source: azure_iot_hub_mbedtls/trunk/mbedtls-2.16.1/library/ssl_srv.c@ 398

Last change on this file since 398 was 398, checked in by coas-nagasima, 5 years ago

mbedTLS版Azure IoT Hub接続サンプルのソースコードを追加
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc;charset=UTF-8
File size: 148.9 KB
Line 
1/*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22#if !defined(MBEDTLS_CONFIG_FILE)
23#include "mbedtls/config.h"
24#else
25#include MBEDTLS_CONFIG_FILE
26#endif
27
28#if defined(MBEDTLS_SSL_SRV_C)
29
30#if defined(MBEDTLS_PLATFORM_C)
31#include "mbedtls/platform.h"
32#else
33#include <stdlib.h>
34#define mbedtls_calloc calloc
35#define mbedtls_free free
36#endif
37
38#include "mbedtls/debug.h"
39#include "mbedtls/ssl.h"
40#include "mbedtls/ssl_internal.h"
41#include "mbedtls/platform_util.h"
42
43#include <string.h>
44
45#if defined(MBEDTLS_ECP_C)
46#include "mbedtls/ecp.h"
47#endif
48
49#if defined(MBEDTLS_HAVE_TIME)
50#include "mbedtls/platform_time.h"
51#endif
52
53#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
54int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
55 const unsigned char *info,
56 size_t ilen )
57{
58 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
59 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
60
61 mbedtls_free( ssl->cli_id );
62
63 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
64 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
65
66 memcpy( ssl->cli_id, info, ilen );
67 ssl->cli_id_len = ilen;
68
69 return( 0 );
70}
71
72void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
73 mbedtls_ssl_cookie_write_t *f_cookie_write,
74 mbedtls_ssl_cookie_check_t *f_cookie_check,
75 void *p_cookie )
76{
77 conf->f_cookie_write = f_cookie_write;
78 conf->f_cookie_check = f_cookie_check;
79 conf->p_cookie = p_cookie;
80}
81#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
82
83#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
84static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
85 const unsigned char *buf,
86 size_t len )
87{
88 int ret;
89 size_t servername_list_size, hostname_len;
90 const unsigned char *p;
91
92 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
93
94 if( len < 2 )
95 {
96 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
97 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
98 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
99 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
100 }
101 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
102 if( servername_list_size + 2 != len )
103 {
104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
105 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
106 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
107 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
108 }
109
110 p = buf + 2;
111 while( servername_list_size > 2 )
112 {
113 hostname_len = ( ( p[1] << 8 ) | p[2] );
114 if( hostname_len + 3 > servername_list_size )
115 {
116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
117 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
118 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
119 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
120 }
121
122 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
123 {
124 ret = ssl->conf->f_sni( ssl->conf->p_sni,
125 ssl, p + 3, hostname_len );
126 if( ret != 0 )
127 {
128 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
129 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
130 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
131 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
132 }
133 return( 0 );
134 }
135
136 servername_list_size -= hostname_len + 3;
137 p += hostname_len + 3;
138 }
139
140 if( servername_list_size != 0 )
141 {
142 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
143 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
144 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
145 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
146 }
147
148 return( 0 );
149}
150#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
151
152static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
153 const unsigned char *buf,
154 size_t len )
155{
156#if defined(MBEDTLS_SSL_RENEGOTIATION)
157 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
158 {
159 /* Check verify-data in constant-time. The length OTOH is no secret */
160 if( len != 1 + ssl->verify_data_len ||
161 buf[0] != ssl->verify_data_len ||
162 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
163 ssl->verify_data_len ) != 0 )
164 {
165 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
166 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
167 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
168 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
169 }
170 }
171 else
172#endif /* MBEDTLS_SSL_RENEGOTIATION */
173 {
174 if( len != 1 || buf[0] != 0x0 )
175 {
176 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
177 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
178 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
179 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
180 }
181
182 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
183 }
184
185 return( 0 );
186}
187
188#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
189 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
190
191/*
192 * Status of the implementation of signature-algorithms extension:
193 *
194 * Currently, we are only considering the signature-algorithm extension
195 * to pick a ciphersuite which allows us to send the ServerKeyExchange
196 * message with a signature-hash combination that the user allows.
197 *
198 * We do *not* check whether all certificates in our certificate
199 * chain are signed with an allowed signature-hash pair.
200 * This needs to be done at a later stage.
201 *
202 */
203static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
204 const unsigned char *buf,
205 size_t len )
206{
207 size_t sig_alg_list_size;
208
209 const unsigned char *p;
210 const unsigned char *end = buf + len;
211
212 mbedtls_md_type_t md_cur;
213 mbedtls_pk_type_t sig_cur;
214
215 if ( len < 2 ) {
216 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
217 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
218 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
219 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
220 }
221 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
222 if( sig_alg_list_size + 2 != len ||
223 sig_alg_list_size % 2 != 0 )
224 {
225 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
226 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
227 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
228 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
229 }
230
231 /* Currently we only guarantee signing the ServerKeyExchange message according
232 * to the constraints specified in this extension (see above), so it suffices
233 * to remember only one suitable hash for each possible signature algorithm.
234 *
235 * This will change when we also consider certificate signatures,
236 * in which case we will need to remember the whole signature-hash
237 * pair list from the extension.
238 */
239
240 for( p = buf + 2; p < end; p += 2 )
241 {
242 /* Silently ignore unknown signature or hash algorithms. */
243
244 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
245 {
246 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
247 " unknown sig alg encoding %d", p[1] ) );
248 continue;
249 }
250
251 /* Check if we support the hash the user proposes */
252 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
253 if( md_cur == MBEDTLS_MD_NONE )
254 {
255 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
256 " unknown hash alg encoding %d", p[0] ) );
257 continue;
258 }
259
260 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
261 {
262 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
264 " match sig %d and hash %d",
265 sig_cur, md_cur ) );
266 }
267 else
268 {
269 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
270 "hash alg %d not supported", md_cur ) );
271 }
272 }
273
274 return( 0 );
275}
276#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
277 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
278
279#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
280 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
281static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
282 const unsigned char *buf,
283 size_t len )
284{
285 size_t list_size, our_size;
286 const unsigned char *p;
287 const mbedtls_ecp_curve_info *curve_info, **curves;
288
289 if ( len < 2 ) {
290 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
291 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
292 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
293 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
294 }
295 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
296 if( list_size + 2 != len ||
297 list_size % 2 != 0 )
298 {
299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
300 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
301 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
302 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
303 }
304
305 /* Should never happen unless client duplicates the extension */
306 if( ssl->handshake->curves != NULL )
307 {
308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
310 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
311 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
312 }
313
314 /* Don't allow our peer to make us allocate too much memory,
315 * and leave room for a final 0 */
316 our_size = list_size / 2 + 1;
317 if( our_size > MBEDTLS_ECP_DP_MAX )
318 our_size = MBEDTLS_ECP_DP_MAX;
319
320 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
321 {
322 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
323 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
324 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
325 }
326
327 ssl->handshake->curves = curves;
328
329 p = buf + 2;
330 while( list_size > 0 && our_size > 1 )
331 {
332 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
333
334 if( curve_info != NULL )
335 {
336 *curves++ = curve_info;
337 our_size--;
338 }
339
340 list_size -= 2;
341 p += 2;
342 }
343
344 return( 0 );
345}
346
347static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
348 const unsigned char *buf,
349 size_t len )
350{
351 size_t list_size;
352 const unsigned char *p;
353
354 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
355 {
356 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
357 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
358 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
359 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
360 }
361 list_size = buf[0];
362
363 p = buf + 1;
364 while( list_size > 0 )
365 {
366 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
367 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
368 {
369#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
370 ssl->handshake->ecdh_ctx.point_format = p[0];
371#endif
372#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
373 ssl->handshake->ecjpake_ctx.point_format = p[0];
374#endif
375 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
376 return( 0 );
377 }
378
379 list_size--;
380 p++;
381 }
382
383 return( 0 );
384}
385#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
386 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
387
388#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
389static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
390 const unsigned char *buf,
391 size_t len )
392{
393 int ret;
394
395 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
396 {
397 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
398 return( 0 );
399 }
400
401 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
402 buf, len ) ) != 0 )
403 {
404 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
405 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
406 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
407 return( ret );
408 }
409
410 /* Only mark the extension as OK when we're sure it is */
411 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
412
413 return( 0 );
414}
415#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
416
417#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
418static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
419 const unsigned char *buf,
420 size_t len )
421{
422 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
423 {
424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
425 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
426 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
427 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
428 }
429
430 ssl->session_negotiate->mfl_code = buf[0];
431
432 return( 0 );
433}
434#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
435
436#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
437static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
438 const unsigned char *buf,
439 size_t len )
440{
441 if( len != 0 )
442 {
443 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
444 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
445 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
446 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
447 }
448
449 ((void) buf);
450
451 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
452 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
453
454 return( 0 );
455}
456#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
457
458#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
459static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
460 const unsigned char *buf,
461 size_t len )
462{
463 if( len != 0 )
464 {
465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
466 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
467 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
468 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
469 }
470
471 ((void) buf);
472
473 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
474 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
475 {
476 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
477 }
478
479 return( 0 );
480}
481#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
482
483#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
484static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
485 const unsigned char *buf,
486 size_t len )
487{
488 if( len != 0 )
489 {
490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
491 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
492 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
493 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
494 }
495
496 ((void) buf);
497
498 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
499 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
500 {
501 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
502 }
503
504 return( 0 );
505}
506#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
507
508#if defined(MBEDTLS_SSL_SESSION_TICKETS)
509static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
510 unsigned char *buf,
511 size_t len )
512{
513 int ret;
514 mbedtls_ssl_session session;
515
516 mbedtls_ssl_session_init( &session );
517
518 if( ssl->conf->f_ticket_parse == NULL ||
519 ssl->conf->f_ticket_write == NULL )
520 {
521 return( 0 );
522 }
523
524 /* Remember the client asked us to send a new ticket */
525 ssl->handshake->new_session_ticket = 1;
526
527 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
528
529 if( len == 0 )
530 return( 0 );
531
532#if defined(MBEDTLS_SSL_RENEGOTIATION)
533 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
534 {
535 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
536 return( 0 );
537 }
538#endif /* MBEDTLS_SSL_RENEGOTIATION */
539
540 /*
541 * Failures are ok: just ignore the ticket and proceed.
542 */
543 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
544 buf, len ) ) != 0 )
545 {
546 mbedtls_ssl_session_free( &session );
547
548 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
549 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
550 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
551 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
552 else
553 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
554
555 return( 0 );
556 }
557
558 /*
559 * Keep the session ID sent by the client, since we MUST send it back to
560 * inform them we're accepting the ticket (RFC 5077 section 3.4)
561 */
562 session.id_len = ssl->session_negotiate->id_len;
563 memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
564
565 mbedtls_ssl_session_free( ssl->session_negotiate );
566 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
567
568 /* Zeroize instead of free as we copied the content */
569 mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
570
571 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
572
573 ssl->handshake->resume = 1;
574
575 /* Don't send a new ticket after all, this one is OK */
576 ssl->handshake->new_session_ticket = 0;
577
578 return( 0 );
579}
580#endif /* MBEDTLS_SSL_SESSION_TICKETS */
581
582#if defined(MBEDTLS_SSL_ALPN)
583static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
584 const unsigned char *buf, size_t len )
585{
586 size_t list_len, cur_len, ours_len;
587 const unsigned char *theirs, *start, *end;
588 const char **ours;
589
590 /* If ALPN not configured, just ignore the extension */
591 if( ssl->conf->alpn_list == NULL )
592 return( 0 );
593
594 /*
595 * opaque ProtocolName<1..2^8-1>;
596 *
597 * struct {
598 * ProtocolName protocol_name_list<2..2^16-1>
599 * } ProtocolNameList;
600 */
601
602 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
603 if( len < 4 )
604 {
605 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
606 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
607 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
608 }
609
610 list_len = ( buf[0] << 8 ) | buf[1];
611 if( list_len != len - 2 )
612 {
613 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
614 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
615 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
616 }
617
618 /*
619 * Validate peer's list (lengths)
620 */
621 start = buf + 2;
622 end = buf + len;
623 for( theirs = start; theirs != end; theirs += cur_len )
624 {
625 cur_len = *theirs++;
626
627 /* Current identifier must fit in list */
628 if( cur_len > (size_t)( end - theirs ) )
629 {
630 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
631 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
632 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
633 }
634
635 /* Empty strings MUST NOT be included */
636 if( cur_len == 0 )
637 {
638 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
639 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
640 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
641 }
642 }
643
644 /*
645 * Use our order of preference
646 */
647 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
648 {
649 ours_len = strlen( *ours );
650 for( theirs = start; theirs != end; theirs += cur_len )
651 {
652 cur_len = *theirs++;
653
654 if( cur_len == ours_len &&
655 memcmp( theirs, *ours, cur_len ) == 0 )
656 {
657 ssl->alpn_chosen = *ours;
658 return( 0 );
659 }
660 }
661 }
662
663 /* If we get there, no match was found */
664 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
665 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
666 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
667}
668#endif /* MBEDTLS_SSL_ALPN */
669
670/*
671 * Auxiliary functions for ServerHello parsing and related actions
672 */
673
674#if defined(MBEDTLS_X509_CRT_PARSE_C)
675/*
676 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
677 */
678#if defined(MBEDTLS_ECDSA_C)
679static int ssl_check_key_curve( mbedtls_pk_context *pk,
680 const mbedtls_ecp_curve_info **curves )
681{
682 const mbedtls_ecp_curve_info **crv = curves;
683 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
684
685 while( *crv != NULL )
686 {
687 if( (*crv)->grp_id == grp_id )
688 return( 0 );
689 crv++;
690 }
691
692 return( -1 );
693}
694#endif /* MBEDTLS_ECDSA_C */
695
696/*
697 * Try picking a certificate for this ciphersuite,
698 * return 0 on success and -1 on failure.
699 */
700static int ssl_pick_cert( mbedtls_ssl_context *ssl,
701 const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
702{
703 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
704 mbedtls_pk_type_t pk_alg =
705 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
706 uint32_t flags;
707
708#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
709 if( ssl->handshake->sni_key_cert != NULL )
710 list = ssl->handshake->sni_key_cert;
711 else
712#endif
713 list = ssl->conf->key_cert;
714
715 if( pk_alg == MBEDTLS_PK_NONE )
716 return( 0 );
717
718 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
719
720 if( list == NULL )
721 {
722 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
723 return( -1 );
724 }
725
726 for( cur = list; cur != NULL; cur = cur->next )
727 {
728 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
729 cur->cert );
730
731 if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
732 {
733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
734 continue;
735 }
736
737 /*
738 * This avoids sending the client a cert it'll reject based on
739 * keyUsage or other extensions.
740 *
741 * It also allows the user to provision different certificates for
742 * different uses based on keyUsage, eg if they want to avoid signing
743 * and decrypting with the same RSA key.
744 */
745 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
746 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
747 {
748 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
749 "(extended) key usage extension" ) );
750 continue;
751 }
752
753#if defined(MBEDTLS_ECDSA_C)
754 if( pk_alg == MBEDTLS_PK_ECDSA &&
755 ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
756 {
757 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
758 continue;
759 }
760#endif
761
762 /*
763 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
764 * present them a SHA-higher cert rather than failing if it's the only
765 * one we got that satisfies the other conditions.
766 */
767 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
768 cur->cert->sig_md != MBEDTLS_MD_SHA1 )
769 {
770 if( fallback == NULL )
771 fallback = cur;
772 {
773 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
774 "sha-2 with pre-TLS 1.2 client" ) );
775 continue;
776 }
777 }
778
779 /* If we get there, we got a winner */
780 break;
781 }
782
783 if( cur == NULL )
784 cur = fallback;
785
786 /* Do not update ssl->handshake->key_cert unless there is a match */
787 if( cur != NULL )
788 {
789 ssl->handshake->key_cert = cur;
790 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
791 ssl->handshake->key_cert->cert );
792 return( 0 );
793 }
794
795 return( -1 );
796}
797#endif /* MBEDTLS_X509_CRT_PARSE_C */
798
799/*
800 * Check if a given ciphersuite is suitable for use with our config/keys/etc
801 * Sets ciphersuite_info only if the suite matches.
802 */
803static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
804 const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
805{
806 const mbedtls_ssl_ciphersuite_t *suite_info;
807
808#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
809 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
810 mbedtls_pk_type_t sig_type;
811#endif
812
813 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
814 if( suite_info == NULL )
815 {
816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
817 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
818 }
819
820 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
821
822 if( suite_info->min_minor_ver > ssl->minor_ver ||
823 suite_info->max_minor_ver < ssl->minor_ver )
824 {
825 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
826 return( 0 );
827 }
828
829#if defined(MBEDTLS_SSL_PROTO_DTLS)
830 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
831 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
832 return( 0 );
833#endif
834
835#if defined(MBEDTLS_ARC4_C)
836 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
837 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
838 {
839 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
840 return( 0 );
841 }
842#endif
843
844#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
845 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
846 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
847 {
848 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
849 "not configured or ext missing" ) );
850 return( 0 );
851 }
852#endif
853
854
855#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
856 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
857 ( ssl->handshake->curves == NULL ||
858 ssl->handshake->curves[0] == NULL ) )
859 {
860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
861 "no common elliptic curve" ) );
862 return( 0 );
863 }
864#endif
865
866#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
867 /* If the ciphersuite requires a pre-shared key and we don't
868 * have one, skip it now rather than failing later */
869 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
870 ssl->conf->f_psk == NULL &&
871 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
872 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
873 {
874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
875 return( 0 );
876 }
877#endif
878
879#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
880 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
881 /* If the ciphersuite requires signing, check whether
882 * a suitable hash algorithm is present. */
883 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
884 {
885 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
886 if( sig_type != MBEDTLS_PK_NONE &&
887 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
888 {
889 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
890 "for signature algorithm %d", sig_type ) );
891 return( 0 );
892 }
893 }
894
895#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
896 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
897
898#if defined(MBEDTLS_X509_CRT_PARSE_C)
899 /*
900 * Final check: if ciphersuite requires us to have a
901 * certificate/key of a particular type:
902 * - select the appropriate certificate if we have one, or
903 * - try the next ciphersuite if we don't
904 * This must be done last since we modify the key_cert list.
905 */
906 if( ssl_pick_cert( ssl, suite_info ) != 0 )
907 {
908 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
909 "no suitable certificate" ) );
910 return( 0 );
911 }
912#endif
913
914 *ciphersuite_info = suite_info;
915 return( 0 );
916}
917
918#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
919static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
920{
921 int ret, got_common_suite;
922 unsigned int i, j;
923 size_t n;
924 unsigned int ciph_len, sess_len, chal_len;
925 unsigned char *buf, *p;
926 const int *ciphersuites;
927 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
928
929 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
930
931#if defined(MBEDTLS_SSL_RENEGOTIATION)
932 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
933 {
934 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
935 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
936 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
937 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
938 }
939#endif /* MBEDTLS_SSL_RENEGOTIATION */
940
941 buf = ssl->in_hdr;
942
943 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
944
945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
946 buf[2] ) );
947 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
948 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
950 buf[3], buf[4] ) );
951
952 /*
953 * SSLv2 Client Hello
954 *
955 * Record layer:
956 * 0 . 1 message length
957 *
958 * SSL layer:
959 * 2 . 2 message type
960 * 3 . 4 protocol version
961 */
962 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
963 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
964 {
965 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
966 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
967 }
968
969 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
970
971 if( n < 17 || n > 512 )
972 {
973 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
974 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
975 }
976
977 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
978 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
979 ? buf[4] : ssl->conf->max_minor_ver;
980
981 if( ssl->minor_ver < ssl->conf->min_minor_ver )
982 {
983 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
984 " [%d:%d] < [%d:%d]",
985 ssl->major_ver, ssl->minor_ver,
986 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
987
988 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
989 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
990 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
991 }
992
993 ssl->handshake->max_major_ver = buf[3];
994 ssl->handshake->max_minor_ver = buf[4];
995
996 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
997 {
998 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
999 return( ret );
1000 }
1001
1002 ssl->handshake->update_checksum( ssl, buf + 2, n );
1003
1004 buf = ssl->in_msg;
1005 n = ssl->in_left - 5;
1006
1007 /*
1008 * 0 . 1 ciphersuitelist length
1009 * 2 . 3 session id length
1010 * 4 . 5 challenge length
1011 * 6 . .. ciphersuitelist
1012 * .. . .. session id
1013 * .. . .. challenge
1014 */
1015 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
1016
1017 ciph_len = ( buf[0] << 8 ) | buf[1];
1018 sess_len = ( buf[2] << 8 ) | buf[3];
1019 chal_len = ( buf[4] << 8 ) | buf[5];
1020
1021 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
1022 ciph_len, sess_len, chal_len ) );
1023
1024 /*
1025 * Make sure each parameter length is valid
1026 */
1027 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
1028 {
1029 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1030 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1031 }
1032
1033 if( sess_len > 32 )
1034 {
1035 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1036 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1037 }
1038
1039 if( chal_len < 8 || chal_len > 32 )
1040 {
1041 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1042 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1043 }
1044
1045 if( n != 6 + ciph_len + sess_len + chal_len )
1046 {
1047 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1048 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1049 }
1050
1051 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1052 buf + 6, ciph_len );
1053 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
1054 buf + 6 + ciph_len, sess_len );
1055 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
1056 buf + 6 + ciph_len + sess_len, chal_len );
1057
1058 p = buf + 6 + ciph_len;
1059 ssl->session_negotiate->id_len = sess_len;
1060 memset( ssl->session_negotiate->id, 0,
1061 sizeof( ssl->session_negotiate->id ) );
1062 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
1063
1064 p += sess_len;
1065 memset( ssl->handshake->randbytes, 0, 64 );
1066 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1067
1068 /*
1069 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1070 */
1071 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1072 {
1073 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
1074 {
1075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1076#if defined(MBEDTLS_SSL_RENEGOTIATION)
1077 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1078 {
1079 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1080 "during renegotiation" ) );
1081
1082 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1083 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1084 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1085 }
1086#endif /* MBEDTLS_SSL_RENEGOTIATION */
1087 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1088 break;
1089 }
1090 }
1091
1092#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1093 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1094 {
1095 if( p[0] == 0 &&
1096 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
1097 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
1098 {
1099 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
1100
1101 if( ssl->minor_ver < ssl->conf->max_minor_ver )
1102 {
1103 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1104
1105 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1106 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1107
1108 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1109 }
1110
1111 break;
1112 }
1113 }
1114#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1115
1116 got_common_suite = 0;
1117 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1118 ciphersuite_info = NULL;
1119#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1120 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1121 for( i = 0; ciphersuites[i] != 0; i++ )
1122#else
1123 for( i = 0; ciphersuites[i] != 0; i++ )
1124 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1125#endif
1126 {
1127 if( p[0] != 0 ||
1128 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1129 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1130 continue;
1131
1132 got_common_suite = 1;
1133
1134 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1135 &ciphersuite_info ) ) != 0 )
1136 return( ret );
1137
1138 if( ciphersuite_info != NULL )
1139 goto have_ciphersuite_v2;
1140 }
1141
1142 if( got_common_suite )
1143 {
1144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1145 "but none of them usable" ) );
1146 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
1147 }
1148 else
1149 {
1150 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1151 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
1152 }
1153
1154have_ciphersuite_v2:
1155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1156
1157 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1158 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
1159
1160 /*
1161 * SSLv2 Client Hello relevant renegotiation security checks
1162 */
1163 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1164 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1165 {
1166 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1167 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1168 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1169 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1170 }
1171
1172 ssl->in_left = 0;
1173 ssl->state++;
1174
1175 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1176
1177 return( 0 );
1178}
1179#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1180
1181/* This function doesn't alert on errors that happen early during
1182 ClientHello parsing because they might indicate that the client is
1183 not talking SSL/TLS at all and would not understand our alert. */
1184static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
1185{
1186 int ret, got_common_suite;
1187 size_t i, j;
1188 size_t ciph_offset, comp_offset, ext_offset;
1189 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
1190#if defined(MBEDTLS_SSL_PROTO_DTLS)
1191 size_t cookie_offset, cookie_len;
1192#endif
1193 unsigned char *buf, *p, *ext;
1194#if defined(MBEDTLS_SSL_RENEGOTIATION)
1195 int renegotiation_info_seen = 0;
1196#endif
1197 int handshake_failure = 0;
1198 const int *ciphersuites;
1199 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1200 int major, minor;
1201
1202 /* If there is no signature-algorithm extension present,
1203 * we need to fall back to the default values for allowed
1204 * signature-hash pairs. */
1205#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1206 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1207 int sig_hash_alg_ext_present = 0;
1208#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1209 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1210
1211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1212
1213#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1214read_record_header:
1215#endif
1216 /*
1217 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1218 * otherwise read it ourselves manually in order to support SSLv2
1219 * ClientHello, which doesn't use the same record layer format.
1220 */
1221#if defined(MBEDTLS_SSL_RENEGOTIATION)
1222 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1223#endif
1224 {
1225 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
1226 {
1227 /* No alert on a read error. */
1228 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1229 return( ret );
1230 }
1231 }
1232
1233 buf = ssl->in_hdr;
1234
1235#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1236#if defined(MBEDTLS_SSL_PROTO_DTLS)
1237 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
1238#endif
1239 if( ( buf[0] & 0x80 ) != 0 )
1240 return( ssl_parse_client_hello_v2( ssl ) );
1241#endif
1242
1243 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
1244
1245 /*
1246 * SSLv3/TLS Client Hello
1247 *
1248 * Record layer:
1249 * 0 . 0 message type
1250 * 1 . 2 protocol version
1251 * 3 . 11 DTLS: epoch + record sequence number
1252 * 3 . 4 message length
1253 */
1254 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1255 buf[0] ) );
1256
1257 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
1258 {
1259 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1260 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1261 }
1262
1263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1264 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
1265
1266 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
1267 buf[1], buf[2] ) );
1268
1269 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
1270
1271 /* According to RFC 5246 Appendix E.1, the version here is typically
1272 * "{03,00}, the lowest version number supported by the client, [or] the
1273 * value of ClientHello.client_version", so the only meaningful check here
1274 * is the major version shouldn't be less than 3 */
1275 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
1276 {
1277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1278 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1279 }
1280
1281 /* For DTLS if this is the initial handshake, remember the client sequence
1282 * number to use it in our next message (RFC 6347 4.2.1) */
1283#if defined(MBEDTLS_SSL_PROTO_DTLS)
1284 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
1285#if defined(MBEDTLS_SSL_RENEGOTIATION)
1286 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1287#endif
1288 )
1289 {
1290 /* Epoch should be 0 for initial handshakes */
1291 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
1292 {
1293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1294 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1295 }
1296
1297 memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
1298
1299#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1300 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
1301 {
1302 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1303 ssl->next_record_offset = 0;
1304 ssl->in_left = 0;
1305 goto read_record_header;
1306 }
1307
1308 /* No MAC to check yet, so we can update right now */
1309 mbedtls_ssl_dtls_replay_update( ssl );
1310#endif
1311 }
1312#endif /* MBEDTLS_SSL_PROTO_DTLS */
1313
1314 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
1315
1316#if defined(MBEDTLS_SSL_RENEGOTIATION)
1317 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1318 {
1319 /* Set by mbedtls_ssl_read_record() */
1320 msg_len = ssl->in_hslen;
1321 }
1322 else
1323#endif
1324 {
1325 if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
1326 {
1327 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1328 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1329 }
1330
1331 if( ( ret = mbedtls_ssl_fetch_input( ssl,
1332 mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
1333 {
1334 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1335 return( ret );
1336 }
1337
1338 /* Done reading this record, get ready for the next one */
1339#if defined(MBEDTLS_SSL_PROTO_DTLS)
1340 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1341 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
1342 else
1343#endif
1344 ssl->in_left = 0;
1345 }
1346
1347 buf = ssl->in_msg;
1348
1349 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
1350
1351 ssl->handshake->update_checksum( ssl, buf, msg_len );
1352
1353 /*
1354 * Handshake layer:
1355 * 0 . 0 handshake type
1356 * 1 . 3 handshake length
1357 * 4 . 5 DTLS only: message seqence number
1358 * 6 . 8 DTLS only: fragment offset
1359 * 9 . 11 DTLS only: fragment length
1360 */
1361 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
1362 {
1363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1364 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1365 }
1366
1367 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
1368
1369 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
1370 {
1371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1372 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1373 }
1374
1375 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1376 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1377
1378 /* We don't support fragmentation of ClientHello (yet?) */
1379 if( buf[1] != 0 ||
1380 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
1381 {
1382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1383 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1384 }
1385
1386#if defined(MBEDTLS_SSL_PROTO_DTLS)
1387 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1388 {
1389 /*
1390 * Copy the client's handshake message_seq on initial handshakes,
1391 * check sequence number on renego.
1392 */
1393#if defined(MBEDTLS_SSL_RENEGOTIATION)
1394 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1395 {
1396 /* This couldn't be done in ssl_prepare_handshake_record() */
1397 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1398 ssl->in_msg[5];
1399
1400 if( cli_msg_seq != ssl->handshake->in_msg_seq )
1401 {
1402 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1403 "%d (expected %d)", cli_msg_seq,
1404 ssl->handshake->in_msg_seq ) );
1405 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1406 }
1407
1408 ssl->handshake->in_msg_seq++;
1409 }
1410 else
1411#endif
1412 {
1413 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1414 ssl->in_msg[5];
1415 ssl->handshake->out_msg_seq = cli_msg_seq;
1416 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1417 }
1418
1419 /*
1420 * For now we don't support fragmentation, so make sure
1421 * fragment_offset == 0 and fragment_length == length
1422 */
1423 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
1424 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
1425 {
1426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1427 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1428 }
1429 }
1430#endif /* MBEDTLS_SSL_PROTO_DTLS */
1431
1432 buf += mbedtls_ssl_hs_hdr_len( ssl );
1433 msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
1434
1435 /*
1436 * ClientHello layer:
1437 * 0 . 1 protocol version
1438 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1439 * 34 . 35 session id length (1 byte)
1440 * 35 . 34+x session id
1441 * 35+x . 35+x DTLS only: cookie length (1 byte)
1442 * 36+x . .. DTLS only: cookie
1443 * .. . .. ciphersuite list length (2 bytes)
1444 * .. . .. ciphersuite list
1445 * .. . .. compression alg. list length (1 byte)
1446 * .. . .. compression alg. list
1447 * .. . .. extensions length (2 bytes, optional)
1448 * .. . .. extensions (optional)
1449 */
1450
1451 /*
1452 * Minimal length (with everything empty and extensions ommitted) is
1453 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1454 * read at least up to session id length without worrying.
1455 */
1456 if( msg_len < 38 )
1457 {
1458 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1459 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1460 }
1461
1462 /*
1463 * Check and save the protocol version
1464 */
1465 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
1466
1467 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1468 ssl->conf->transport, buf );
1469
1470 ssl->handshake->max_major_ver = ssl->major_ver;
1471 ssl->handshake->max_minor_ver = ssl->minor_ver;
1472
1473 if( ssl->major_ver < ssl->conf->min_major_ver ||
1474 ssl->minor_ver < ssl->conf->min_minor_ver )
1475 {
1476 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1477 " [%d:%d] < [%d:%d]",
1478 ssl->major_ver, ssl->minor_ver,
1479 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
1480 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1481 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1482 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1483 }
1484
1485 if( ssl->major_ver > ssl->conf->max_major_ver )
1486 {
1487 ssl->major_ver = ssl->conf->max_major_ver;
1488 ssl->minor_ver = ssl->conf->max_minor_ver;
1489 }
1490 else if( ssl->minor_ver > ssl->conf->max_minor_ver )
1491 ssl->minor_ver = ssl->conf->max_minor_ver;
1492
1493 /*
1494 * Save client random (inc. Unix time)
1495 */
1496 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
1497
1498 memcpy( ssl->handshake->randbytes, buf + 2, 32 );
1499
1500 /*
1501 * Check the session ID length and save session ID
1502 */
1503 sess_len = buf[34];
1504
1505 if( sess_len > sizeof( ssl->session_negotiate->id ) ||
1506 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
1507 {
1508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1509 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1510 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1511 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1512 }
1513
1514 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
1515
1516 ssl->session_negotiate->id_len = sess_len;
1517 memset( ssl->session_negotiate->id, 0,
1518 sizeof( ssl->session_negotiate->id ) );
1519 memcpy( ssl->session_negotiate->id, buf + 35,
1520 ssl->session_negotiate->id_len );
1521
1522 /*
1523 * Check the cookie length and content
1524 */
1525#if defined(MBEDTLS_SSL_PROTO_DTLS)
1526 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1527 {
1528 cookie_offset = 35 + sess_len;
1529 cookie_len = buf[cookie_offset];
1530
1531 if( cookie_offset + 1 + cookie_len + 2 > msg_len )
1532 {
1533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1534 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1535 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1536 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1537 }
1538
1539 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1540 buf + cookie_offset + 1, cookie_len );
1541
1542#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1543 if( ssl->conf->f_cookie_check != NULL
1544#if defined(MBEDTLS_SSL_RENEGOTIATION)
1545 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1546#endif
1547 )
1548 {
1549 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
1550 buf + cookie_offset + 1, cookie_len,
1551 ssl->cli_id, ssl->cli_id_len ) != 0 )
1552 {
1553 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1554 ssl->handshake->verify_cookie_len = 1;
1555 }
1556 else
1557 {
1558 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1559 ssl->handshake->verify_cookie_len = 0;
1560 }
1561 }
1562 else
1563#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1564 {
1565 /* We know we didn't send a cookie, so it should be empty */
1566 if( cookie_len != 0 )
1567 {
1568 /* This may be an attacker's probe, so don't send an alert */
1569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1570 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1571 }
1572
1573 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1574 }
1575
1576 /*
1577 * Check the ciphersuitelist length (will be parsed later)
1578 */
1579 ciph_offset = cookie_offset + 1 + cookie_len;
1580 }
1581 else
1582#endif /* MBEDTLS_SSL_PROTO_DTLS */
1583 ciph_offset = 35 + sess_len;
1584
1585 ciph_len = ( buf[ciph_offset + 0] << 8 )
1586 | ( buf[ciph_offset + 1] );
1587
1588 if( ciph_len < 2 ||
1589 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1590 ( ciph_len % 2 ) != 0 )
1591 {
1592 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1593 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1594 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1595 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1596 }
1597
1598 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1599 buf + ciph_offset + 2, ciph_len );
1600
1601 /*
1602 * Check the compression algorithms length and pick one
1603 */
1604 comp_offset = ciph_offset + 2 + ciph_len;
1605
1606 comp_len = buf[comp_offset];
1607
1608 if( comp_len < 1 ||
1609 comp_len > 16 ||
1610 comp_len + comp_offset + 1 > msg_len )
1611 {
1612 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1613 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1614 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1615 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1616 }
1617
1618 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1619 buf + comp_offset + 1, comp_len );
1620
1621 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1622#if defined(MBEDTLS_ZLIB_SUPPORT)
1623 for( i = 0; i < comp_len; ++i )
1624 {
1625 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
1626 {
1627 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
1628 break;
1629 }
1630 }
1631#endif
1632
1633 /* See comments in ssl_write_client_hello() */
1634#if defined(MBEDTLS_SSL_PROTO_DTLS)
1635 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1636 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1637#endif
1638
1639 /* Do not parse the extensions if the protocol is SSLv3 */
1640#if defined(MBEDTLS_SSL_PROTO_SSL3)
1641 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
1642 {
1643#endif
1644 /*
1645 * Check the extension length
1646 */
1647 ext_offset = comp_offset + 1 + comp_len;
1648 if( msg_len > ext_offset )
1649 {
1650 if( msg_len < ext_offset + 2 )
1651 {
1652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1653 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1654 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1655 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1656 }
1657
1658 ext_len = ( buf[ext_offset + 0] << 8 )
1659 | ( buf[ext_offset + 1] );
1660
1661 if( ( ext_len > 0 && ext_len < 4 ) ||
1662 msg_len != ext_offset + 2 + ext_len )
1663 {
1664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1665 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1666 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1667 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1668 }
1669 }
1670 else
1671 ext_len = 0;
1672
1673 ext = buf + ext_offset + 2;
1674 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
1675
1676 while( ext_len != 0 )
1677 {
1678 unsigned int ext_id;
1679 unsigned int ext_size;
1680 if ( ext_len < 4 ) {
1681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1682 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1683 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1684 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1685 }
1686 ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
1687 ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
1688
1689 if( ext_size + 4 > ext_len )
1690 {
1691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1692 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1693 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1694 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1695 }
1696 switch( ext_id )
1697 {
1698#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1699 case MBEDTLS_TLS_EXT_SERVERNAME:
1700 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1701 if( ssl->conf->f_sni == NULL )
1702 break;
1703
1704 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1705 if( ret != 0 )
1706 return( ret );
1707 break;
1708#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1709
1710 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1711 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1712#if defined(MBEDTLS_SSL_RENEGOTIATION)
1713 renegotiation_info_seen = 1;
1714#endif
1715
1716 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1717 if( ret != 0 )
1718 return( ret );
1719 break;
1720
1721#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1722 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1723 case MBEDTLS_TLS_EXT_SIG_ALG:
1724 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1725
1726 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1727 if( ret != 0 )
1728 return( ret );
1729
1730 sig_hash_alg_ext_present = 1;
1731 break;
1732#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1733 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1734
1735#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1736 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1737 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1738 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1739
1740 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1741 if( ret != 0 )
1742 return( ret );
1743 break;
1744
1745 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1746 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1747 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1748
1749 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1750 if( ret != 0 )
1751 return( ret );
1752 break;
1753#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1754 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1755
1756#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1757 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1758 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1759
1760 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
1761 if( ret != 0 )
1762 return( ret );
1763 break;
1764#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1765
1766#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1767 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1769
1770 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1771 if( ret != 0 )
1772 return( ret );
1773 break;
1774#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1775
1776#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1777 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1778 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1779
1780 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1781 if( ret != 0 )
1782 return( ret );
1783 break;
1784#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1785
1786#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1787 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1788 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1789
1790 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
1791 if( ret != 0 )
1792 return( ret );
1793 break;
1794#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1795
1796#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1797 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1798 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1799
1800 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
1801 if( ret != 0 )
1802 return( ret );
1803 break;
1804#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1805
1806#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1807 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1808 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1809
1810 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1811 if( ret != 0 )
1812 return( ret );
1813 break;
1814#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1815
1816#if defined(MBEDTLS_SSL_ALPN)
1817 case MBEDTLS_TLS_EXT_ALPN:
1818 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1819
1820 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1821 if( ret != 0 )
1822 return( ret );
1823 break;
1824#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1825
1826 default:
1827 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1828 ext_id ) );
1829 }
1830
1831 ext_len -= 4 + ext_size;
1832 ext += 4 + ext_size;
1833
1834 if( ext_len > 0 && ext_len < 4 )
1835 {
1836 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1837 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1838 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1839 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1840 }
1841 }
1842#if defined(MBEDTLS_SSL_PROTO_SSL3)
1843 }
1844#endif
1845
1846#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1847 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
1848 {
1849 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
1850 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
1851 {
1852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
1853
1854 if( ssl->minor_ver < ssl->conf->max_minor_ver )
1855 {
1856 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1857
1858 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1859 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1860
1861 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1862 }
1863
1864 break;
1865 }
1866 }
1867#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1868
1869#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1870 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1871
1872 /*
1873 * Try to fall back to default hash SHA1 if the client
1874 * hasn't provided any preferred signature-hash combinations.
1875 */
1876 if( sig_hash_alg_ext_present == 0 )
1877 {
1878 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
1879
1880 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
1881 md_default = MBEDTLS_MD_NONE;
1882
1883 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
1884 }
1885
1886#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1887 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1888
1889 /*
1890 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1891 */
1892 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
1893 {
1894 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
1895 {
1896 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1897#if defined(MBEDTLS_SSL_RENEGOTIATION)
1898 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1899 {
1900 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1901 "during renegotiation" ) );
1902 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1903 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1904 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1905 }
1906#endif
1907 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1908 break;
1909 }
1910 }
1911
1912 /*
1913 * Renegotiation security checks
1914 */
1915 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1916 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1917 {
1918 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1919 handshake_failure = 1;
1920 }
1921#if defined(MBEDTLS_SSL_RENEGOTIATION)
1922 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1923 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1924 renegotiation_info_seen == 0 )
1925 {
1926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1927 handshake_failure = 1;
1928 }
1929 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1930 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1931 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
1932 {
1933 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1934 handshake_failure = 1;
1935 }
1936 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1937 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1938 renegotiation_info_seen == 1 )
1939 {
1940 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1941 handshake_failure = 1;
1942 }
1943#endif /* MBEDTLS_SSL_RENEGOTIATION */
1944
1945 if( handshake_failure == 1 )
1946 {
1947 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1948 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1949 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1950 }
1951
1952 /*
1953 * Search for a matching ciphersuite
1954 * (At the end because we need information from the EC-based extensions
1955 * and certificate from the SNI callback triggered by the SNI extension.)
1956 */
1957 got_common_suite = 0;
1958 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1959 ciphersuite_info = NULL;
1960#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1961 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
1962 for( i = 0; ciphersuites[i] != 0; i++ )
1963#else
1964 for( i = 0; ciphersuites[i] != 0; i++ )
1965 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
1966#endif
1967 {
1968 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1969 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
1970 continue;
1971
1972 got_common_suite = 1;
1973
1974 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1975 &ciphersuite_info ) ) != 0 )
1976 return( ret );
1977
1978 if( ciphersuite_info != NULL )
1979 goto have_ciphersuite;
1980 }
1981
1982 if( got_common_suite )
1983 {
1984 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1985 "but none of them usable" ) );
1986 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1987 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1988 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
1989 }
1990 else
1991 {
1992 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1993 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1994 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1995 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
1996 }
1997
1998have_ciphersuite:
1999 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
2000
2001 ssl->session_negotiate->ciphersuite = ciphersuites[i];
2002 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
2003
2004 ssl->state++;
2005
2006#if defined(MBEDTLS_SSL_PROTO_DTLS)
2007 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2008 mbedtls_ssl_recv_flight_completed( ssl );
2009#endif
2010
2011 /* Debugging-only output for testsuite */
2012#if defined(MBEDTLS_DEBUG_C) && \
2013 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2014 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
2015 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2016 {
2017 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
2018 if( sig_alg != MBEDTLS_PK_NONE )
2019 {
2020 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
2021 sig_alg );
2022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
2023 mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
2024 }
2025 else
2026 {
2027 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
2028 "%d - should not happen", sig_alg ) );
2029 }
2030 }
2031#endif
2032
2033 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
2034
2035 return( 0 );
2036}
2037
2038#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2039static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
2040 unsigned char *buf,
2041 size_t *olen )
2042{
2043 unsigned char *p = buf;
2044
2045 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
2046 {
2047 *olen = 0;
2048 return;
2049 }
2050
2051 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
2052
2053 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
2054 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
2055
2056 *p++ = 0x00;
2057 *p++ = 0x00;
2058
2059 *olen = 4;
2060}
2061#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2062
2063#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2064static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
2065 unsigned char *buf,
2066 size_t *olen )
2067{
2068 unsigned char *p = buf;
2069 const mbedtls_ssl_ciphersuite_t *suite = NULL;
2070 const mbedtls_cipher_info_t *cipher = NULL;
2071
2072 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
2073 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2074 {
2075 *olen = 0;
2076 return;
2077 }
2078
2079 /*
2080 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
2081 * from a client and then selects a stream or Authenticated Encryption
2082 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
2083 * encrypt-then-MAC response extension back to the client."
2084 */
2085 if( ( suite = mbedtls_ssl_ciphersuite_from_id(
2086 ssl->session_negotiate->ciphersuite ) ) == NULL ||
2087 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
2088 cipher->mode != MBEDTLS_MODE_CBC )
2089 {
2090 *olen = 0;
2091 return;
2092 }
2093
2094 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
2095
2096 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
2097 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
2098
2099 *p++ = 0x00;
2100 *p++ = 0x00;
2101
2102 *olen = 4;
2103}
2104#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2105
2106#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2107static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
2108 unsigned char *buf,
2109 size_t *olen )
2110{
2111 unsigned char *p = buf;
2112
2113 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
2114 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2115 {
2116 *olen = 0;
2117 return;
2118 }
2119
2120 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
2121 "extension" ) );
2122
2123 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
2124 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
2125
2126 *p++ = 0x00;
2127 *p++ = 0x00;
2128
2129 *olen = 4;
2130}
2131#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2132
2133#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2134static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
2135 unsigned char *buf,
2136 size_t *olen )
2137{
2138 unsigned char *p = buf;
2139
2140 if( ssl->handshake->new_session_ticket == 0 )
2141 {
2142 *olen = 0;
2143 return;
2144 }
2145
2146 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
2147
2148 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
2149 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
2150
2151 *p++ = 0x00;
2152 *p++ = 0x00;
2153
2154 *olen = 4;
2155}
2156#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2157
2158static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
2159 unsigned char *buf,
2160 size_t *olen )
2161{
2162 unsigned char *p = buf;
2163
2164 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
2165 {
2166 *olen = 0;
2167 return;
2168 }
2169
2170 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
2171
2172 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
2173 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
2174
2175#if defined(MBEDTLS_SSL_RENEGOTIATION)
2176 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
2177 {
2178 *p++ = 0x00;
2179 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
2180 *p++ = ssl->verify_data_len * 2 & 0xFF;
2181
2182 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
2183 p += ssl->verify_data_len;
2184 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
2185 p += ssl->verify_data_len;
2186 }
2187 else
2188#endif /* MBEDTLS_SSL_RENEGOTIATION */
2189 {
2190 *p++ = 0x00;
2191 *p++ = 0x01;
2192 *p++ = 0x00;
2193 }
2194
2195 *olen = p - buf;
2196}
2197
2198#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2199static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
2200 unsigned char *buf,
2201 size_t *olen )
2202{
2203 unsigned char *p = buf;
2204
2205 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
2206 {
2207 *olen = 0;
2208 return;
2209 }
2210
2211 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2212
2213 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
2214 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
2215
2216 *p++ = 0x00;
2217 *p++ = 1;
2218
2219 *p++ = ssl->session_negotiate->mfl_code;
2220
2221 *olen = 5;
2222}
2223#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2224
2225#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2226 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2227static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
2228 unsigned char *buf,
2229 size_t *olen )
2230{
2231 unsigned char *p = buf;
2232 ((void) ssl);
2233
2234 if( ( ssl->handshake->cli_exts &
2235 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
2236 {
2237 *olen = 0;
2238 return;
2239 }
2240
2241 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2242
2243 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
2244 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
2245
2246 *p++ = 0x00;
2247 *p++ = 2;
2248
2249 *p++ = 1;
2250 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
2251
2252 *olen = 6;
2253}
2254#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2255
2256#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2257static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
2258 unsigned char *buf,
2259 size_t *olen )
2260{
2261 int ret;
2262 unsigned char *p = buf;
2263 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2264 size_t kkpp_len;
2265
2266 *olen = 0;
2267
2268 /* Skip costly computation if not needed */
2269 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
2270 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2271 return;
2272
2273 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2274
2275 if( end - p < 4 )
2276 {
2277 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2278 return;
2279 }
2280
2281 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
2282 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
2283
2284 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
2285 p + 2, end - p - 2, &kkpp_len,
2286 ssl->conf->f_rng, ssl->conf->p_rng );
2287 if( ret != 0 )
2288 {
2289 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
2290 return;
2291 }
2292
2293 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
2294 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
2295
2296 *olen = kkpp_len + 4;
2297}
2298#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2299
2300#if defined(MBEDTLS_SSL_ALPN )
2301static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2302 unsigned char *buf, size_t *olen )
2303{
2304 if( ssl->alpn_chosen == NULL )
2305 {
2306 *olen = 0;
2307 return;
2308 }
2309
2310 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2311
2312 /*
2313 * 0 . 1 ext identifier
2314 * 2 . 3 ext length
2315 * 4 . 5 protocol list length
2316 * 6 . 6 protocol name length
2317 * 7 . 7+n protocol name
2318 */
2319 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
2320 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
2321
2322 *olen = 7 + strlen( ssl->alpn_chosen );
2323
2324 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
2325 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
2326
2327 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
2328 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
2329
2330 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
2331
2332 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
2333}
2334#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2335
2336#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2337static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
2338{
2339 int ret;
2340 unsigned char *p = ssl->out_msg + 4;
2341 unsigned char *cookie_len_byte;
2342
2343 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2344
2345 /*
2346 * struct {
2347 * ProtocolVersion server_version;
2348 * opaque cookie<0..2^8-1>;
2349 * } HelloVerifyRequest;
2350 */
2351
2352 /* The RFC is not clear on this point, but sending the actual negotiated
2353 * version looks like the most interoperable thing to do. */
2354 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2355 ssl->conf->transport, p );
2356 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
2357 p += 2;
2358
2359 /* If we get here, f_cookie_check is not null */
2360 if( ssl->conf->f_cookie_write == NULL )
2361 {
2362 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2363 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2364 }
2365
2366 /* Skip length byte until we know the length */
2367 cookie_len_byte = p++;
2368
2369 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
2370 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2371 ssl->cli_id, ssl->cli_id_len ) ) != 0 )
2372 {
2373 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
2374 return( ret );
2375 }
2376
2377 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
2378
2379 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
2380
2381 ssl->out_msglen = p - ssl->out_msg;
2382 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2383 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2384
2385 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2386
2387 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
2388 {
2389 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
2390 return( ret );
2391 }
2392
2393#if defined(MBEDTLS_SSL_PROTO_DTLS)
2394 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2395 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2396 {
2397 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2398 return( ret );
2399 }
2400#endif /* MBEDTLS_SSL_PROTO_DTLS */
2401
2402 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2403
2404 return( 0 );
2405}
2406#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2407
2408static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
2409{
2410#if defined(MBEDTLS_HAVE_TIME)
2411 mbedtls_time_t t;
2412#endif
2413 int ret;
2414 size_t olen, ext_len = 0, n;
2415 unsigned char *buf, *p;
2416
2417 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2418
2419#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2420 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2421 ssl->handshake->verify_cookie_len != 0 )
2422 {
2423 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2424 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2425
2426 return( ssl_write_hello_verify_request( ssl ) );
2427 }
2428#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2429
2430 if( ssl->conf->f_rng == NULL )
2431 {
2432 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2433 return( MBEDTLS_ERR_SSL_NO_RNG );
2434 }
2435
2436 /*
2437 * 0 . 0 handshake type
2438 * 1 . 3 handshake length
2439 * 4 . 5 protocol version
2440 * 6 . 9 UNIX time()
2441 * 10 . 37 random bytes
2442 */
2443 buf = ssl->out_msg;
2444 p = buf + 4;
2445
2446 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2447 ssl->conf->transport, p );
2448 p += 2;
2449
2450 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2451 buf[4], buf[5] ) );
2452
2453#if defined(MBEDTLS_HAVE_TIME)
2454 t = mbedtls_time( NULL );
2455 *p++ = (unsigned char)( t >> 24 );
2456 *p++ = (unsigned char)( t >> 16 );
2457 *p++ = (unsigned char)( t >> 8 );
2458 *p++ = (unsigned char)( t );
2459
2460 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
2461#else
2462 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
2463 return( ret );
2464
2465 p += 4;
2466#endif /* MBEDTLS_HAVE_TIME */
2467
2468 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
2469 return( ret );
2470
2471 p += 28;
2472
2473 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
2474
2475 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
2476
2477 /*
2478 * Resume is 0 by default, see ssl_handshake_init().
2479 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2480 * If not, try looking up session ID in our cache.
2481 */
2482 if( ssl->handshake->resume == 0 &&
2483#if defined(MBEDTLS_SSL_RENEGOTIATION)
2484 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
2485#endif
2486 ssl->session_negotiate->id_len != 0 &&
2487 ssl->conf->f_get_cache != NULL &&
2488 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
2489 {
2490 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2491 ssl->handshake->resume = 1;
2492 }
2493
2494 if( ssl->handshake->resume == 0 )
2495 {
2496 /*
2497 * New session, create a new session id,
2498 * unless we're about to issue a session ticket
2499 */
2500 ssl->state++;
2501
2502#if defined(MBEDTLS_HAVE_TIME)
2503 ssl->session_negotiate->start = mbedtls_time( NULL );
2504#endif
2505
2506#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2507 if( ssl->handshake->new_session_ticket != 0 )
2508 {
2509 ssl->session_negotiate->id_len = n = 0;
2510 memset( ssl->session_negotiate->id, 0, 32 );
2511 }
2512 else
2513#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2514 {
2515 ssl->session_negotiate->id_len = n = 32;
2516 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
2517 n ) ) != 0 )
2518 return( ret );
2519 }
2520 }
2521 else
2522 {
2523 /*
2524 * Resuming a session
2525 */
2526 n = ssl->session_negotiate->id_len;
2527 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2528
2529 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2530 {
2531 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2532 return( ret );
2533 }
2534 }
2535
2536 /*
2537 * 38 . 38 session id length
2538 * 39 . 38+n session id
2539 * 39+n . 40+n chosen ciphersuite
2540 * 41+n . 41+n chosen compression alg.
2541 * 42+n . 43+n extensions length
2542 * 44+n . 43+n+m extensions
2543 */
2544 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2545 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
2546 p += ssl->session_negotiate->id_len;
2547
2548 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
2549 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
2550 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2551 ssl->handshake->resume ? "a" : "no" ) );
2552
2553 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
2554 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
2555 *p++ = (unsigned char)( ssl->session_negotiate->compression );
2556
2557 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2558 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
2559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2560 ssl->session_negotiate->compression ) );
2561
2562 /* Do not write the extensions if the protocol is SSLv3 */
2563#if defined(MBEDTLS_SSL_PROTO_SSL3)
2564 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
2565 {
2566#endif
2567
2568 /*
2569 * First write extensions, then the total length
2570 */
2571 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
2572 ext_len += olen;
2573
2574#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2575 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
2576 ext_len += olen;
2577#endif
2578
2579#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2580 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
2581 ext_len += olen;
2582#endif
2583
2584#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2585 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
2586 ext_len += olen;
2587#endif
2588
2589#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2590 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
2591 ext_len += olen;
2592#endif
2593
2594#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2595 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
2596 ext_len += olen;
2597#endif
2598
2599#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2600 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2601 if ( mbedtls_ssl_ciphersuite_uses_ec(
2602 mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
2603 {
2604 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
2605 ext_len += olen;
2606 }
2607#endif
2608
2609#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2610 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
2611 ext_len += olen;
2612#endif
2613
2614#if defined(MBEDTLS_SSL_ALPN)
2615 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
2616 ext_len += olen;
2617#endif
2618
2619 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
2620
2621 if( ext_len > 0 )
2622 {
2623 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
2624 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
2625 p += ext_len;
2626 }
2627
2628#if defined(MBEDTLS_SSL_PROTO_SSL3)
2629 }
2630#endif
2631
2632 ssl->out_msglen = p - buf;
2633 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2634 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2635
2636 ret = mbedtls_ssl_write_handshake_msg( ssl );
2637
2638 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2639
2640 return( ret );
2641}
2642
2643#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
2644 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
2645 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
2646 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
2647 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
2648 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2649static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2650{
2651 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2652 ssl->transform_negotiate->ciphersuite_info;
2653
2654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2655
2656 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2657 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2658 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2659 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2660 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2661 {
2662 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2663 ssl->state++;
2664 return( 0 );
2665 }
2666
2667 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2668 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2669}
2670#else
2671static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2672{
2673 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2674 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2675 ssl->transform_negotiate->ciphersuite_info;
2676 size_t dn_size, total_dn_size; /* excluding length bytes */
2677 size_t ct_len, sa_len; /* including length bytes */
2678 unsigned char *buf, *p;
2679 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2680 const mbedtls_x509_crt *crt;
2681 int authmode;
2682
2683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2684
2685 ssl->state++;
2686
2687#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2688 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2689 authmode = ssl->handshake->sni_authmode;
2690 else
2691#endif
2692 authmode = ssl->conf->authmode;
2693
2694 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2695 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2696 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2697 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2698 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
2699 authmode == MBEDTLS_SSL_VERIFY_NONE )
2700 {
2701 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2702 return( 0 );
2703 }
2704
2705 /*
2706 * 0 . 0 handshake type
2707 * 1 . 3 handshake length
2708 * 4 . 4 cert type count
2709 * 5 .. m-1 cert types
2710 * m .. m+1 sig alg length (TLS 1.2 only)
2711 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2712 * n .. n+1 length of all DNs
2713 * n+2 .. n+3 length of DN 1
2714 * n+4 .. ... Distinguished Name #1
2715 * ... .. ... length of DN 2, etc.
2716 */
2717 buf = ssl->out_msg;
2718 p = buf + 4;
2719
2720 /*
2721 * Supported certificate types
2722 *
2723 * ClientCertificateType certificate_types<1..2^8-1>;
2724 * enum { (255) } ClientCertificateType;
2725 */
2726 ct_len = 0;
2727
2728#if defined(MBEDTLS_RSA_C)
2729 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2730#endif
2731#if defined(MBEDTLS_ECDSA_C)
2732 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2733#endif
2734
2735 p[0] = (unsigned char) ct_len++;
2736 p += ct_len;
2737
2738 sa_len = 0;
2739#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2740 /*
2741 * Add signature_algorithms for verify (TLS 1.2)
2742 *
2743 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2744 *
2745 * struct {
2746 * HashAlgorithm hash;
2747 * SignatureAlgorithm signature;
2748 * } SignatureAndHashAlgorithm;
2749 *
2750 * enum { (255) } HashAlgorithm;
2751 * enum { (255) } SignatureAlgorithm;
2752 */
2753 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2754 {
2755 const int *cur;
2756
2757 /*
2758 * Supported signature algorithms
2759 */
2760 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
2761 {
2762 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
2763
2764 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
2765 continue;
2766
2767#if defined(MBEDTLS_RSA_C)
2768 p[2 + sa_len++] = hash;
2769 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
2770#endif
2771#if defined(MBEDTLS_ECDSA_C)
2772 p[2 + sa_len++] = hash;
2773 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
2774#endif
2775 }
2776
2777 p[0] = (unsigned char)( sa_len >> 8 );
2778 p[1] = (unsigned char)( sa_len );
2779 sa_len += 2;
2780 p += sa_len;
2781 }
2782#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2783
2784 /*
2785 * DistinguishedName certificate_authorities<0..2^16-1>;
2786 * opaque DistinguishedName<1..2^16-1>;
2787 */
2788 p += 2;
2789
2790 total_dn_size = 0;
2791
2792 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
2793 {
2794#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2795 if( ssl->handshake->sni_ca_chain != NULL )
2796 crt = ssl->handshake->sni_ca_chain;
2797 else
2798#endif
2799 crt = ssl->conf->ca_chain;
2800
2801 while( crt != NULL && crt->version != 0 )
2802 {
2803 dn_size = crt->subject_raw.len;
2804
2805 if( end < p ||
2806 (size_t)( end - p ) < dn_size ||
2807 (size_t)( end - p ) < 2 + dn_size )
2808 {
2809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2810 break;
2811 }
2812
2813 *p++ = (unsigned char)( dn_size >> 8 );
2814 *p++ = (unsigned char)( dn_size );
2815 memcpy( p, crt->subject_raw.p, dn_size );
2816 p += dn_size;
2817
2818 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
2819
2820 total_dn_size += 2 + dn_size;
2821 crt = crt->next;
2822 }
2823 }
2824
2825 ssl->out_msglen = p - buf;
2826 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2827 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2828 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2829 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2830
2831 ret = mbedtls_ssl_write_handshake_msg( ssl );
2832
2833 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2834
2835 return( ret );
2836}
2837#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
2838 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
2839 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
2840 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
2841 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
2842 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2843
2844#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2845 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2846static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2847{
2848 int ret;
2849
2850 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
2851 {
2852 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2853 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2854 }
2855
2856 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
2857 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
2858 MBEDTLS_ECDH_OURS ) ) != 0 )
2859 {
2860 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2861 return( ret );
2862 }
2863
2864 return( 0 );
2865}
2866#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2867 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2868
2869#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
2870 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2871static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
2872 size_t *signature_len )
2873{
2874 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2875 * signature length which will be added in ssl_write_server_key_exchange
2876 * after the call to ssl_prepare_server_key_exchange.
2877 * ssl_write_server_key_exchange also takes care of incrementing
2878 * ssl->out_msglen. */
2879 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
2880 size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2881 - sig_start );
2882 int ret = ssl->conf->f_async_resume( ssl,
2883 sig_start, signature_len, sig_max_len );
2884 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
2885 {
2886 ssl->handshake->async_in_progress = 0;
2887 mbedtls_ssl_set_async_operation_data( ssl, NULL );
2888 }
2889 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
2890 return( ret );
2891}
2892#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
2893 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
2894
2895/* Prepare the ServerKeyExchange message, up to and including
2896 * calculating the signature if any, but excluding formatting the
2897 * signature and sending the message. */
2898static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
2899 size_t *signature_len )
2900{
2901 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2902 ssl->transform_negotiate->ciphersuite_info;
2903#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
2904#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2905 unsigned char *dig_signed = NULL;
2906#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2907#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
2908
2909 (void) ciphersuite_info; /* unused in some configurations */
2910#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2911 (void) signature_len;
2912#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2913
2914 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
2915
2916 /*
2917 *
2918 * Part 1: Provide key exchange parameters for chosen ciphersuite.
2919 *
2920 */
2921
2922 /*
2923 * - ECJPAKE key exchanges
2924 */
2925#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2926 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2927 {
2928 int ret;
2929 size_t len = 0;
2930
2931 ret = mbedtls_ecjpake_write_round_two(
2932 &ssl->handshake->ecjpake_ctx,
2933 ssl->out_msg + ssl->out_msglen,
2934 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
2935 ssl->conf->f_rng, ssl->conf->p_rng );
2936 if( ret != 0 )
2937 {
2938 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
2939 return( ret );
2940 }
2941
2942 ssl->out_msglen += len;
2943 }
2944#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2945
2946 /*
2947 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2948 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2949 * we use empty support identity hints here.
2950 **/
2951#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2952 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2953 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2954 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2955 {
2956 ssl->out_msg[ssl->out_msglen++] = 0x00;
2957 ssl->out_msg[ssl->out_msglen++] = 0x00;
2958 }
2959#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
2960 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2961
2962 /*
2963 * - DHE key exchanges
2964 */
2965#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
2966 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
2967 {
2968 int ret;
2969 size_t len = 0;
2970
2971 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
2972 {
2973 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
2974 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2975 }
2976
2977 /*
2978 * Ephemeral DH parameters:
2979 *
2980 * struct {
2981 * opaque dh_p<1..2^16-1>;
2982 * opaque dh_g<1..2^16-1>;
2983 * opaque dh_Ys<1..2^16-1>;
2984 * } ServerDHParams;
2985 */
2986 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
2987 &ssl->conf->dhm_P,
2988 &ssl->conf->dhm_G ) ) != 0 )
2989 {
2990 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
2991 return( ret );
2992 }
2993
2994 if( ( ret = mbedtls_dhm_make_params(
2995 &ssl->handshake->dhm_ctx,
2996 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
2997 ssl->out_msg + ssl->out_msglen, &len,
2998 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2999 {
3000 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
3001 return( ret );
3002 }
3003
3004#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3005 dig_signed = ssl->out_msg + ssl->out_msglen;
3006#endif
3007
3008 ssl->out_msglen += len;
3009
3010 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3011 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
3012 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
3013 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3014 }
3015#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
3016
3017 /*
3018 * - ECDHE key exchanges
3019 */
3020#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
3021 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
3022 {
3023 /*
3024 * Ephemeral ECDH parameters:
3025 *
3026 * struct {
3027 * ECParameters curve_params;
3028 * ECPoint public;
3029 * } ServerECDHParams;
3030 */
3031 const mbedtls_ecp_curve_info **curve = NULL;
3032 const mbedtls_ecp_group_id *gid;
3033 int ret;
3034 size_t len = 0;
3035
3036 /* Match our preference list against the offered curves */
3037 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
3038 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
3039 if( (*curve)->grp_id == *gid )
3040 goto curve_matching_done;
3041
3042curve_matching_done:
3043 if( curve == NULL || *curve == NULL )
3044 {
3045 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
3046 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
3047 }
3048
3049 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
3050
3051 if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
3052 (*curve)->grp_id ) ) != 0 )
3053 {
3054 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
3055 return( ret );
3056 }
3057
3058 if( ( ret = mbedtls_ecdh_make_params(
3059 &ssl->handshake->ecdh_ctx, &len,
3060 ssl->out_msg + ssl->out_msglen,
3061 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3062 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3063 {
3064 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
3065 return( ret );
3066 }
3067
3068#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3069 dig_signed = ssl->out_msg + ssl->out_msglen;
3070#endif
3071
3072 ssl->out_msglen += len;
3073
3074 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3075 MBEDTLS_DEBUG_ECDH_Q );
3076 }
3077#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
3078
3079 /*
3080 *
3081 * Part 2: For key exchanges involving the server signing the
3082 * exchange parameters, compute and add the signature here.
3083 *
3084 */
3085#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3086 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
3087 {
3088 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
3089 size_t hashlen = 0;
3090 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3091 int ret;
3092
3093 /*
3094 * 2.1: Choose hash algorithm:
3095 * A: For TLS 1.2, obey signature-hash-algorithm extension
3096 * to choose appropriate hash.
3097 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
3098 * (RFC 4492, Sec. 5.4)
3099 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
3100 */
3101
3102 mbedtls_md_type_t md_alg;
3103
3104#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3105 mbedtls_pk_type_t sig_alg =
3106 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
3107 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3108 {
3109 /* A: For TLS 1.2, obey signature-hash-algorithm extension
3110 * (RFC 5246, Sec. 7.4.1.4.1). */
3111 if( sig_alg == MBEDTLS_PK_NONE ||
3112 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
3113 sig_alg ) ) == MBEDTLS_MD_NONE )
3114 {
3115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3116 /* (... because we choose a cipher suite
3117 * only if there is a matching hash.) */
3118 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3119 }
3120 }
3121 else
3122#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3123#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3124 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3125 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3126 {
3127 /* B: Default hash SHA1 */
3128 md_alg = MBEDTLS_MD_SHA1;
3129 }
3130 else
3131#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3132 MBEDTLS_SSL_PROTO_TLS1_1 */
3133 {
3134 /* C: MD5 + SHA1 */
3135 md_alg = MBEDTLS_MD_NONE;
3136 }
3137
3138 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
3139
3140 /*
3141 * 2.2: Compute the hash to be signed
3142 */
3143#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3144 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3145 if( md_alg == MBEDTLS_MD_NONE )
3146 {
3147 hashlen = 36;
3148 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
3149 dig_signed,
3150 dig_signed_len );
3151 if( ret != 0 )
3152 return( ret );
3153 }
3154 else
3155#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3156 MBEDTLS_SSL_PROTO_TLS1_1 */
3157#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3158 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3159 if( md_alg != MBEDTLS_MD_NONE )
3160 {
3161 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
3162 dig_signed,
3163 dig_signed_len,
3164 md_alg );
3165 if( ret != 0 )
3166 return( ret );
3167 }
3168 else
3169#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3170 MBEDTLS_SSL_PROTO_TLS1_2 */
3171 {
3172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3173 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3174 }
3175
3176 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
3177
3178 /*
3179 * 2.3: Compute and add the signature
3180 */
3181#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3182 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3183 {
3184 /*
3185 * For TLS 1.2, we need to specify signature and hash algorithm
3186 * explicitly through a prefix to the signature.
3187 *
3188 * struct {
3189 * HashAlgorithm hash;
3190 * SignatureAlgorithm signature;
3191 * } SignatureAndHashAlgorithm;
3192 *
3193 * struct {
3194 * SignatureAndHashAlgorithm algorithm;
3195 * opaque signature<0..2^16-1>;
3196 * } DigitallySigned;
3197 *
3198 */
3199
3200 ssl->out_msg[ssl->out_msglen++] =
3201 mbedtls_ssl_hash_from_md_alg( md_alg );
3202 ssl->out_msg[ssl->out_msglen++] =
3203 mbedtls_ssl_sig_from_pk_alg( sig_alg );
3204 }
3205#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3206
3207#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3208 if( ssl->conf->f_async_sign_start != NULL )
3209 {
3210 ret = ssl->conf->f_async_sign_start( ssl,
3211 mbedtls_ssl_own_cert( ssl ),
3212 md_alg, hash, hashlen );
3213 switch( ret )
3214 {
3215 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3216 /* act as if f_async_sign was null */
3217 break;
3218 case 0:
3219 ssl->handshake->async_in_progress = 1;
3220 return( ssl_resume_server_key_exchange( ssl, signature_len ) );
3221 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3222 ssl->handshake->async_in_progress = 1;
3223 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3224 default:
3225 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
3226 return( ret );
3227 }
3228 }
3229#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3230
3231 if( mbedtls_ssl_own_key( ssl ) == NULL )
3232 {
3233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
3234 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3235 }
3236
3237 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3238 * signature length which will be added in ssl_write_server_key_exchange
3239 * after the call to ssl_prepare_server_key_exchange.
3240 * ssl_write_server_key_exchange also takes care of incrementing
3241 * ssl->out_msglen. */
3242 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
3243 md_alg, hash, hashlen,
3244 ssl->out_msg + ssl->out_msglen + 2,
3245 signature_len,
3246 ssl->conf->f_rng,
3247 ssl->conf->p_rng ) ) != 0 )
3248 {
3249 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3250 return( ret );
3251 }
3252 }
3253#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3254
3255 return( 0 );
3256}
3257
3258/* Prepare the ServerKeyExchange message and send it. For ciphersuites
3259 * that do not include a ServerKeyExchange message, do nothing. Either
3260 * way, if successful, move on to the next step in the SSL state
3261 * machine. */
3262static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
3263{
3264 int ret;
3265 size_t signature_len = 0;
3266#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
3267 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3268 ssl->transform_negotiate->ciphersuite_info;
3269#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
3270
3271 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
3272
3273#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
3274 /* Extract static ECDH parameters and abort if ServerKeyExchange
3275 * is not needed. */
3276 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
3277 {
3278 /* For suites involving ECDH, extract DH parameters
3279 * from certificate at this point. */
3280#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
3281 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
3282 {
3283 ssl_get_ecdh_params_from_cert( ssl );
3284 }
3285#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
3286
3287 /* Key exchanges not involving ephemeral keys don't use
3288 * ServerKeyExchange, so end here. */
3289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
3290 ssl->state++;
3291 return( 0 );
3292 }
3293#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
3294
3295#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
3296 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3297 /* If we have already prepared the message and there is an ongoing
3298 * signature operation, resume signing. */
3299 if( ssl->handshake->async_in_progress != 0 )
3300 {
3301 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
3302 ret = ssl_resume_server_key_exchange( ssl, &signature_len );
3303 }
3304 else
3305#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
3306 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3307 {
3308 /* ServerKeyExchange is needed. Prepare the message. */
3309 ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
3310 }
3311
3312 if( ret != 0 )
3313 {
3314 /* If we're starting to write a new message, set ssl->out_msglen
3315 * to 0. But if we're resuming after an asynchronous message,
3316 * out_msglen is the amount of data written so far and mst be
3317 * preserved. */
3318 if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3319 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
3320 else
3321 ssl->out_msglen = 0;
3322 return( ret );
3323 }
3324
3325 /* If there is a signature, write its length.
3326 * ssl_prepare_server_key_exchange already wrote the signature
3327 * itself at its proper place in the output buffer. */
3328#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3329 if( signature_len != 0 )
3330 {
3331 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
3332 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
3333
3334 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
3335 ssl->out_msg + ssl->out_msglen,
3336 signature_len );
3337
3338 /* Skip over the already-written signature */
3339 ssl->out_msglen += signature_len;
3340 }
3341#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3342
3343 /* Add header and send. */
3344 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3345 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3346
3347 ssl->state++;
3348
3349 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3350 {
3351 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3352 return( ret );
3353 }
3354
3355 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3356 return( 0 );
3357}
3358
3359static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
3360{
3361 int ret;
3362
3363 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3364
3365 ssl->out_msglen = 4;
3366 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3367 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3368
3369 ssl->state++;
3370
3371#if defined(MBEDTLS_SSL_PROTO_DTLS)
3372 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3373 mbedtls_ssl_send_flight_completed( ssl );
3374#endif
3375
3376 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3377 {
3378 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3379 return( ret );
3380 }
3381
3382#if defined(MBEDTLS_SSL_PROTO_DTLS)
3383 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3384 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3385 {
3386 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
3387 return( ret );
3388 }
3389#endif /* MBEDTLS_SSL_PROTO_DTLS */
3390
3391 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3392
3393 return( 0 );
3394}
3395
3396#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3397 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3398static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
3399 const unsigned char *end )
3400{
3401 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3402 size_t n;
3403
3404 /*
3405 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3406 */
3407 if( *p + 2 > end )
3408 {
3409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3410 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3411 }
3412
3413 n = ( (*p)[0] << 8 ) | (*p)[1];
3414 *p += 2;
3415
3416 if( *p + n > end )
3417 {
3418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3419 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3420 }
3421
3422 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
3423 {
3424 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
3425 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3426 }
3427
3428 *p += n;
3429
3430 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
3431
3432 return( ret );
3433}
3434#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3435 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3436
3437#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3438 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3439
3440#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3441static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
3442 unsigned char *peer_pms,
3443 size_t *peer_pmslen,
3444 size_t peer_pmssize )
3445{
3446 int ret = ssl->conf->f_async_resume( ssl,
3447 peer_pms, peer_pmslen, peer_pmssize );
3448 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3449 {
3450 ssl->handshake->async_in_progress = 0;
3451 mbedtls_ssl_set_async_operation_data( ssl, NULL );
3452 }
3453 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
3454 return( ret );
3455}
3456#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3457
3458static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
3459 const unsigned char *p,
3460 const unsigned char *end,
3461 unsigned char *peer_pms,
3462 size_t *peer_pmslen,
3463 size_t peer_pmssize )
3464{
3465 int ret;
3466 mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
3467 mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
3468 size_t len = mbedtls_pk_get_len( public_key );
3469
3470#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3471 /* If we have already started decoding the message and there is an ongoing
3472 * decryption operation, resume signing. */
3473 if( ssl->handshake->async_in_progress != 0 )
3474 {
3475 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
3476 return( ssl_resume_decrypt_pms( ssl,
3477 peer_pms, peer_pmslen, peer_pmssize ) );
3478 }
3479#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3480
3481 /*
3482 * Prepare to decrypt the premaster using own private RSA key
3483 */
3484#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3485 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3486 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
3487 {
3488 if ( p + 2 > end ) {
3489 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3490 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3491 }
3492 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
3493 *p++ != ( ( len ) & 0xFF ) )
3494 {
3495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3496 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3497 }
3498 }
3499#endif
3500
3501 if( p + len != end )
3502 {
3503 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3504 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3505 }
3506
3507 /*
3508 * Decrypt the premaster secret
3509 */
3510#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3511 if( ssl->conf->f_async_decrypt_start != NULL )
3512 {
3513 ret = ssl->conf->f_async_decrypt_start( ssl,
3514 mbedtls_ssl_own_cert( ssl ),
3515 p, len );
3516 switch( ret )
3517 {
3518 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3519 /* act as if f_async_decrypt_start was null */
3520 break;
3521 case 0:
3522 ssl->handshake->async_in_progress = 1;
3523 return( ssl_resume_decrypt_pms( ssl,
3524 peer_pms,
3525 peer_pmslen,
3526 peer_pmssize ) );
3527 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3528 ssl->handshake->async_in_progress = 1;
3529 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3530 default:
3531 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
3532 return( ret );
3533 }
3534 }
3535#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3536
3537 if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
3538 {
3539 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3540 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3541 }
3542
3543 ret = mbedtls_pk_decrypt( private_key, p, len,
3544 peer_pms, peer_pmslen, peer_pmssize,
3545 ssl->conf->f_rng, ssl->conf->p_rng );
3546 return( ret );
3547}
3548
3549static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
3550 const unsigned char *p,
3551 const unsigned char *end,
3552 size_t pms_offset )
3553{
3554 int ret;
3555 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3556 unsigned char ver[2];
3557 unsigned char fake_pms[48], peer_pms[48];
3558 unsigned char mask;
3559 size_t i, peer_pmslen;
3560 unsigned int diff;
3561
3562 /* In case of a failure in decryption, the decryption may write less than
3563 * 2 bytes of output, but we always read the first two bytes. It doesn't
3564 * matter in the end because diff will be nonzero in that case due to
3565 * peer_pmslen being less than 48, and we only care whether diff is 0.
3566 * But do initialize peer_pms for robustness anyway. This also makes
3567 * memory analyzers happy (don't access uninitialized memory, even
3568 * if it's an unsigned char). */
3569 peer_pms[0] = peer_pms[1] = ~0;
3570
3571 ret = ssl_decrypt_encrypted_pms( ssl, p, end,
3572 peer_pms,
3573 &peer_pmslen,
3574 sizeof( peer_pms ) );
3575
3576#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3577 if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3578 return( ret );
3579#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3580
3581 mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
3582 ssl->handshake->max_minor_ver,
3583 ssl->conf->transport, ver );
3584
3585 /* Avoid data-dependent branches while checking for invalid
3586 * padding, to protect against timing-based Bleichenbacher-type
3587 * attacks. */
3588 diff = (unsigned int) ret;
3589 diff |= peer_pmslen ^ 48;
3590 diff |= peer_pms[0] ^ ver[0];
3591 diff |= peer_pms[1] ^ ver[1];
3592
3593 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3594 /* MSVC has a warning about unary minus on unsigned, but this is
3595 * well-defined and precisely what we want to do here */
3596#if defined(_MSC_VER)
3597#pragma warning( push )
3598#pragma warning( disable : 4146 )
3599#endif
3600 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
3601#if defined(_MSC_VER)
3602#pragma warning( pop )
3603#endif
3604
3605 /*
3606 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3607 * must not cause the connection to end immediately; instead, send a
3608 * bad_record_mac later in the handshake.
3609 * To protect against timing-based variants of the attack, we must
3610 * not have any branch that depends on whether the decryption was
3611 * successful. In particular, always generate the fake premaster secret,
3612 * regardless of whether it will ultimately influence the output or not.
3613 */
3614 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
3615 if( ret != 0 )
3616 {
3617 /* It's ok to abort on an RNG failure, since this does not reveal
3618 * anything about the RSA decryption. */
3619 return( ret );
3620 }
3621
3622#if defined(MBEDTLS_SSL_DEBUG_ALL)
3623 if( diff != 0 )
3624 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3625#endif
3626
3627 if( sizeof( ssl->handshake->premaster ) < pms_offset ||
3628 sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
3629 {
3630 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3631 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3632 }
3633 ssl->handshake->pmslen = 48;
3634
3635 /* Set pms to either the true or the fake PMS, without
3636 * data-dependent branches. */
3637 for( i = 0; i < ssl->handshake->pmslen; i++ )
3638 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
3639
3640 return( 0 );
3641}
3642#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3643 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3644
3645#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3646static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
3647 const unsigned char *end )
3648{
3649 int ret = 0;
3650 size_t n;
3651
3652 if( ssl->conf->f_psk == NULL &&
3653 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
3654 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
3655 {
3656 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3657 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3658 }
3659
3660 /*
3661 * Receive client pre-shared key identity name
3662 */
3663 if( end - *p < 2 )
3664 {
3665 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3666 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3667 }
3668
3669 n = ( (*p)[0] << 8 ) | (*p)[1];
3670 *p += 2;
3671
3672 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
3673 {
3674 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3675 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3676 }
3677
3678 if( ssl->conf->f_psk != NULL )
3679 {
3680 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
3681 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3682 }
3683 else
3684 {
3685 /* Identity is not a big secret since clients send it in the clear,
3686 * but treat it carefully anyway, just in case */
3687 if( n != ssl->conf->psk_identity_len ||
3688 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
3689 {
3690 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3691 }
3692 }
3693
3694 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
3695 {
3696 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
3697 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3698 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
3699 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
3700 }
3701
3702 *p += n;
3703
3704 return( 0 );
3705}
3706#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3707
3708static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
3709{
3710 int ret;
3711 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3712 unsigned char *p, *end;
3713
3714 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
3715
3716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3717
3718#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3719 ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3720 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
3721 if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3722 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
3723 ( ssl->handshake->async_in_progress != 0 ) )
3724 {
3725 /* We've already read a record and there is an asynchronous
3726 * operation in progress to decrypt it. So skip reading the
3727 * record. */
3728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
3729 }
3730 else
3731#endif
3732 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3733 {
3734 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3735 return( ret );
3736 }
3737
3738 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3739 end = ssl->in_msg + ssl->in_hslen;
3740
3741 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3742 {
3743 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3744 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3745 }
3746
3747 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
3748 {
3749 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3750 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3751 }
3752
3753#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3754 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3755 {
3756 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3757 {
3758 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3759 return( ret );
3760 }
3761
3762 if( p != end )
3763 {
3764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3765 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3766 }
3767
3768 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3769 ssl->handshake->premaster,
3770 MBEDTLS_PREMASTER_SIZE,
3771 &ssl->handshake->pmslen,
3772 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3773 {
3774 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3775 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3776 }
3777
3778 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3779 }
3780 else
3781#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3782#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3783 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3784 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3785 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3786 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3787 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3788 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3789 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3790 {
3791 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3792 p, end - p) ) != 0 )
3793 {
3794 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3795 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3796 }
3797
3798 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3799 MBEDTLS_DEBUG_ECDH_QP );
3800
3801 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3802 &ssl->handshake->pmslen,
3803 ssl->handshake->premaster,
3804 MBEDTLS_MPI_MAX_SIZE,
3805 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3806 {
3807 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3808 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3809 }
3810
3811 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3812 MBEDTLS_DEBUG_ECDH_Z );
3813 }
3814 else
3815#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3816 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3817 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3818 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3819#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3820 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3821 {
3822 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3823 {
3824 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3825 return( ret );
3826 }
3827
3828 if( p != end )
3829 {
3830 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3831 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3832 }
3833
3834 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3835 ciphersuite_info->key_exchange ) ) != 0 )
3836 {
3837 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3838 return( ret );
3839 }
3840 }
3841 else
3842#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3843#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3844 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3845 {
3846#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3847 if ( ssl->handshake->async_in_progress != 0 )
3848 {
3849 /* There is an asynchronous operation in progress to
3850 * decrypt the encrypted premaster secret, so skip
3851 * directly to resuming this operation. */
3852 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
3853 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3854 * won't actually use it, but maintain p anyway for robustness. */
3855 p += ssl->conf->psk_identity_len + 2;
3856 }
3857 else
3858#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3859 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3860 {
3861 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3862 return( ret );
3863 }
3864
3865 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
3866 {
3867 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
3868 return( ret );
3869 }
3870
3871 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3872 ciphersuite_info->key_exchange ) ) != 0 )
3873 {
3874 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3875 return( ret );
3876 }
3877 }
3878 else
3879#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3880#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3881 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3882 {
3883 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3884 {
3885 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3886 return( ret );
3887 }
3888 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3889 {
3890 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3891 return( ret );
3892 }
3893
3894 if( p != end )
3895 {
3896 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3897 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3898 }
3899
3900 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3901 ciphersuite_info->key_exchange ) ) != 0 )
3902 {
3903 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3904 return( ret );
3905 }
3906 }
3907 else
3908#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3909#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3910 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3911 {
3912 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3913 {
3914 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3915 return( ret );
3916 }
3917
3918 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3919 p, end - p ) ) != 0 )
3920 {
3921 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3922 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3923 }
3924
3925 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3926 MBEDTLS_DEBUG_ECDH_QP );
3927
3928 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3929 ciphersuite_info->key_exchange ) ) != 0 )
3930 {
3931 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3932 return( ret );
3933 }
3934 }
3935 else
3936#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3937#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3938 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3939 {
3940 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
3941 {
3942 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
3943 return( ret );
3944 }
3945 }
3946 else
3947#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3948#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3949 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3950 {
3951 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
3952 p, end - p );
3953 if( ret != 0 )
3954 {
3955 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
3956 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
3957 }
3958
3959 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3960 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3961 ssl->conf->f_rng, ssl->conf->p_rng );
3962 if( ret != 0 )
3963 {
3964 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3965 return( ret );
3966 }
3967 }
3968 else
3969#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3970 {
3971 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3972 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3973 }
3974
3975 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3976 {
3977 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3978 return( ret );
3979 }
3980
3981 ssl->state++;
3982
3983 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
3984
3985 return( 0 );
3986}
3987
3988#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3989 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3990 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3991 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3992 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3993 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3994static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
3995{
3996 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3997 ssl->transform_negotiate->ciphersuite_info;
3998
3999 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4000
4001 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
4002 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
4003 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
4004 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
4005 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4006 {
4007 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4008 ssl->state++;
4009 return( 0 );
4010 }
4011
4012 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4013 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4014}
4015#else
4016static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
4017{
4018 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4019 size_t i, sig_len;
4020 unsigned char hash[48];
4021 unsigned char *hash_start = hash;
4022 size_t hashlen;
4023#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4024 mbedtls_pk_type_t pk_alg;
4025#endif
4026 mbedtls_md_type_t md_alg;
4027 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4028 ssl->transform_negotiate->ciphersuite_info;
4029
4030 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4031
4032 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
4033 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
4034 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
4035 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
4036 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
4037 ssl->session_negotiate->peer_cert == NULL )
4038 {
4039 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4040 ssl->state++;
4041 return( 0 );
4042 }
4043
4044 /* Read the message without adding it to the checksum */
4045 ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
4046 if( 0 != ret )
4047 {
4048 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
4049 return( ret );
4050 }
4051
4052 ssl->state++;
4053
4054 /* Process the message contents */
4055 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4056 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
4057 {
4058 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4059 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4060 }
4061
4062 i = mbedtls_ssl_hs_hdr_len( ssl );
4063
4064 /*
4065 * struct {
4066 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4067 * opaque signature<0..2^16-1>;
4068 * } DigitallySigned;
4069 */
4070#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4071 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4072 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
4073 {
4074 md_alg = MBEDTLS_MD_NONE;
4075 hashlen = 36;
4076
4077 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
4078 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
4079 MBEDTLS_PK_ECDSA ) )
4080 {
4081 hash_start += 16;
4082 hashlen -= 16;
4083 md_alg = MBEDTLS_MD_SHA1;
4084 }
4085 }
4086 else
4087#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
4088 MBEDTLS_SSL_PROTO_TLS1_1 */
4089#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4090 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
4091 {
4092 if( i + 2 > ssl->in_hslen )
4093 {
4094 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4095 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4096 }
4097
4098 /*
4099 * Hash
4100 */
4101 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
4102
4103 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
4104 {
4105 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4106 " for verify message" ) );
4107 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4108 }
4109
4110#if !defined(MBEDTLS_MD_SHA1)
4111 if( MBEDTLS_MD_SHA1 == md_alg )
4112 hash_start += 16;
4113#endif
4114
4115 /* Info from md_alg will be used instead */
4116 hashlen = 0;
4117
4118 i++;
4119
4120 /*
4121 * Signature
4122 */
4123 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
4124 == MBEDTLS_PK_NONE )
4125 {
4126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4127 " for verify message" ) );
4128 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4129 }
4130
4131 /*
4132 * Check the certificate's key type matches the signature alg
4133 */
4134 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
4135 {
4136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
4137 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4138 }
4139
4140 i++;
4141 }
4142 else
4143#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4144 {
4145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4146 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4147 }
4148
4149 if( i + 2 > ssl->in_hslen )
4150 {
4151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4152 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4153 }
4154
4155 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
4156 i += 2;
4157
4158 if( i + sig_len != ssl->in_hslen )
4159 {
4160 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4161 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4162 }
4163
4164 /* Calculate hash and verify signature */
4165 ssl->handshake->calc_verify( ssl, hash );
4166
4167 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
4168 md_alg, hash_start, hashlen,
4169 ssl->in_msg + i, sig_len ) ) != 0 )
4170 {
4171 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
4172 return( ret );
4173 }
4174
4175 mbedtls_ssl_update_handshake_status( ssl );
4176
4177 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
4178
4179 return( ret );
4180}
4181#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
4182 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
4183 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
4184 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
4185 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
4186 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
4187
4188#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4189static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
4190{
4191 int ret;
4192 size_t tlen;
4193 uint32_t lifetime;
4194
4195 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
4196
4197 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4198 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4199
4200 /*
4201 * struct {
4202 * uint32 ticket_lifetime_hint;
4203 * opaque ticket<0..2^16-1>;
4204 * } NewSessionTicket;
4205 *
4206 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4207 * 8 . 9 ticket_len (n)
4208 * 10 . 9+n ticket content
4209 */
4210
4211 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
4212 ssl->session_negotiate,
4213 ssl->out_msg + 10,
4214 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4215 &tlen, &lifetime ) ) != 0 )
4216 {
4217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
4218 tlen = 0;
4219 }
4220
4221 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
4222 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
4223 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
4224 ssl->out_msg[7] = ( lifetime ) & 0xFF;
4225
4226 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
4227 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
4228
4229 ssl->out_msglen = 10 + tlen;
4230
4231 /*
4232 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4233 * ChangeCipherSpec share the same state.
4234 */
4235 ssl->handshake->new_session_ticket = 0;
4236
4237 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
4238 {
4239 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
4240 return( ret );
4241 }
4242
4243 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
4244
4245 return( 0 );
4246}
4247#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4248
4249/*
4250 * SSL handshake -- server side -- single step
4251 */
4252int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
4253{
4254 int ret = 0;
4255
4256 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
4257 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4258
4259 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
4260
4261 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
4262 return( ret );
4263
4264#if defined(MBEDTLS_SSL_PROTO_DTLS)
4265 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4266 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
4267 {
4268 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
4269 return( ret );
4270 }
4271#endif /* MBEDTLS_SSL_PROTO_DTLS */
4272
4273 switch( ssl->state )
4274 {
4275 case MBEDTLS_SSL_HELLO_REQUEST:
4276 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4277 break;
4278
4279 /*
4280 * <== ClientHello
4281 */
4282 case MBEDTLS_SSL_CLIENT_HELLO:
4283 ret = ssl_parse_client_hello( ssl );
4284 break;
4285
4286#if defined(MBEDTLS_SSL_PROTO_DTLS)
4287 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4288 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4289#endif
4290
4291 /*
4292 * ==> ServerHello
4293 * Certificate
4294 * ( ServerKeyExchange )
4295 * ( CertificateRequest )
4296 * ServerHelloDone
4297 */
4298 case MBEDTLS_SSL_SERVER_HELLO:
4299 ret = ssl_write_server_hello( ssl );
4300 break;
4301
4302 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4303 ret = mbedtls_ssl_write_certificate( ssl );
4304 break;
4305
4306 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4307 ret = ssl_write_server_key_exchange( ssl );
4308 break;
4309
4310 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4311 ret = ssl_write_certificate_request( ssl );
4312 break;
4313
4314 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4315 ret = ssl_write_server_hello_done( ssl );
4316 break;
4317
4318 /*
4319 * <== ( Certificate/Alert )
4320 * ClientKeyExchange
4321 * ( CertificateVerify )
4322 * ChangeCipherSpec
4323 * Finished
4324 */
4325 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4326 ret = mbedtls_ssl_parse_certificate( ssl );
4327 break;
4328
4329 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4330 ret = ssl_parse_client_key_exchange( ssl );
4331 break;
4332
4333 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4334 ret = ssl_parse_certificate_verify( ssl );
4335 break;
4336
4337 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4338 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
4339 break;
4340
4341 case MBEDTLS_SSL_CLIENT_FINISHED:
4342 ret = mbedtls_ssl_parse_finished( ssl );
4343 break;
4344
4345 /*
4346 * ==> ( NewSessionTicket )
4347 * ChangeCipherSpec
4348 * Finished
4349 */
4350 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4351#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4352 if( ssl->handshake->new_session_ticket != 0 )
4353 ret = ssl_write_new_session_ticket( ssl );
4354 else
4355#endif
4356 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
4357 break;
4358
4359 case MBEDTLS_SSL_SERVER_FINISHED:
4360 ret = mbedtls_ssl_write_finished( ssl );
4361 break;
4362
4363 case MBEDTLS_SSL_FLUSH_BUFFERS:
4364 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4365 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4366 break;
4367
4368 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4369 mbedtls_ssl_handshake_wrapup( ssl );
4370 break;
4371
4372 default:
4373 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4374 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4375 }
4376
4377 return( ret );
4378}
4379#endif /* MBEDTLS_SSL_SRV_C */
Note: See TracBrowser for help on using the repository browser.