) ) != 0 )
1929 {
1930 return( ret );
1931 }
1932
1933 break;
1934#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1935
1936#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1937 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1938 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1940
1941 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1942 ext + 4, ext_size ) ) != 0 )
1943 {
1944 return( ret );
1945 }
1946
1947 break;
1948#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1949 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1950
1951#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1952 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
1954
1955 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
1956 ext + 4, ext_size ) ) != 0 )
1957 {
1958 return( ret );
1959 }
1960
1961 break;
1962#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1963
1964#if defined(MBEDTLS_SSL_ALPN)
1965 case MBEDTLS_TLS_EXT_ALPN:
1966 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1967
1968 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1969 return( ret );
1970
1971 break;
1972#endif /* MBEDTLS_SSL_ALPN */
1973
1974 default:
1975 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1976 ext_id ) );
1977 }
1978
1979 ext_len -= 4 + ext_size;
1980 ext += 4 + ext_size;
1981
1982 if( ext_len > 0 && ext_len < 4 )
1983 {
1984 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1985 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1986 }
1987 }
1988
1989 /*
1990 * Renegotiation security checks
1991 */
1992 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1993 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1994 {
1995 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1996 handshake_failure = 1;
1997 }
1998#if defined(MBEDTLS_SSL_RENEGOTIATION)
1999 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2000 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2001 renegotiation_info_seen == 0 )
2002 {
2003 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
2004 handshake_failure = 1;
2005 }
2006 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2007 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2008 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
2009 {
2010 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2011 handshake_failure = 1;
2012 }
2013 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2014 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2015 renegotiation_info_seen == 1 )
2016 {
2017 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
2018 handshake_failure = 1;
2019 }
2020#endif /* MBEDTLS_SSL_RENEGOTIATION */
2021
2022 if( handshake_failure == 1 )
2023 {
2024 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2025 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2026 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2027 }
2028
2029 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
2030
2031 return( 0 );
2032}
2033
2034#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2035 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2036static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
2037 unsigned char *end )
2038{
2039 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2040
2041 /*
2042 * Ephemeral DH parameters:
2043 *
2044 * struct {
2045 * opaque dh_p<1..2^16-1>;
2046 * opaque dh_g<1..2^16-1>;
2047 * opaque dh_Ys<1..2^16-1>;
2048 * } ServerDHParams;
2049 */
2050 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
2051 {
2052 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
2053 return( ret );
2054 }
2055
2056 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
2057 {
2058 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2059 ssl->handshake->dhm_ctx.len * 8,
2060 ssl->conf->dhm_min_bitlen ) );
2061 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2062 }
2063
2064 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2065 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2066 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2067
2068 return( ret );
2069}
2070#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2071 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2072
2073#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2074 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2075 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2076 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2077 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2078static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
2079{
2080 const mbedtls_ecp_curve_info *curve_info;
2081 mbedtls_ecp_group_id grp_id;
2082#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2083 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2084#else
2085 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2086#endif
2087
2088 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
2089 if( curve_info == NULL )
2090 {
2091 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2092 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2093 }
2094
2095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
2096
2097#if defined(MBEDTLS_ECP_C)
2098 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
2099#else
2100 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2101 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
2102#endif
2103 return( -1 );
2104
2105 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2106 MBEDTLS_DEBUG_ECDH_QP );
2107
2108 return( 0 );
2109}
2110#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2111 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2112 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2113 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2114 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2115
2116#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2117 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2118 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
2119static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl,
2120 unsigned char **p,
2121 unsigned char *end )
2122{
2123 uint16_t tls_id;
2124 uint8_t ecpoint_len;
2125 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2126
2127 /*
2128 * Parse ECC group
2129 */
2130
2131 if( end - *p < 4 )
2132 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2133
2134 /* First byte is curve_type; only named_curve is handled */
2135 if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
2136 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2137
2138 /* Next two bytes are the namedcurve value */
2139 tls_id = *(*p)++;
2140 tls_id <<= 8;
2141 tls_id |= *(*p)++;
2142
2143 /* Convert EC group to PSA key type. */
2144 if( ( handshake->ecdh_psa_curve =
2145 mbedtls_psa_parse_tls_ecc_group( tls_id ) ) == 0 )
2146 {
2147 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2148 }
2149
2150 /*
2151 * Put peer's ECDH public key in the format understood by PSA.
2152 */
2153
2154 ecpoint_len = *(*p)++;
2155 if( (size_t)( end - *p ) < ecpoint_len )
2156 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2157
2158 if( mbedtls_psa_tls_ecpoint_to_psa_ec( handshake->ecdh_psa_curve,
2159 *p, ecpoint_len,
2160 handshake->ecdh_psa_peerkey,
2161 sizeof( handshake->ecdh_psa_peerkey ),
2162 &handshake->ecdh_psa_peerkey_len ) != 0 )
2163 {
2164 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2165 }
2166
2167 *p += ecpoint_len;
2168 return( 0 );
2169}
2170#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2171 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2172 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2173
2174#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2175 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2176 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2177static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
2178 unsigned char **p,
2179 unsigned char *end )
2180{
2181 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2182
2183 /*
2184 * Ephemeral ECDH parameters:
2185 *
2186 * struct {
2187 * ECParameters curve_params;
2188 * ECPoint public;
2189 * } ServerECDHParams;
2190 */
2191 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
2192 (const unsigned char **) p, end ) ) != 0 )
2193 {
2194 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
2195#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2196 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2197 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2198#endif
2199 return( ret );
2200 }
2201
2202 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2203 {
2204 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2205 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2206 }
2207
2208 return( ret );
2209}
2210#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2211 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2212 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2213
2214#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2215static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
2216 unsigned char **p,
2217 unsigned char *end )
2218{
2219 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2220 size_t len;
2221 ((void) ssl);
2222
2223 /*
2224 * PSK parameters:
2225 *
2226 * opaque psk_identity_hint<0..2^16-1>;
2227 */
2228 if( end - (*p) < 2 )
2229 {
2230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2231 "(psk_identity_hint length)" ) );
2232 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2233 }
2234 len = (*p)[0] << 8 | (*p)[1];
2235 *p += 2;
2236
2237 if( end - (*p) < (int) len )
2238 {
2239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2240 "(psk_identity_hint length)" ) );
2241 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2242 }
2243
2244 /*
2245 * Note: we currently ignore the PKS identity hint, as we only allow one
2246 * PSK to be provisionned on the client. This could be changed later if
2247 * someone needs that feature.
2248 */
2249 *p += len;
2250 ret = 0;
2251
2252 return( ret );
2253}
2254#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2255
2256#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2257 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2258/*
2259 * Generate a pre-master secret and encrypt it with the server's RSA key
2260 */
2261static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
2262 size_t offset, size_t *olen,
2263 size_t pms_offset )
2264{
2265 int ret;
2266 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2267 unsigned char *p = ssl->handshake->premaster + pms_offset;
2268 mbedtls_pk_context * peer_pk;
2269
2270 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
2271 {
2272 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2273 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2274 }
2275
2276 /*
2277 * Generate (part of) the pre-master as
2278 * struct {
2279 * ProtocolVersion client_version;
2280 * opaque random[46];
2281 * } PreMasterSecret;
2282 */
2283 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2284 ssl->conf->transport, p );
2285
2286 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2287 {
2288 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2289 return( ret );
2290 }
2291
2292 ssl->handshake->pmslen = 48;
2293
2294#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2295 peer_pk = &ssl->handshake->peer_pubkey;
2296#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2297 if( ssl->session_negotiate->peer_cert == NULL )
2298 {
2299 /* Should never happen */
2300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2301 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2302 }
2303 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2304#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2305
2306 /*
2307 * Now write it out, encrypted
2308 */
2309 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
2310 {
2311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2312 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2313 }
2314
2315 if( ( ret = mbedtls_pk_encrypt( peer_pk,
2316 p, ssl->handshake->pmslen,
2317 ssl->out_msg + offset + len_bytes, olen,
2318 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
2319 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2320 {
2321 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2322 return( ret );
2323 }
2324
2325#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2326 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2327 if( len_bytes == 2 )
2328 {
2329 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2330 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2331 *olen += 2;
2332 }
2333#endif
2334
2335#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2336 /* We don't need the peer's public key anymore. Free it. */
2337 mbedtls_pk_free( peer_pk );
2338#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2339 return( 0 );
2340}
2341#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2342 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2343
2344#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2345#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2346 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2347 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2348static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2349 unsigned char **p,
2350 unsigned char *end,
2351 mbedtls_md_type_t *md_alg,
2352 mbedtls_pk_type_t *pk_alg )
2353{
2354 ((void) ssl);
2355 *md_alg = MBEDTLS_MD_NONE;
2356 *pk_alg = MBEDTLS_PK_NONE;
2357
2358 /* Only in TLS 1.2 */
2359 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2360 {
2361 return( 0 );
2362 }
2363
2364 if( (*p) + 2 > end )
2365 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2366
2367 /*
2368 * Get hash algorithm
2369 */
2370 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
2371 {
2372 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
2373 "HashAlgorithm %d", *(p)[0] ) );
2374 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2375 }
2376
2377 /*
2378 * Get signature algorithm
2379 */
2380 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
2381 {
2382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
2383 "SignatureAlgorithm %d", (*p)[1] ) );
2384 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2385 }
2386
2387 /*
2388 * Check if the hash is acceptable
2389 */
2390 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2391 {
2392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2393 *(p)[0] ) );
2394 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2395 }
2396
2397 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2398 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
2399 *p += 2;
2400
2401 return( 0 );
2402}
2403#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2404 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2405 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2406#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2407
2408#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2409 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2410static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2411{
2412 int ret;
2413 const mbedtls_ecp_keypair *peer_key;
2414 mbedtls_pk_context * peer_pk;
2415
2416#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2417 peer_pk = &ssl->handshake->peer_pubkey;
2418#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2419 if( ssl->session_negotiate->peer_cert == NULL )
2420 {
2421 /* Should never happen */
2422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2423 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2424 }
2425 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2426#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2427
2428 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
2429 {
2430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2431 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2432 }
2433
2434 peer_key = mbedtls_pk_ec( *peer_pk );
2435
2436 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2437 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2438 {
2439 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2440 return( ret );
2441 }
2442
2443 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2444 {
2445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2446 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2447 }
2448
2449#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2450 /* We don't need the peer's public key anymore. Free it,
2451 * so that more RAM is available for upcoming expensive
2452 * operations like ECDHE. */
2453 mbedtls_pk_free( peer_pk );
2454#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2455
2456 return( ret );
2457}
2458#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2459 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2460
2461static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2462{
2463 int ret;
2464 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2465 ssl->transform_negotiate->ciphersuite_info;
2466 unsigned char *p = NULL, *end = NULL;
2467
2468 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2469
2470#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2471 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2472 {
2473 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2474 ssl->state++;
2475 return( 0 );
2476 }
2477 ((void) p);
2478 ((void) end);
2479#endif
2480
2481#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2482 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2483 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2484 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2485 {
2486 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2487 {
2488 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2489 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2490 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2491 return( ret );
2492 }
2493
2494 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2495 ssl->state++;
2496 return( 0 );
2497 }
2498 ((void) p);
2499 ((void) end);
2500#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2501 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2502
2503#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2504 if( ssl->handshake->ecrs_enabled &&
2505 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
2506 {
2507 goto start_processing;
2508 }
2509#endif
2510
2511 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2512 {
2513 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2514 return( ret );
2515 }
2516
2517 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2518 {
2519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2520 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2521 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2522 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2523 }
2524
2525 /*
2526 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2527 * doesn't use a psk_identity_hint
2528 */
2529 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2530 {
2531 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2532 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2533 {
2534 /* Current message is probably either
2535 * CertificateRequest or ServerHelloDone */
2536 ssl->keep_current_message = 1;
2537 goto exit;
2538 }
2539
2540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2541 "not be skipped" ) );
2542 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2543 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2544
2545 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2546 }
2547
2548#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2549 if( ssl->handshake->ecrs_enabled )
2550 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2551
2552start_processing:
2553#endif
2554 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2555 end = ssl->in_msg + ssl->in_hslen;
2556 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2557
2558#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2559 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2560 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2561 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2562 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2563 {
2564 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2565 {
2566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2567 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2568 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2569 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2570 }
2571 } /* FALLTROUGH */
2572#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2573
2574#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2575 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2576 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2577 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2578 ; /* nothing more to do */
2579 else
2580#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2581 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2582#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2583 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2584 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2585 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2586 {
2587 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2588 {
2589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2590 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2591 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2592 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2593 }
2594 }
2595 else
2596#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2597 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2598#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2599 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2600 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
2601 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2602 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2603 {
2604 if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 )
2605 {
2606 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2607 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2608 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2609 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2610 }
2611 }
2612 else
2613#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2614 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2615 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2616#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2617 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2618 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2619 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2620 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2621 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2622 {
2623 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2624 {
2625 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2626 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2627 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2628 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2629 }
2630 }
2631 else
2632#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2633 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2634 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2635#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2636 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2637 {
2638 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2639 p, end - p );
2640 if( ret != 0 )
2641 {
2642 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2643 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2644 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2645 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2646 }
2647 }
2648 else
2649#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2650 {
2651 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2652 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2653 }
2654
2655#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2656 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
2657 {
2658 size_t sig_len, hashlen;
2659 unsigned char hash[64];
2660 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2661 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2662 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2663 size_t params_len = p - params;
2664 void *rs_ctx = NULL;
2665
2666 mbedtls_pk_context * peer_pk;
2667
2668 /*
2669 * Handle the digitally-signed structure
2670 */
2671#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2672 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2673 {
2674 if( ssl_parse_signature_algorithm( ssl, &p, end,
2675 &md_alg, &pk_alg ) != 0 )
2676 {
2677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2678 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2679 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2680 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2681 }
2682
2683 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2684 {
2685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2686 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2687 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2688 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2689 }
2690 }
2691 else
2692#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2693#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2694 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2695 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2696 {
2697 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2698
2699 /* Default hash for ECDSA is SHA-1 */
2700 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2701 md_alg = MBEDTLS_MD_SHA1;
2702 }
2703 else
2704#endif
2705 {
2706 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2707 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2708 }
2709
2710 /*
2711 * Read signature
2712 */
2713
2714 if( p > end - 2 )
2715 {
2716 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2717 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2718 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2719 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2720 }
2721 sig_len = ( p[0] << 8 ) | p[1];
2722 p += 2;
2723
2724 if( p != end - sig_len )
2725 {
2726 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2727 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2728 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2729 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2730 }
2731
2732 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2733
2734 /*
2735 * Compute the hash that has been signed
2736 */
2737#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2738 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2739 if( md_alg == MBEDTLS_MD_NONE )
2740 {
2741 hashlen = 36;
2742 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2743 params_len );
2744 if( ret != 0 )
2745 return( ret );
2746 }
2747 else
2748#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2749 MBEDTLS_SSL_PROTO_TLS1_1 */
2750#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2751 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2752 if( md_alg != MBEDTLS_MD_NONE )
2753 {
2754 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2755 params, params_len,
2756 md_alg );
2757 if( ret != 0 )
2758 return( ret );
2759 }
2760 else
2761#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2762 MBEDTLS_SSL_PROTO_TLS1_2 */
2763 {
2764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2765 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2766 }
2767
2768 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2769
2770#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2771 peer_pk = &ssl->handshake->peer_pubkey;
2772#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2773 if( ssl->session_negotiate->peer_cert == NULL )
2774 {
2775 /* Should never happen */
2776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2777 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2778 }
2779 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2780#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2781
2782 /*
2783 * Verify signature
2784 */
2785 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
2786 {
2787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2788 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2789 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2790 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2791 }
2792
2793#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2794 if( ssl->handshake->ecrs_enabled )
2795 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2796#endif
2797
2798 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
2799 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
2800 {
2801#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2802 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2803#endif
2804 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2805 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
2806 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
2807#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2808 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2809 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2810#endif
2811 return( ret );
2812 }
2813
2814#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2815 /* We don't need the peer's public key anymore. Free it,
2816 * so that more RAM is available for upcoming expensive
2817 * operations like ECDHE. */
2818 mbedtls_pk_free( peer_pk );
2819#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2820 }
2821#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2822
2823exit:
2824 ssl->state++;
2825
2826 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2827
2828 return( 0 );
2829}
2830
2831#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
2832static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2833{
2834 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2835 ssl->transform_negotiate->ciphersuite_info;
2836
2837 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2838
2839 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2840 {
2841 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2842 ssl->state++;
2843 return( 0 );
2844 }
2845
2846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2847 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2848}
2849#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
2850static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2851{
2852 int ret;
2853 unsigned char *buf;
2854 size_t n = 0;
2855 size_t cert_type_len = 0, dn_len = 0;
2856 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2857 ssl->transform_negotiate->ciphersuite_info;
2858
2859 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2860
2861 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2862 {
2863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2864 ssl->state++;
2865 return( 0 );
2866 }
2867
2868 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2869 {
2870 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2871 return( ret );
2872 }
2873
2874 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2875 {
2876 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2877 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2878 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2879 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2880 }
2881
2882 ssl->state++;
2883 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
2884
2885 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
2886 ssl->client_auth ? "a" : "no" ) );
2887
2888 if( ssl->client_auth == 0 )
2889 {
2890 /* Current message is probably the ServerHelloDone */
2891 ssl->keep_current_message = 1;
2892 goto exit;
2893 }
2894
2895 /*
2896 * struct {
2897 * ClientCertificateType certificate_types<1..2^8-1>;
2898 * SignatureAndHashAlgorithm
2899 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2900 * DistinguishedName certificate_authorities<0..2^16-1>;
2901 * } CertificateRequest;
2902 *
2903 * Since we only support a single certificate on clients, let's just
2904 * ignore all the information that's supposed to help us pick a
2905 * certificate.
2906 *
2907 * We could check that our certificate matches the request, and bail out
2908 * if it doesn't, but it's simpler to just send the certificate anyway,
2909 * and give the server the opportunity to decide if it should terminate
2910 * the connection when it doesn't like our certificate.
2911 *
2912 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2913 * point we only have one hash available (see comments in
2914 * write_certificate_verify), so let's just use what we have.
2915 *
2916 * However, we still minimally parse the message to check it is at least
2917 * superficially sane.
2918 */
2919 buf = ssl->in_msg;
2920
2921 /* certificate_types */
2922 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
2923 {
2924 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2925 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2926 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2927 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2928 }
2929 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
2930 n = cert_type_len;
2931
2932 /*
2933 * In the subsequent code there are two paths that read from buf:
2934 * * the length of the signature algorithms field (if minor version of
2935 * SSL is 3),
2936 * * distinguished name length otherwise.
2937 * Both reach at most the index:
2938 * ...hdr_len + 2 + n,
2939 * therefore the buffer length at this point must be greater than that
2940 * regardless of the actual code path.
2941 */
2942 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
2943 {
2944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2945 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2946 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2947 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2948 }
2949
2950 /* supported_signature_algorithms */
2951#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2952 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2953 {
2954 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2955 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
2956#if defined(MBEDTLS_DEBUG_C)
2957 unsigned char* sig_alg;
2958 size_t i;
2959#endif
2960
2961 /*
2962 * The furthest access in buf is in the loop few lines below:
2963 * sig_alg[i + 1],
2964 * where:
2965 * sig_alg = buf + ...hdr_len + 3 + n,
2966 * max(i) = sig_alg_len - 1.
2967 * Therefore the furthest access is:
2968 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2969 * which reduces to:
2970 * buf[...hdr_len + 3 + n + sig_alg_len],
2971 * which is one less than we need the buf to be.
2972 */
2973 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
2974 {
2975 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2976 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2977 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2978 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2979 }
2980
2981#if defined(MBEDTLS_DEBUG_C)
2982 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
2983 for( i = 0; i < sig_alg_len; i += 2 )
2984 {
2985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
2986 ",%d", sig_alg[i], sig_alg[i + 1] ) );
2987 }
2988#endif
2989
2990 n += 2 + sig_alg_len;
2991 }
2992#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2993
2994 /* certificate_authorities */
2995 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2996 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
2997
2998 n += dn_len;
2999 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
3000 {
3001 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3002 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3003 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3004 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3005 }
3006
3007exit:
3008 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
3009
3010 return( 0 );
3011}
3012#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3013
3014static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
3015{
3016 int ret;
3017
3018 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
3019
3020 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3021 {
3022 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3023 return( ret );
3024 }
3025
3026 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3027 {
3028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3029 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3030 }
3031
3032 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3033 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
3034 {
3035 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3036 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3037 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3038 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
3039 }
3040
3041 ssl->state++;
3042
3043#if defined(MBEDTLS_SSL_PROTO_DTLS)
3044 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3045 mbedtls_ssl_recv_flight_completed( ssl );
3046#endif
3047
3048 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
3049
3050 return( 0 );
3051}
3052
3053static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
3054{
3055 int ret;
3056
3057 size_t header_len;
3058 size_t content_len;
3059 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3060 ssl->transform_negotiate->ciphersuite_info;
3061
3062 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
3063
3064#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3065 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3066 {
3067 /*
3068 * DHM key exchange -- send G^X mod P
3069 */
3070 content_len = ssl->handshake->dhm_ctx.len;
3071
3072 ssl->out_msg[4] = (unsigned char)( content_len >> 8 );
3073 ssl->out_msg[5] = (unsigned char)( content_len );
3074 header_len = 6;
3075
3076 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3077 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3078 &ssl->out_msg[header_len], content_len,
3079 ssl->conf->f_rng, ssl->conf->p_rng );
3080 if( ret != 0 )
3081 {
3082 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3083 return( ret );
3084 }
3085
3086 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3087 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3088
3089 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3090 ssl->handshake->premaster,
3091 MBEDTLS_PREMASTER_SIZE,
3092 &ssl->handshake->pmslen,
3093 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3094 {
3095 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3096 return( ret );
3097 }
3098
3099 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3100 }
3101 else
3102#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3103#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3104 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3105 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
3106 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3107 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3108 {
3109 psa_status_t status;
3110 psa_key_policy_t policy;
3111
3112 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3113
3114 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
3115 size_t own_pubkey_len;
3116 unsigned char *own_pubkey_ecpoint;
3117 size_t own_pubkey_ecpoint_len;
3118
3119 psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
3120
3121 header_len = 4;
3122
3123 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
3124
3125 /*
3126 * Generate EC private key for ECDHE exchange.
3127 */
3128
3129 /* Allocate a new key slot for the private key. */
3130
3131 status = psa_allocate_key( &handshake->ecdh_psa_privkey );
3132 if( status != PSA_SUCCESS )
3133 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3134
3135 /* The master secret is obtained from the shared ECDH secret by
3136 * applying the TLS 1.2 PRF with a specific salt and label. While
3137 * the PSA Crypto API encourages combining key agreement schemes
3138 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
3139 * yet support the provisioning of salt + label to the KDF.
3140 * For the time being, we therefore need to split the computation
3141 * of the ECDH secret and the application of the TLS 1.2 PRF. */
3142 policy = psa_key_policy_init();
3143 psa_key_policy_set_usage( &policy,
3144 PSA_KEY_USAGE_DERIVE,
3145 PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
3146 status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy );
3147 if( status != PSA_SUCCESS )
3148 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3149
3150 /* Generate ECDH private key. */
3151 status = psa_generate_key( handshake->ecdh_psa_privkey,
3152 PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ),
3153 MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ),
3154 NULL, 0 );
3155 if( status != PSA_SUCCESS )
3156 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3157
3158 /* Export the public part of the ECDH private key from PSA
3159 * and convert it to ECPoint format used in ClientKeyExchange. */
3160 status = psa_export_public_key( handshake->ecdh_psa_privkey,
3161 own_pubkey, sizeof( own_pubkey ),
3162 &own_pubkey_len );
3163 if( status != PSA_SUCCESS )
3164 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3165
3166 if( mbedtls_psa_tls_psa_ec_to_ecpoint( own_pubkey,
3167 own_pubkey_len,
3168 &own_pubkey_ecpoint,
3169 &own_pubkey_ecpoint_len ) != 0 )
3170 {
3171 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3172 }
3173
3174 /* Copy ECPoint structure to outgoing message buffer. */
3175 ssl->out_msg[header_len] = own_pubkey_ecpoint_len;
3176 memcpy( ssl->out_msg + header_len + 1,
3177 own_pubkey_ecpoint, own_pubkey_ecpoint_len );
3178 content_len = own_pubkey_ecpoint_len + 1;
3179
3180 /* Compute ECDH shared secret. */
3181 status = psa_key_agreement( &generator,
3182 handshake->ecdh_psa_privkey,
3183 handshake->ecdh_psa_peerkey,
3184 handshake->ecdh_psa_peerkey_len,
3185 PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
3186 if( status != PSA_SUCCESS )
3187 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3188
3189 /* The ECDH secret is the premaster secret used for key derivation. */
3190
3191 ssl->handshake->pmslen =
3192 MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve );
3193
3194 status = psa_generator_read( &generator,
3195 ssl->handshake->premaster,
3196 ssl->handshake->pmslen );
3197 if( status != PSA_SUCCESS )
3198 {
3199 psa_generator_abort( &generator );
3200 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3201 }
3202
3203 status = psa_generator_abort( &generator );
3204 if( status != PSA_SUCCESS )
3205 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3206
3207 status = psa_destroy_key( handshake->ecdh_psa_privkey );
3208 if( status != PSA_SUCCESS )
3209 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3210 handshake->ecdh_psa_privkey = 0;
3211 }
3212 else
3213#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3214 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3215 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
3216#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3217 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3218 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3219 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3220 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3221 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3222 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3223 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3224 {
3225 /*
3226 * ECDH key exchange -- send client public value
3227 */
3228 header_len = 4;
3229
3230#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3231 if( ssl->handshake->ecrs_enabled )
3232 {
3233 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
3234 goto ecdh_calc_secret;
3235
3236 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3237 }
3238#endif
3239
3240 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3241 &content_len,
3242 &ssl->out_msg[header_len], 1000,
3243 ssl->conf->f_rng, ssl->conf->p_rng );
3244 if( ret != 0 )
3245 {
3246 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3247#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3248 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3249 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3250#endif
3251 return( ret );
3252 }
3253
3254 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3255 MBEDTLS_DEBUG_ECDH_Q );
3256
3257#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3258 if( ssl->handshake->ecrs_enabled )
3259 {
3260 ssl->handshake->ecrs_n = content_len;
3261 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
3262 }
3263
3264ecdh_calc_secret:
3265 if( ssl->handshake->ecrs_enabled )
3266 content_len = ssl->handshake->ecrs_n;
3267#endif
3268 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3269 &ssl->handshake->pmslen,
3270 ssl->handshake->premaster,
3271 MBEDTLS_MPI_MAX_SIZE,
3272 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3273 {
3274 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3275#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3276 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3277 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3278#endif
3279 return( ret );
3280 }
3281
3282 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3283 MBEDTLS_DEBUG_ECDH_Z );
3284 }
3285 else
3286#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3287 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3288 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3289 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3290#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3291 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
3292 {
3293 /*
3294 * opaque psk_identity<0..2^16-1>;
3295 */
3296 if( ssl_conf_has_static_psk( ssl->conf ) == 0 )
3297 {
3298 /* We don't offer PSK suites if we don't have a PSK,
3299 * and we check that the server's choice is among the
3300 * ciphersuites we offered, so this should never happen. */
3301 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3302 }
3303
3304 header_len = 4;
3305 content_len = ssl->conf->psk_identity_len;
3306
3307 if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
3308 {
3309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3310 "SSL buffer too short" ) );
3311 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3312 }
3313
3314 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3315 ssl->out_msg[header_len++] = (unsigned char)( content_len );
3316
3317 memcpy( ssl->out_msg + header_len,
3318 ssl->conf->psk_identity,
3319 ssl->conf->psk_identity_len );
3320 header_len += ssl->conf->psk_identity_len;
3321
3322#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3323 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3324 {
3325 content_len = 0;
3326 }
3327 else
3328#endif
3329#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3330 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3331 {
3332#if defined(MBEDTLS_USE_PSA_CRYPTO)
3333 /* Opaque PSKs are currently only supported for PSK-only suites. */
3334 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3335 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3336#endif /* MBEDTLS_USE_PSA_CRYPTO */
3337
3338 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3339 &content_len, 2 ) ) != 0 )
3340 return( ret );
3341 }
3342 else
3343#endif
3344#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3345 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3346 {
3347#if defined(MBEDTLS_USE_PSA_CRYPTO)
3348 /* Opaque PSKs are currently only supported for PSK-only suites. */
3349 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3350 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3351#endif /* MBEDTLS_USE_PSA_CRYPTO */
3352
3353 /*
3354 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3355 */
3356 content_len = ssl->handshake->dhm_ctx.len;
3357
3358 if( header_len + 2 + content_len >
3359 MBEDTLS_SSL_OUT_CONTENT_LEN )
3360 {
3361 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3362 " or SSL buffer too short" ) );
3363 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3364 }
3365
3366 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3367 ssl->out_msg[header_len++] = (unsigned char)( content_len );
3368
3369 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3370 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3371 &ssl->out_msg[header_len], content_len,
3372 ssl->conf->f_rng, ssl->conf->p_rng );
3373 if( ret != 0 )
3374 {
3375 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3376 return( ret );
3377 }
3378 }
3379 else
3380#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3381#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3382 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3383 {
3384#if defined(MBEDTLS_USE_PSA_CRYPTO)
3385 /* Opaque PSKs are currently only supported for PSK-only suites. */
3386 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3387 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3388#endif /* MBEDTLS_USE_PSA_CRYPTO */
3389
3390 /*
3391 * ClientECDiffieHellmanPublic public;
3392 */
3393 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3394 &content_len,
3395 &ssl->out_msg[header_len],
3396 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3397 ssl->conf->f_rng, ssl->conf->p_rng );
3398 if( ret != 0 )
3399 {
3400 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3401 return( ret );
3402 }
3403
3404 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3405 MBEDTLS_DEBUG_ECDH_Q );
3406 }
3407 else
3408#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3409 {
3410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3411 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3412 }
3413
3414#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3415 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3416 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
3417 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
3418 ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3419 {
3420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) );
3421 }
3422 else
3423#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3424 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3425 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3426 ciphersuite_info->key_exchange ) ) != 0 )
3427 {
3428 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3429 return( ret );
3430 }
3431 }
3432 else
3433#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3434#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3435 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3436 {
3437 header_len = 4;
3438 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3439 &content_len, 0 ) ) != 0 )
3440 return( ret );
3441 }
3442 else
3443#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3444#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3445 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3446 {
3447 header_len = 4;
3448
3449 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
3450 ssl->out_msg + header_len,
3451 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3452 &content_len,
3453 ssl->conf->f_rng, ssl->conf->p_rng );
3454 if( ret != 0 )
3455 {
3456 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3457 return( ret );
3458 }
3459
3460 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3461 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3462 ssl->conf->f_rng, ssl->conf->p_rng );
3463 if( ret != 0 )
3464 {
3465 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3466 return( ret );
3467 }
3468 }
3469 else
3470#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3471 {
3472 ((void) ciphersuite_info);
3473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3474 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3475 }
3476
3477 ssl->out_msglen = header_len + content_len;
3478 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3479 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3480
3481 ssl->state++;
3482
3483 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3484 {
3485 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3486 return( ret );
3487 }
3488
3489 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
3490
3491 return( 0 );
3492}
3493
3494#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
3495static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3496{
3497 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3498 ssl->transform_negotiate->ciphersuite_info;
3499 int ret;
3500
3501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3502
3503 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3504 {
3505 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3506 return( ret );
3507 }
3508
3509 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
3510 {
3511 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3512 ssl->state++;
3513 return( 0 );
3514 }
3515
3516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3517 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3518}
3519#else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3520static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3521{
3522 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3523 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3524 ssl->transform_negotiate->ciphersuite_info;
3525 size_t n = 0, offset = 0;
3526 unsigned char hash[48];
3527 unsigned char *hash_start = hash;
3528 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3529 unsigned int hashlen;
3530 void *rs_ctx = NULL;
3531
3532 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3533
3534#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3535 if( ssl->handshake->ecrs_enabled &&
3536 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
3537 {
3538 goto sign;
3539 }
3540#endif
3541
3542 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3543 {
3544 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3545 return( ret );
3546 }
3547
3548 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
3549 {
3550 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3551 ssl->state++;
3552 return( 0 );
3553 }
3554
3555 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3556 {
3557 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3558 ssl->state++;
3559 return( 0 );
3560 }
3561
3562 if( mbedtls_ssl_own_key( ssl ) == NULL )
3563 {
3564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3565 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3566 }
3567
3568 /*
3569 * Make a signature of the handshake digests
3570 */
3571#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3572 if( ssl->handshake->ecrs_enabled )
3573 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3574
3575sign:
3576#endif
3577
3578 ssl->handshake->calc_verify( ssl, hash );
3579
3580#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3581 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3582 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3583 {
3584 /*
3585 * digitally-signed struct {
3586 * opaque md5_hash[16];
3587 * opaque sha_hash[20];
3588 * };
3589 *
3590 * md5_hash
3591 * MD5(handshake_messages);
3592 *
3593 * sha_hash
3594 * SHA(handshake_messages);
3595 */
3596 hashlen = 36;
3597 md_alg = MBEDTLS_MD_NONE;
3598
3599 /*
3600 * For ECDSA, default hash is SHA-1 only
3601 */
3602 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
3603 {
3604 hash_start += 16;
3605 hashlen -= 16;
3606 md_alg = MBEDTLS_MD_SHA1;
3607 }
3608 }
3609 else
3610#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3611 MBEDTLS_SSL_PROTO_TLS1_1 */
3612#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3613 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3614 {
3615 /*
3616 * digitally-signed struct {
3617 * opaque handshake_messages[handshake_messages_length];
3618 * };
3619 *
3620 * Taking shortcut here. We assume that the server always allows the
3621 * PRF Hash function and has sent it in the allowed signature
3622 * algorithms list received in the Certificate Request message.
3623 *
3624 * Until we encounter a server that does not, we will take this
3625 * shortcut.
3626 *
3627 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3628 * in order to satisfy 'weird' needs from the server side.
3629 */
3630 if( ssl->transform_negotiate->ciphersuite_info->mac ==
3631 MBEDTLS_MD_SHA384 )
3632 {
3633 md_alg = MBEDTLS_MD_SHA384;
3634 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3635 }
3636 else
3637 {
3638 md_alg = MBEDTLS_MD_SHA256;
3639 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3640 }
3641 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
3642
3643 /* Info from md_alg will be used instead */
3644 hashlen = 0;
3645 offset = 2;
3646 }
3647 else
3648#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3649 {
3650 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3651 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3652 }
3653
3654#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3655 if( ssl->handshake->ecrs_enabled )
3656 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3657#endif
3658
3659 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3660 md_alg, hash_start, hashlen,
3661 ssl->out_msg + 6 + offset, &n,
3662 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
3663 {
3664 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3665#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3666 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3667 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3668#endif
3669 return( ret );
3670 }
3671
3672 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3673 ssl->out_msg[5 + offset] = (unsigned char)( n );
3674
3675 ssl->out_msglen = 6 + n + offset;
3676 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3677 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3678
3679 ssl->state++;
3680
3681 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3682 {
3683 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3684 return( ret );
3685 }
3686
3687 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3688
3689 return( ret );
3690}
3691#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3692
3693#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3694static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3695{
3696 int ret;
3697 uint32_t lifetime;
3698 size_t ticket_len;
3699 unsigned char *ticket;
3700 const unsigned char *msg;
3701
3702 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3703
3704 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3705 {
3706 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3707 return( ret );
3708 }
3709
3710 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3711 {
3712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3713 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3714 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3715 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3716 }
3717
3718 /*
3719 * struct {
3720 * uint32 ticket_lifetime_hint;
3721 * opaque ticket<0..2^16-1>;
3722 * } NewSessionTicket;
3723 *
3724 * 0 . 3 ticket_lifetime_hint
3725 * 4 . 5 ticket_len (n)
3726 * 6 . 5+n ticket content
3727 */
3728 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3729 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3730 {
3731 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3732 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3733 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3734 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3735 }
3736
3737 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3738
3739 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3740 ( msg[2] << 8 ) | ( msg[3] );
3741
3742 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3743
3744 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3745 {
3746 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3747 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3748 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3749 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3750 }
3751
3752 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3753
3754 /* We're not waiting for a NewSessionTicket message any more */
3755 ssl->handshake->new_session_ticket = 0;
3756 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3757
3758 /*
3759 * Zero-length ticket means the server changed his mind and doesn't want
3760 * to send a ticket after all, so just forget it
3761 */
3762 if( ticket_len == 0 )
3763 return( 0 );
3764
3765 if( ssl->session != NULL && ssl->session->ticket != NULL )
3766 {
3767 mbedtls_platform_zeroize( ssl->session->ticket,
3768 ssl->session->ticket_len );
3769 mbedtls_free( ssl->session->ticket );
3770 ssl->session->ticket = NULL;
3771 ssl->session->ticket_len = 0;
3772 }
3773
3774 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3775 ssl->session_negotiate->ticket_len );
3776 mbedtls_free( ssl->session_negotiate->ticket );
3777 ssl->session_negotiate->ticket = NULL;
3778 ssl->session_negotiate->ticket_len = 0;
3779
3780 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3781 {
3782 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3783 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3784 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
3785 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3786 }
3787
3788 memcpy( ticket, msg + 6, ticket_len );
3789
3790 ssl->session_negotiate->ticket = ticket;
3791 ssl->session_negotiate->ticket_len = ticket_len;
3792 ssl->session_negotiate->ticket_lifetime = lifetime;
3793
3794 /*
3795 * RFC 5077 section 3.4:
3796 * "If the client receives a session ticket from the server, then it
3797 * discards any Session ID that was sent in the ServerHello."
3798 */
3799 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3800 ssl->session_negotiate->id_len = 0;
3801
3802 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3803
3804 return( 0 );
3805}
3806#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3807
3808/*
3809 * SSL handshake -- client side -- single step
3810 */
3811int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3812{
3813 int ret = 0;
3814
3815 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3816 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3817
3818 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3819
3820 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3821 return( ret );
3822
3823#if defined(MBEDTLS_SSL_PROTO_DTLS)
3824 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3825 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3826 {
3827 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3828 return( ret );
3829 }
3830#endif /* MBEDTLS_SSL_PROTO_DTLS */
3831
3832 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3833 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3834#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3835 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3836 ssl->handshake->new_session_ticket != 0 )
3837 {
3838 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3839 }
3840#endif
3841
3842 switch( ssl->state )
3843 {
3844 case MBEDTLS_SSL_HELLO_REQUEST:
3845 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3846 break;
3847
3848 /*
3849 * ==> ClientHello
3850 */
3851 case MBEDTLS_SSL_CLIENT_HELLO:
3852 ret = ssl_write_client_hello( ssl );
3853 break;
3854
3855 /*
3856 * <== ServerHello
3857 * Certificate
3858 * ( ServerKeyExchange )
3859 * ( CertificateRequest )
3860 * ServerHelloDone
3861 */
3862 case MBEDTLS_SSL_SERVER_HELLO:
3863 ret = ssl_parse_server_hello( ssl );
3864 break;
3865
3866 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3867 ret = mbedtls_ssl_parse_certificate( ssl );
3868 break;
3869
3870 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3871 ret = ssl_parse_server_key_exchange( ssl );
3872 break;
3873
3874 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3875 ret = ssl_parse_certificate_request( ssl );
3876 break;
3877
3878 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3879 ret = ssl_parse_server_hello_done( ssl );
3880 break;
3881
3882 /*
3883 * ==> ( Certificate/Alert )
3884 * ClientKeyExchange
3885 * ( CertificateVerify )
3886 * ChangeCipherSpec
3887 * Finished
3888 */
3889 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3890 ret = mbedtls_ssl_write_certificate( ssl );
3891 break;
3892
3893 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3894 ret = ssl_write_client_key_exchange( ssl );
3895 break;
3896
3897 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3898 ret = ssl_write_certificate_verify( ssl );
3899 break;
3900
3901 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3902 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
3903 break;
3904
3905 case MBEDTLS_SSL_CLIENT_FINISHED:
3906 ret = mbedtls_ssl_write_finished( ssl );
3907 break;
3908
3909 /*
3910 * <== ( NewSessionTicket )
3911 * ChangeCipherSpec
3912 * Finished
3913 */
3914#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3915 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
3916 ret = ssl_parse_new_session_ticket( ssl );
3917 break;
3918#endif
3919
3920 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3921 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
3922 break;
3923
3924 case MBEDTLS_SSL_SERVER_FINISHED:
3925 ret = mbedtls_ssl_parse_finished( ssl );
3926 break;
3927
3928 case MBEDTLS_SSL_FLUSH_BUFFERS:
3929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3930 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3931 break;
3932
3933 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3934 mbedtls_ssl_handshake_wrapup( ssl );
3935 break;
3936
3937 default:
3938 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3939 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3940 }
3941
3942 return( ret );
3943}
3944#endif /* MBEDTLS_SSL_CLI_C */