search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / common / mbedtls / ssl_srv.c
blob3d15931aa01d8a72b2ce2d76f44e2b5563dce6b0
1 /*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_SSL_SRV_C)
23
24 #if defined(MBEDTLS_PLATFORM_C)
25 #include "mbedtls/platform.h"
26 #else
27 #include <stdlib.h>
28 #define mbedtls_calloc calloc
29 #define mbedtls_free free
30 #endif
31
32 #include "mbedtls/ssl.h"
33 #include "mbedtls/ssl_internal.h"
34 #include "mbedtls/debug.h"
35 #include "mbedtls/error.h"
36 #include "mbedtls/platform_util.h"
37
38 #include <string.h>
39
40 #if defined(MBEDTLS_ECP_C)
41 #include "mbedtls/ecp.h"
42 #endif
43
44 #if defined(MBEDTLS_HAVE_TIME)
45 #include "mbedtls/platform_time.h"
46 #endif
47
48 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
49 int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
50 const unsigned char *info,
51 size_t ilen) {
52 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER)
53 return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
54
55 mbedtls_free(ssl->cli_id);
56
57 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL)
58 return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
59
60 memcpy(ssl->cli_id, info, ilen);
61 ssl->cli_id_len = ilen;
62
63 return (0);
64 }
65
66 void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
67 mbedtls_ssl_cookie_write_t *f_cookie_write,
68 mbedtls_ssl_cookie_check_t *f_cookie_check,
69 void *p_cookie) {
70 conf->f_cookie_write = f_cookie_write;
71 conf->f_cookie_check = f_cookie_check;
72 conf->p_cookie = p_cookie;
73 }
74 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
75
76 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
77 static int ssl_parse_servername_ext(mbedtls_ssl_context *ssl,
78 const unsigned char *buf,
79 size_t len) {
80 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
81 size_t servername_list_size, hostname_len;
82 const unsigned char *p;
83
84 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
85
86 if (len < 2) {
87 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
88 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
89 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
90 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
91 }
92 servername_list_size = ((buf[0] << 8) | (buf[1]));
93 if (servername_list_size + 2 != len) {
94 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
95 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
96 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
97 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
98 }
99
100 p = buf + 2;
101 while (servername_list_size > 2) {
102 hostname_len = ((p[1] << 8) | p[2]);
103 if (hostname_len + 3 > servername_list_size) {
104 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
105 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
106 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
107 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
108 }
109
110 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
111 ret = ssl->conf->f_sni(ssl->conf->p_sni,
112 ssl, p + 3, hostname_len);
113 if (ret != 0) {
114 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
115 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
116 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME);
117 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
118 }
119 return (0);
120 }
121
122 servername_list_size -= hostname_len + 3;
123 p += hostname_len + 3;
124 }
125
126 if (servername_list_size != 0) {
127 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
128 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
129 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
130 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
131 }
132
133 return (0);
134 }
135 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
136
137 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
138 static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf) {
139 if (conf->f_psk != NULL)
140 return (1);
141
142 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL)
143 return (0);
144
145 if (conf->psk != NULL && conf->psk_len != 0)
146 return (1);
147
148 #if defined(MBEDTLS_USE_PSA_CRYPTO)
149 if (! mbedtls_svc_key_id_is_null(conf->psk_opaque))
150 return (1);
151 #endif /* MBEDTLS_USE_PSA_CRYPTO */
152
153 return (0);
154 }
155
156 #if defined(MBEDTLS_USE_PSA_CRYPTO)
157 static int ssl_use_opaque_psk(mbedtls_ssl_context const *ssl) {
158 if (ssl->conf->f_psk != NULL) {
159 /* If we've used a callback to select the PSK,
160 * the static configuration is irrelevant. */
161
162 if (! mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque))
163 return (1);
164
165 return (0);
166 }
167
168 if (! mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque))
169 return (1);
170
171 return (0);
172 }
173 #endif /* MBEDTLS_USE_PSA_CRYPTO */
174 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
175
176 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
177 const unsigned char *buf,
178 size_t len) {
179 #if defined(MBEDTLS_SSL_RENEGOTIATION)
180 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
181 /* Check verify-data in constant-time. The length OTOH is no secret */
182 if (len != 1 + ssl->verify_data_len ||
183 buf[0] != ssl->verify_data_len ||
184 mbedtls_ssl_safer_memcmp(buf + 1, ssl->peer_verify_data,
185 ssl->verify_data_len) != 0) {
186 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
187 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
188 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
189 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
190 }
191 } else
192 #endif /* MBEDTLS_SSL_RENEGOTIATION */
193 {
194 if (len != 1 || buf[0] != 0x0) {
195 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
196 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
197 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
198 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
199 }
200
201 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
202 }
203
204 return (0);
205 }
206
207 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
208 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
209
210 /*
211 * Status of the implementation of signature-algorithms extension:
212 *
213 * Currently, we are only considering the signature-algorithm extension
214 * to pick a ciphersuite which allows us to send the ServerKeyExchange
215 * message with a signature-hash combination that the user allows.
216 *
217 * We do *not* check whether all certificates in our certificate
218 * chain are signed with an allowed signature-hash pair.
219 * This needs to be done at a later stage.
220 *
221 */
222 static int ssl_parse_signature_algorithms_ext(mbedtls_ssl_context *ssl,
223 const unsigned char *buf,
224 size_t len) {
225 size_t sig_alg_list_size;
226
227 const unsigned char *p;
228 const unsigned char *end = buf + len;
229
230 mbedtls_md_type_t md_cur;
231 mbedtls_pk_type_t sig_cur;
232
233 if (len < 2) {
234 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
235 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
236 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
237 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
238 }
239 sig_alg_list_size = ((buf[0] << 8) | (buf[1]));
240 if (sig_alg_list_size + 2 != len ||
241 sig_alg_list_size % 2 != 0) {
242 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
243 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
244 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
245 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
246 }
247
248 /* Currently we only guarantee signing the ServerKeyExchange message according
249 * to the constraints specified in this extension (see above), so it suffices
250 * to remember only one suitable hash for each possible signature algorithm.
251 *
252 * This will change when we also consider certificate signatures,
253 * in which case we will need to remember the whole signature-hash
254 * pair list from the extension.
255 */
256
257 for (p = buf + 2; p < end; p += 2) {
258 /* Silently ignore unknown signature or hash algorithms. */
259
260 if ((sig_cur = mbedtls_ssl_pk_alg_from_sig(p[1])) == MBEDTLS_PK_NONE) {
261 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext"
262 " unknown sig alg encoding %d", p[1]));
263 continue;
264 }
265
266 /* Check if we support the hash the user proposes */
267 md_cur = mbedtls_ssl_md_alg_from_hash(p[0]);
268 if (md_cur == MBEDTLS_MD_NONE) {
269 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext:"
270 " unknown hash alg encoding %d", p[0]));
271 continue;
272 }
273
274 if (mbedtls_ssl_check_sig_hash(ssl, md_cur) == 0) {
275 mbedtls_ssl_sig_hash_set_add(&ssl->handshake->hash_algs, sig_cur, md_cur);
276 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext:"
277 " match sig %u and hash %u",
278 (unsigned) sig_cur, (unsigned) md_cur));
279 } else {
280 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: "
281 "hash alg %u not supported", (unsigned) md_cur));
282 }
283 }
284
285 return (0);
286 }
287 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
288 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
289
290 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
291 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
292 static int ssl_parse_supported_elliptic_curves(mbedtls_ssl_context *ssl,
293 const unsigned char *buf,
294 size_t len) {
295 size_t list_size, our_size;
296 const unsigned char *p;
297 const mbedtls_ecp_curve_info *curve_info, **curves;
298
299 if (len < 2) {
300 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
301 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
302 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
303 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
304 }
305 list_size = ((buf[0] << 8) | (buf[1]));
306 if (list_size + 2 != len ||
307 list_size % 2 != 0) {
308 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
309 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
310 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
311 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
312 }
313
314 /* Should never happen unless client duplicates the extension */
315 if (ssl->handshake->curves != NULL) {
316 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
317 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
318 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
319 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
320 }
321
322 /* Don't allow our peer to make us allocate too much memory,
323 * and leave room for a final 0 */
324 our_size = list_size / 2 + 1;
325 if (our_size > MBEDTLS_ECP_DP_MAX)
326 our_size = MBEDTLS_ECP_DP_MAX;
327
328 if ((curves = mbedtls_calloc(our_size, sizeof(*curves))) == NULL) {
329 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
330 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
331 return (MBEDTLS_ERR_SSL_ALLOC_FAILED);
332 }
333
334 ssl->handshake->curves = curves;
335
336 p = buf + 2;
337 while (list_size > 0 && our_size > 1) {
338 curve_info = mbedtls_ecp_curve_info_from_tls_id((p[0] << 8) | p[1]);
339
340 if (curve_info != NULL) {
341 *curves++ = curve_info;
342 our_size--;
343 }
344
345 list_size -= 2;
346 p += 2;
347 }
348
349 return (0);
350 }
351
352 static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
353 const unsigned char *buf,
354 size_t len) {
355 size_t list_size;
356 const unsigned char *p;
357
358 if (len == 0 || (size_t)(buf[0] + 1) != len) {
359 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
360 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
361 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
362 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
363 }
364 list_size = buf[0];
365
366 p = buf + 1;
367 while (list_size > 0) {
368 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
369 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
370 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
371 ssl->handshake->ecdh_ctx.point_format = p[0];
372 #endif
373 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
374 ssl->handshake->ecjpake_ctx.point_format = p[0];
375 #endif
376 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
377 return (0);
378 }
379
380 list_size--;
381 p++;
382 }
383
384 return (0);
385 }
386 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
387 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
388
389 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
390 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
391 const unsigned char *buf,
392 size_t len) {
393 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
394
395 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
396 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
397 return (0);
398 }
399
400 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
401 buf, len)) != 0) {
402 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
403 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
404 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
405 return (ret);
406 }
407
408 /* Only mark the extension as OK when we're sure it is */
409 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
410
411 return (0);
412 }
413 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
414
415 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
416 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
417 const unsigned char *buf,
418 size_t len) {
419 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
420 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
421 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
422 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
423 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
424 }
425
426 ssl->session_negotiate->mfl_code = buf[0];
427
428 return (0);
429 }
430 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
431
432 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
433 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
434 const unsigned char *buf,
435 size_t len) {
436 size_t peer_cid_len;
437
438 /* CID extension only makes sense in DTLS */
439 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
440 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
441 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
442 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
443 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
444 }
445
446 /*
447 * Quoting draft-ietf-tls-dtls-connection-id-05
448 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
449 *
450 * struct {
451 * opaque cid<0..2^8-1>;
452 * } ConnectionId;
453 */
454
455 if (len < 1) {
456 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
457 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
458 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
459 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
460 }
461
462 peer_cid_len = *buf++;
463 len--;
464
465 if (len != peer_cid_len) {
466 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
467 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
468 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
469 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
470 }
471
472 /* Ignore CID if the user has disabled its use. */
473 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
474 /* Leave ssl->handshake->cid_in_use in its default
475 * value of MBEDTLS_SSL_CID_DISABLED. */
476 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
477 return (0);
478 }
479
480 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
481 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
482 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
483 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
484 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
485 }
486
487 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
488 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
489 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
490
491 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
492 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
493
494 return (0);
495 }
496 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
497
498 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
499 static int ssl_parse_truncated_hmac_ext(mbedtls_ssl_context *ssl,
500 const unsigned char *buf,
501 size_t len) {
502 if (len != 0) {
503 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
504 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
505 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
506 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
507 }
508
509 ((void) buf);
510
511 if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED)
512 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
513
514 return (0);
515 }
516 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
517
518 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
519 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
520 const unsigned char *buf,
521 size_t len) {
522 if (len != 0) {
523 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
524 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
525 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
526 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
527 }
528
529 ((void) buf);
530
531 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
532 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
533 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
534 }
535
536 return (0);
537 }
538 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
539
540 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
541 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
542 const unsigned char *buf,
543 size_t len) {
544 if (len != 0) {
545 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
546 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
547 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
548 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
549 }
550
551 ((void) buf);
552
553 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
554 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
555 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
556 }
557
558 return (0);
559 }
560 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
561
562 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
563 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
564 unsigned char *buf,
565 size_t len) {
566 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
567 mbedtls_ssl_session session;
568
569 mbedtls_ssl_session_init(&session);
570
571 if (ssl->conf->f_ticket_parse == NULL ||
572 ssl->conf->f_ticket_write == NULL) {
573 return (0);
574 }
575
576 /* Remember the client asked us to send a new ticket */
577 ssl->handshake->new_session_ticket = 1;
578
579 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
580
581 if (len == 0)
582 return (0);
583
584 #if defined(MBEDTLS_SSL_RENEGOTIATION)
585 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
586 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
587 return (0);
588 }
589 #endif /* MBEDTLS_SSL_RENEGOTIATION */
590
591 /*
592 * Failures are ok: just ignore the ticket and proceed.
593 */
594 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
595 buf, len)) != 0) {
596 mbedtls_ssl_session_free(&session);
597
598 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC)
599 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
600 else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED)
601 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
602 else
603 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
604
605 return (0);
606 }
607
608 /*
609 * Keep the session ID sent by the client, since we MUST send it back to
610 * inform them we're accepting the ticket (RFC 5077 section 3.4)
611 */
612 session.id_len = ssl->session_negotiate->id_len;
613 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
614
615 mbedtls_ssl_session_free(ssl->session_negotiate);
616 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
617
618 /* Zeroize instead of free as we copied the content */
619 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
620
621 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
622
623 ssl->handshake->resume = 1;
624
625 /* Don't send a new ticket after all, this one is OK */
626 ssl->handshake->new_session_ticket = 0;
627
628 return (0);
629 }
630 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
631
632 #if defined(MBEDTLS_SSL_ALPN)
633 static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
634 const unsigned char *buf, size_t len) {
635 size_t list_len, cur_len, ours_len;
636 const unsigned char *theirs, *start, *end;
637 const char **ours;
638
639 /* If ALPN not configured, just ignore the extension */
640 if (ssl->conf->alpn_list == NULL)
641 return (0);
642
643 /*
644 * opaque ProtocolName<1..2^8-1>;
645 *
646 * struct {
647 * ProtocolName protocol_name_list<2..2^16-1>
648 * } ProtocolNameList;
649 */
650
651 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
652 if (len < 4) {
653 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
654 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
655 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
656 }
657
658 list_len = (buf[0] << 8) | buf[1];
659 if (list_len != len - 2) {
660 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
661 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
662 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
663 }
664
665 /*
666 * Validate peer's list (lengths)
667 */
668 start = buf + 2;
669 end = buf + len;
670 for (theirs = start; theirs != end; theirs += cur_len) {
671 cur_len = *theirs++;
672
673 /* Current identifier must fit in list */
674 if (cur_len > (size_t)(end - theirs)) {
675 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
676 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
677 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
678 }
679
680 /* Empty strings MUST NOT be included */
681 if (cur_len == 0) {
682 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
683 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
684 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
685 }
686 }
687
688 /*
689 * Use our order of preference
690 */
691 for (ours = ssl->conf->alpn_list; *ours != NULL; ours++) {
692 ours_len = strlen(*ours);
693 for (theirs = start; theirs != end; theirs += cur_len) {
694 cur_len = *theirs++;
695
696 if (cur_len == ours_len &&
697 memcmp(theirs, *ours, cur_len) == 0) {
698 ssl->alpn_chosen = *ours;
699 return (0);
700 }
701 }
702 }
703
704 /* If we get there, no match was found */
705 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
706 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL);
707 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
708 }
709 #endif /* MBEDTLS_SSL_ALPN */
710
711 #if defined(MBEDTLS_SSL_DTLS_SRTP)
712 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
713 const unsigned char *buf,
714 size_t len) {
715 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
716 size_t i, j;
717 size_t profile_length;
718 uint16_t mki_length;
719 /*! 2 bytes for profile length and 1 byte for mki len */
720 const size_t size_of_lengths = 3;
721
722 /* If use_srtp is not configured, just ignore the extension */
723 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
724 (ssl->conf->dtls_srtp_profile_list == NULL) ||
725 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
726 return (0);
727 }
728
729 /* RFC5764 section 4.1.1
730 * uint8 SRTPProtectionProfile[2];
731 *
732 * struct {
733 * SRTPProtectionProfiles SRTPProtectionProfiles;
734 * opaque srtp_mki<0..255>;
735 * } UseSRTPData;
736
737 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
738 */
739
740 /*
741 * Min length is 5: at least one protection profile(2 bytes)
742 * and length(2 bytes) + srtp_mki length(1 byte)
743 * Check here that we have at least 2 bytes of protection profiles length
744 * and one of srtp_mki length
745 */
746 if (len < size_of_lengths) {
747 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
748 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
749 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
750 }
751
752 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
753
754 /* first 2 bytes are protection profile length(in bytes) */
755 profile_length = (buf[0] << 8) | buf[1];
756 buf += 2;
757
758 /* The profile length cannot be bigger than input buffer size - lengths fields */
759 if (profile_length > len - size_of_lengths ||
760 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
761 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
762 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
763 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
764 }
765 /*
766 * parse the extension list values are defined in
767 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
768 */
769 for (j = 0; j < profile_length; j += 2) {
770 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
771 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
772
773 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
774 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
775 mbedtls_ssl_get_srtp_profile_as_string(
776 client_protection)));
777 } else {
778 continue;
779 }
780 /* check if suggested profile is in our list */
781 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
782 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
783 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
784 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
785 mbedtls_ssl_get_srtp_profile_as_string(
786 client_protection)));
787 break;
788 }
789 }
790 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET)
791 break;
792 }
793 buf += profile_length; /* buf points to the mki length */
794 mki_length = *buf;
795 buf++;
796
797 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
798 mki_length + profile_length + size_of_lengths != len) {
799 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
800 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
801 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
802 }
803
804 /* Parse the mki only if present and mki is supported locally */
805 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
806 mki_length > 0) {
807 ssl->dtls_srtp_info.mki_len = mki_length;
808
809 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
810
811 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
812 ssl->dtls_srtp_info.mki_len);
813 }
814
815 return (0);
816 }
817 #endif /* MBEDTLS_SSL_DTLS_SRTP */
818
819 /*
820 * Auxiliary functions for ServerHello parsing and related actions
821 */
822
823 #if defined(MBEDTLS_X509_CRT_PARSE_C)
824 /*
825 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
826 */
827 #if defined(MBEDTLS_ECDSA_C)
828 static int ssl_check_key_curve(mbedtls_pk_context *pk,
829 const mbedtls_ecp_curve_info **curves) {
830 const mbedtls_ecp_curve_info **crv = curves;
831 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id;
832
833 while (*crv != NULL) {
834 if ((*crv)->grp_id == grp_id)
835 return (0);
836 crv++;
837 }
838
839 return (-1);
840 }
841 #endif /* MBEDTLS_ECDSA_C */
842
843 /*
844 * Try picking a certificate for this ciphersuite,
845 * return 0 on success and -1 on failure.
846 */
847 static int ssl_pick_cert(mbedtls_ssl_context *ssl,
848 const mbedtls_ssl_ciphersuite_t *ciphersuite_info) {
849 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
850 mbedtls_pk_type_t pk_alg =
851 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
852 uint32_t flags;
853
854 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
855 if (ssl->handshake->sni_key_cert != NULL)
856 list = ssl->handshake->sni_key_cert;
857 else
858 #endif
859 list = ssl->conf->key_cert;
860
861 if (pk_alg == MBEDTLS_PK_NONE)
862 return (0);
863
864 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
865
866 if (list == NULL) {
867 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
868 return (-1);
869 }
870
871 for (cur = list; cur != NULL; cur = cur->next) {
872 flags = 0;
873 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
874 cur->cert);
875
876 if (! mbedtls_pk_can_do(&cur->cert->pk, pk_alg)) {
877 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
878 continue;
879 }
880
881 /*
882 * This avoids sending the client a cert it'll reject based on
883 * keyUsage or other extensions.
884 *
885 * It also allows the user to provision different certificates for
886 * different uses based on keyUsage, eg if they want to avoid signing
887 * and decrypting with the same RSA key.
888 */
889 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
890 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
891 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
892 "(extended) key usage extension"));
893 continue;
894 }
895
896 #if defined(MBEDTLS_ECDSA_C)
897 if (pk_alg == MBEDTLS_PK_ECDSA &&
898 ssl_check_key_curve(&cur->cert->pk, ssl->handshake->curves) != 0) {
899 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
900 continue;
901 }
902 #endif
903
904 /*
905 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
906 * present them a SHA-higher cert rather than failing if it's the only
907 * one we got that satisfies the other conditions.
908 */
909 if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
910 cur->cert->sig_md != MBEDTLS_MD_SHA1) {
911 if (fallback == NULL)
912 fallback = cur;
913 {
914 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate not preferred: "
915 "sha-2 with pre-TLS 1.2 client"));
916 continue;
917 }
918 }
919
920 /* If we get there, we got a winner */
921 break;
922 }
923
924 if (cur == NULL)
925 cur = fallback;
926
927 /* Do not update ssl->handshake->key_cert unless there is a match */
928 if (cur != NULL) {
929 ssl->handshake->key_cert = cur;
930 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
931 ssl->handshake->key_cert->cert);
932 return (0);
933 }
934
935 return (-1);
936 }
937 #endif /* MBEDTLS_X509_CRT_PARSE_C */
938
939 /*
940 * Check if a given ciphersuite is suitable for use with our config/keys/etc
941 * Sets ciphersuite_info only if the suite matches.
942 */
943 static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
944 const mbedtls_ssl_ciphersuite_t **ciphersuite_info) {
945 const mbedtls_ssl_ciphersuite_t *suite_info;
946
947 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
948 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
949 mbedtls_pk_type_t sig_type;
950 #endif
951
952 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
953 if (suite_info == NULL) {
954 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
955 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
956 }
957
958 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
959 (unsigned int) suite_id, suite_info->name));
960
961 if (suite_info->min_minor_ver > ssl->minor_ver ||
962 suite_info->max_minor_ver < ssl->minor_ver) {
963 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
964 return (0);
965 }
966
967 #if defined(MBEDTLS_SSL_PROTO_DTLS)
968 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
969 (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS))
970 return (0);
971 #endif
972
973 #if defined(MBEDTLS_ARC4_C)
974 if (ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
975 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128) {
976 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: rc4"));
977 return (0);
978 }
979 #endif
980
981 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
982 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
983 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
984 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
985 "not configured or ext missing"));
986 return (0);
987 }
988 #endif
989
990
991 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
992 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
993 (ssl->handshake->curves == NULL ||
994 ssl->handshake->curves[0] == NULL)) {
995 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
996 "no common elliptic curve"));
997 return (0);
998 }
999 #endif
1000
1001 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1002 /* If the ciphersuite requires a pre-shared key and we don't
1003 * have one, skip it now rather than failing later */
1004 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
1005 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
1006 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
1007 return (0);
1008 }
1009 #endif
1010
1011 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1012 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1013 /* If the ciphersuite requires signing, check whether
1014 * a suitable hash algorithm is present. */
1015 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
1016 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
1017 if (sig_type != MBEDTLS_PK_NONE &&
1018 mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs, sig_type) == MBEDTLS_MD_NONE) {
1019 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
1020 "for signature algorithm %u", (unsigned) sig_type));
1021 return (0);
1022 }
1023 }
1024
1025 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1026 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1027
1028 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1029 /*
1030 * Final check: if ciphersuite requires us to have a
1031 * certificate/key of a particular type:
1032 * - select the appropriate certificate if we have one, or
1033 * - try the next ciphersuite if we don't
1034 * This must be done last since we modify the key_cert list.
1035 */
1036 if (ssl_pick_cert(ssl, suite_info) != 0) {
1037 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
1038 "no suitable certificate"));
1039 return (0);
1040 }
1041 #endif
1042
1043 *ciphersuite_info = suite_info;
1044 return (0);
1045 }
1046
1047 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1048 static int ssl_parse_client_hello_v2(mbedtls_ssl_context *ssl) {
1049 int ret, got_common_suite;
1050 unsigned int i, j;
1051 size_t n;
1052 unsigned int ciph_len, sess_len, chal_len;
1053 unsigned char *buf, *p;
1054 const int *ciphersuites;
1055 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1056
1057 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello v2"));
1058
1059 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1060 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1061 MBEDTLS_SSL_DEBUG_MSG(1, ("client hello v2 illegal for renegotiation"));
1062 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1063 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1064 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1065 }
1066 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1067
1068 buf = ssl->in_hdr;
1069
1070 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, 5);
1071
1072 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, message type: %d",
1073 buf[2]));
1074 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, message len.: %d",
1075 ((buf[0] & 0x7F) << 8) | buf[1]));
1076 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, max. version: [%d:%d]",
1077 buf[3], buf[4]));
1078
1079 /*
1080 * SSLv2 Client Hello
1081 *
1082 * Record layer:
1083 * 0 . 1 message length
1084 *
1085 * SSL layer:
1086 * 2 . 2 message type
1087 * 3 . 4 protocol version
1088 */
1089 if (buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
1090 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3) {
1091 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1092 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1093 }
1094
1095 n = ((buf[0] << 8) | buf[1]) & 0x7FFF;
1096
1097 if (n < 17 || n > 512) {
1098 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1099 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1100 }
1101
1102 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
1103 ssl->minor_ver = (buf[4] <= ssl->conf->max_minor_ver)
1104 ? buf[4] : ssl->conf->max_minor_ver;
1105
1106 if (ssl->minor_ver < ssl->conf->min_minor_ver) {
1107 MBEDTLS_SSL_DEBUG_MSG(1, ("client only supports ssl smaller than minimum"
1108 " [%d:%d] < [%d:%d]",
1109 ssl->major_ver, ssl->minor_ver,
1110 ssl->conf->min_major_ver, ssl->conf->min_minor_ver));
1111
1112 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1113 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1114 return (MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION);
1115 }
1116
1117 ssl->handshake->max_major_ver = buf[3];
1118 ssl->handshake->max_minor_ver = buf[4];
1119
1120 if ((ret = mbedtls_ssl_fetch_input(ssl, 2 + n)) != 0) {
1121 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1122 return (ret);
1123 }
1124
1125 ssl->handshake->update_checksum(ssl, buf + 2, n);
1126
1127 buf = ssl->in_msg;
1128 n = ssl->in_left - 5;
1129
1130 /*
1131 * 0 . 1 ciphersuitelist length
1132 * 2 . 3 session id length
1133 * 4 . 5 challenge length
1134 * 6 . .. ciphersuitelist
1135 * .. . .. session id
1136 * .. . .. challenge
1137 */
1138 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, n);
1139
1140 ciph_len = (buf[0] << 8) | buf[1];
1141 sess_len = (buf[2] << 8) | buf[3];
1142 chal_len = (buf[4] << 8) | buf[5];
1143
1144 MBEDTLS_SSL_DEBUG_MSG(3, ("ciph_len: %u, sess_len: %u, chal_len: %u",
1145 ciph_len, sess_len, chal_len));
1146
1147 /*
1148 * Make sure each parameter length is valid
1149 */
1150 if (ciph_len < 3 || (ciph_len % 3) != 0) {
1151 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1152 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1153 }
1154
1155 if (sess_len > 32) {
1156 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1157 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1158 }
1159
1160 if (chal_len < 8 || chal_len > 32) {
1161 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1162 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1163 }
1164
1165 if (n != 6 + ciph_len + sess_len + chal_len) {
1166 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1167 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1168 }
1169
1170 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1171 buf + 6, ciph_len);
1172 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
1173 buf + 6 + ciph_len, sess_len);
1174 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, challenge",
1175 buf + 6 + ciph_len + sess_len, chal_len);
1176
1177 p = buf + 6 + ciph_len;
1178 ssl->session_negotiate->id_len = sess_len;
1179 memset(ssl->session_negotiate->id, 0,
1180 sizeof(ssl->session_negotiate->id));
1181 memcpy(ssl->session_negotiate->id, p, ssl->session_negotiate->id_len);
1182
1183 p += sess_len;
1184 memset(ssl->handshake->randbytes, 0, 64);
1185 memcpy(ssl->handshake->randbytes + 32 - chal_len, p, chal_len);
1186
1187 /*
1188 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1189 */
1190 for (i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3) {
1191 if (p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1192 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
1193 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1194 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1195 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1196 "during renegotiation"));
1197
1198 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1199 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1200 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1201 }
1202 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1203 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1204 break;
1205 }
1206 }
1207
1208 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1209 for (i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3) {
1210 if (p[0] == 0 &&
1211 p[1] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8) & 0xff) &&
1212 p[2] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE) & 0xff)) {
1213 MBEDTLS_SSL_DEBUG_MSG(3, ("received FALLBACK_SCSV"));
1214
1215 if (ssl->minor_ver < ssl->conf->max_minor_ver) {
1216 MBEDTLS_SSL_DEBUG_MSG(1, ("inapropriate fallback"));
1217
1218 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1219 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK);
1220
1221 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1222 }
1223
1224 break;
1225 }
1226 }
1227 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1228
1229 got_common_suite = 0;
1230 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1231 ciphersuite_info = NULL;
1232 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1233 for (j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3)
1234 for (i = 0; ciphersuites[i] != 0; i++)
1235 #else
1236 for (i = 0; ciphersuites[i] != 0; i++)
1237 for (j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3)
1238 #endif
1239 {
1240 if (p[0] != 0 ||
1241 p[1] != ((ciphersuites[i] >> 8) & 0xFF) ||
1242 p[2] != ((ciphersuites[i]) & 0xFF))
1243 continue;
1244
1245 got_common_suite = 1;
1246
1247 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1248 &ciphersuite_info)) != 0)
1249 return (ret);
1250
1251 if (ciphersuite_info != NULL)
1252 goto have_ciphersuite_v2;
1253 }
1254
1255 if (got_common_suite) {
1256 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1257 "but none of them usable"));
1258 return (MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE);
1259 } else {
1260 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1261 return (MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN);
1262 }
1263
1264 have_ciphersuite_v2:
1265 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
1266
1267 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1268 ssl->handshake->ciphersuite_info = ciphersuite_info;
1269
1270 /*
1271 * SSLv2 Client Hello relevant renegotiation security checks
1272 */
1273 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1274 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1275 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
1276 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1277 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1278 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1279 }
1280
1281 ssl->in_left = 0;
1282 ssl->state++;
1283
1284 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello v2"));
1285
1286 return (0);
1287 }
1288 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1289
1290 /* This function doesn't alert on errors that happen early during
1291 ClientHello parsing because they might indicate that the client is
1292 not talking SSL/TLS at all and would not understand our alert. */
1293 static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) {
1294 int ret, got_common_suite;
1295 size_t i, j;
1296 size_t ciph_offset, comp_offset, ext_offset;
1297 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
1298 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1299 size_t cookie_offset, cookie_len;
1300 #endif
1301 unsigned char *buf, *p, *ext;
1302 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1303 int renegotiation_info_seen = 0;
1304 #endif
1305 int handshake_failure = 0;
1306 const int *ciphersuites;
1307 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1308 int major, minor;
1309
1310 /* If there is no signature-algorithm extension present,
1311 * we need to fall back to the default values for allowed
1312 * signature-hash pairs. */
1313 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1314 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1315 int sig_hash_alg_ext_present = 0;
1316 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1317 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1318
1319 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
1320
1321 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1322 read_record_header:
1323 #endif
1324 /*
1325 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1326 * otherwise read it ourselves manually in order to support SSLv2
1327 * ClientHello, which doesn't use the same record layer format.
1328 */
1329 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1330 if (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
1331 #endif
1332 {
1333 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
1334 /* No alert on a read error. */
1335 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1336 return (ret);
1337 }
1338 }
1339
1340 buf = ssl->in_hdr;
1341
1342 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1343 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1344 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM)
1345 #endif
1346 if ((buf[0] & 0x80) != 0)
1347 return (ssl_parse_client_hello_v2(ssl));
1348 #endif
1349
1350 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
1351
1352 /*
1353 * SSLv3/TLS Client Hello
1354 *
1355 * Record layer:
1356 * 0 . 0 message type
1357 * 1 . 2 protocol version
1358 * 3 . 11 DTLS: epoch + record sequence number
1359 * 3 . 4 message length
1360 */
1361 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, message type: %d",
1362 buf[0]));
1363
1364 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
1365 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1366 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1367 }
1368
1369 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, message len.: %d",
1370 (ssl->in_len[0] << 8) | ssl->in_len[1]));
1371
1372 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, protocol version: [%d:%d]",
1373 buf[1], buf[2]));
1374
1375 mbedtls_ssl_read_version(&major, &minor, ssl->conf->transport, buf + 1);
1376
1377 /* According to RFC 5246 Appendix E.1, the version here is typically
1378 * "{03,00}, the lowest version number supported by the client, [or] the
1379 * value of ClientHello.client_version", so the only meaningful check here
1380 * is the major version shouldn't be less than 3 */
1381 if (major < MBEDTLS_SSL_MAJOR_VERSION_3) {
1382 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1383 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1384 }
1385
1386 /* For DTLS if this is the initial handshake, remember the client sequence
1387 * number to use it in our next message (RFC 6347 4.2.1) */
1388 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1389 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
1390 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1391 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1392 #endif
1393 ) {
1394 /* Epoch should be 0 for initial handshakes */
1395 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
1396 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1397 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1398 }
1399
1400 memcpy(ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6);
1401
1402 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1403 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
1404 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
1405 ssl->next_record_offset = 0;
1406 ssl->in_left = 0;
1407 goto read_record_header;
1408 }
1409
1410 /* No MAC to check yet, so we can update right now */
1411 mbedtls_ssl_dtls_replay_update(ssl);
1412 #endif
1413 }
1414 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1415
1416 msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
1417
1418 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1419 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1420 /* Set by mbedtls_ssl_read_record() */
1421 msg_len = ssl->in_hslen;
1422 } else
1423 #endif
1424 {
1425 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1426 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1427 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1428 }
1429
1430 if ((ret = mbedtls_ssl_fetch_input(ssl,
1431 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1432 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1433 return (ret);
1434 }
1435
1436 /* Done reading this record, get ready for the next one */
1437 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1438 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
1439 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1440 else
1441 #endif
1442 ssl->in_left = 0;
1443 }
1444
1445 buf = ssl->in_msg;
1446
1447 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
1448
1449 ssl->handshake->update_checksum(ssl, buf, msg_len);
1450
1451 /*
1452 * Handshake layer:
1453 * 0 . 0 handshake type
1454 * 1 . 3 handshake length
1455 * 4 . 5 DTLS only: message seqence number
1456 * 6 . 8 DTLS only: fragment offset
1457 * 9 . 11 DTLS only: fragment length
1458 */
1459 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1460 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1461 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1462 }
1463
1464 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
1465
1466 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1467 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1468 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1469 }
1470
1471 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %d",
1472 (buf[1] << 16) | (buf[2] << 8) | buf[3]));
1473
1474 /* We don't support fragmentation of ClientHello (yet?) */
1475 if (buf[1] != 0 ||
1476 msg_len != mbedtls_ssl_hs_hdr_len(ssl) + ((buf[2] << 8) | buf[3])) {
1477 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1478 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1479 }
1480
1481 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1482 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1483 /*
1484 * Copy the client's handshake message_seq on initial handshakes,
1485 * check sequence number on renego.
1486 */
1487 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1488 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1489 /* This couldn't be done in ssl_prepare_handshake_record() */
1490 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
1491 ssl->in_msg[5];
1492
1493 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1494 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1495 "%u (expected %u)", cli_msg_seq,
1496 ssl->handshake->in_msg_seq));
1497 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1498 }
1499
1500 ssl->handshake->in_msg_seq++;
1501 } else
1502 #endif
1503 {
1504 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
1505 ssl->in_msg[5];
1506 ssl->handshake->out_msg_seq = cli_msg_seq;
1507 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1508 }
1509
1510 /*
1511 * For now we don't support fragmentation, so make sure
1512 * fragment_offset == 0 and fragment_length == length
1513 */
1514 if (ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
1515 memcmp(ssl->in_msg + 1, ssl->in_msg + 9, 3) != 0) {
1516 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1517 return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
1518 }
1519 }
1520 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1521
1522 buf += mbedtls_ssl_hs_hdr_len(ssl);
1523 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
1524
1525 /*
1526 * ClientHello layer:
1527 * 0 . 1 protocol version
1528 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1529 * 34 . 35 session id length (1 byte)
1530 * 35 . 34+x session id
1531 * 35+x . 35+x DTLS only: cookie length (1 byte)
1532 * 36+x . .. DTLS only: cookie
1533 * .. . .. ciphersuite list length (2 bytes)
1534 * .. . .. ciphersuite list
1535 * .. . .. compression alg. list length (1 byte)
1536 * .. . .. compression alg. list
1537 * .. . .. extensions length (2 bytes, optional)
1538 * .. . .. extensions (optional)
1539 */
1540
1541 /*
1542 * Minimal length (with everything empty and extensions omitted) is
1543 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1544 * read at least up to session id length without worrying.
1545 */
1546 if (msg_len < 38) {
1547 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1548 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1549 }
1550
1551 /*
1552 * Check and save the protocol version
1553 */
1554 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
1555
1556 mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver,
1557 ssl->conf->transport, buf);
1558
1559 ssl->handshake->max_major_ver = ssl->major_ver;
1560 ssl->handshake->max_minor_ver = ssl->minor_ver;
1561
1562 if (ssl->major_ver < ssl->conf->min_major_ver ||
1563 ssl->minor_ver < ssl->conf->min_minor_ver) {
1564 MBEDTLS_SSL_DEBUG_MSG(1, ("client only supports ssl smaller than minimum"
1565 " [%d:%d] < [%d:%d]",
1566 ssl->major_ver, ssl->minor_ver,
1567 ssl->conf->min_major_ver, ssl->conf->min_minor_ver));
1568 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1569 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1570 return (MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION);
1571 }
1572
1573 if (ssl->major_ver > ssl->conf->max_major_ver) {
1574 ssl->major_ver = ssl->conf->max_major_ver;
1575 ssl->minor_ver = ssl->conf->max_minor_ver;
1576 } else if (ssl->minor_ver > ssl->conf->max_minor_ver)
1577 ssl->minor_ver = ssl->conf->max_minor_ver;
1578
1579 /*
1580 * Save client random (inc. Unix time)
1581 */
1582 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
1583
1584 memcpy(ssl->handshake->randbytes, buf + 2, 32);
1585
1586 /*
1587 * Check the session ID length and save session ID
1588 */
1589 sess_len = buf[34];
1590
1591 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1592 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1593 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1594 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1595 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1596 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1597 }
1598
1599 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
1600
1601 ssl->session_negotiate->id_len = sess_len;
1602 memset(ssl->session_negotiate->id, 0,
1603 sizeof(ssl->session_negotiate->id));
1604 memcpy(ssl->session_negotiate->id, buf + 35,
1605 ssl->session_negotiate->id_len);
1606
1607 /*
1608 * Check the cookie length and content
1609 */
1610 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1611 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1612 cookie_offset = 35 + sess_len;
1613 cookie_len = buf[cookie_offset];
1614
1615 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1616 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1617 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1618 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1619 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1620 }
1621
1622 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1623 buf + cookie_offset + 1, cookie_len);
1624
1625 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1626 if (ssl->conf->f_cookie_check != NULL
1627 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1628 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1629 #endif
1630 ) {
1631 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1632 buf + cookie_offset + 1, cookie_len,
1633 ssl->cli_id, ssl->cli_id_len) != 0) {
1634 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
1635 ssl->handshake->verify_cookie_len = 1;
1636 } else {
1637 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
1638 ssl->handshake->verify_cookie_len = 0;
1639 }
1640 } else
1641 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1642 {
1643 /* We know we didn't send a cookie, so it should be empty */
1644 if (cookie_len != 0) {
1645 /* This may be an attacker's probe, so don't send an alert */
1646 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1647 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1648 }
1649
1650 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
1651 }
1652
1653 /*
1654 * Check the ciphersuitelist length (will be parsed later)
1655 */
1656 ciph_offset = cookie_offset + 1 + cookie_len;
1657 } else
1658 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1659 ciph_offset = 35 + sess_len;
1660
1661 ciph_len = (buf[ciph_offset + 0] << 8)
1662 | (buf[ciph_offset + 1]);
1663
1664 if (ciph_len < 2 ||
1665 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1666 (ciph_len % 2) != 0) {
1667 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1668 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1669 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1670 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1671 }
1672
1673 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1674 buf + ciph_offset + 2, ciph_len);
1675
1676 /*
1677 * Check the compression algorithms length and pick one
1678 */
1679 comp_offset = ciph_offset + 2 + ciph_len;
1680
1681 comp_len = buf[comp_offset];
1682
1683 if (comp_len < 1 ||
1684 comp_len > 16 ||
1685 comp_len + comp_offset + 1 > msg_len) {
1686 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1687 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1688 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1689 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1690 }
1691
1692 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1693 buf + comp_offset + 1, comp_len);
1694
1695 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1696 #if defined(MBEDTLS_ZLIB_SUPPORT)
1697 for (i = 0; i < comp_len; ++i) {
1698 if (buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE) {
1699 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
1700 break;
1701 }
1702 }
1703 #endif
1704
1705 /* See comments in ssl_write_client_hello() */
1706 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1707 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
1708 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1709 #endif
1710
1711 /* Do not parse the extensions if the protocol is SSLv3 */
1712 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1713 if ((ssl->major_ver != 3) || (ssl->minor_ver != 0)) {
1714 #endif
1715 /*
1716 * Check the extension length
1717 */
1718 ext_offset = comp_offset + 1 + comp_len;
1719 if (msg_len > ext_offset) {
1720 if (msg_len < ext_offset + 2) {
1721 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1722 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1723 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1724 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1725 }
1726
1727 ext_len = (buf[ext_offset + 0] << 8)
1728 | (buf[ext_offset + 1]);
1729
1730 if ((ext_len > 0 && ext_len < 4) ||
1731 msg_len != ext_offset + 2 + ext_len) {
1732 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1733 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1734 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1735 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1736 }
1737 } else
1738 ext_len = 0;
1739
1740 ext = buf + ext_offset + 2;
1741 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1742
1743 while (ext_len != 0) {
1744 unsigned int ext_id;
1745 unsigned int ext_size;
1746 if (ext_len < 4) {
1747 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1748 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1749 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1750 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1751 }
1752 ext_id = ((ext[0] << 8) | (ext[1]));
1753 ext_size = ((ext[2] << 8) | (ext[3]));
1754
1755 if (ext_size + 4 > ext_len) {
1756 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1757 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1758 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1759 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1760 }
1761 switch (ext_id) {
1762 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1763 case MBEDTLS_TLS_EXT_SERVERNAME:
1764 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1765 if (ssl->conf->f_sni == NULL)
1766 break;
1767
1768 ret = ssl_parse_servername_ext(ssl, ext + 4, ext_size);
1769 if (ret != 0)
1770 return (ret);
1771 break;
1772 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1773
1774 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1775 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
1776 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1777 renegotiation_info_seen = 1;
1778 #endif
1779
1780 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1781 if (ret != 0)
1782 return (ret);
1783 break;
1784
1785 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1786 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1787 case MBEDTLS_TLS_EXT_SIG_ALG:
1788 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1789
1790 ret = ssl_parse_signature_algorithms_ext(ssl, ext + 4, ext_size);
1791 if (ret != 0)
1792 return (ret);
1793
1794 sig_hash_alg_ext_present = 1;
1795 break;
1796 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1797 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1798
1799 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1800 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1801 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1802 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
1803
1804 ret = ssl_parse_supported_elliptic_curves(ssl, ext + 4, ext_size);
1805 if (ret != 0)
1806 return (ret);
1807 break;
1808
1809 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1810 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
1811 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1812
1813 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1814 if (ret != 0)
1815 return (ret);
1816 break;
1817 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1818 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1819
1820 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1821 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1822 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
1823
1824 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1825 if (ret != 0)
1826 return (ret);
1827 break;
1828 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1829
1830 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1831 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1832 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
1833
1834 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1835 if (ret != 0)
1836 return (ret);
1837 break;
1838 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1839
1840 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1841 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1842 MBEDTLS_SSL_DEBUG_MSG(3, ("found truncated hmac extension"));
1843
1844 ret = ssl_parse_truncated_hmac_ext(ssl, ext + 4, ext_size);
1845 if (ret != 0)
1846 return (ret);
1847 break;
1848 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1849
1850 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1851 case MBEDTLS_TLS_EXT_CID:
1852 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
1853
1854 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1855 if (ret != 0)
1856 return (ret);
1857 break;
1858 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1859
1860 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1861 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1862 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
1863
1864 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1865 if (ret != 0)
1866 return (ret);
1867 break;
1868 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1869
1870 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1871 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1872 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
1873
1874 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1875 if (ret != 0)
1876 return (ret);
1877 break;
1878 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1879
1880 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1881 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1882 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
1883
1884 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1885 if (ret != 0)
1886 return (ret);
1887 break;
1888 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1889
1890 #if defined(MBEDTLS_SSL_ALPN)
1891 case MBEDTLS_TLS_EXT_ALPN:
1892 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
1893
1894 ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size);
1895 if (ret != 0)
1896 return (ret);
1897 break;
1898 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1899
1900 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1901 case MBEDTLS_TLS_EXT_USE_SRTP:
1902 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
1903
1904 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
1905 if (ret != 0)
1906 return (ret);
1907 break;
1908 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1909
1910 default:
1911 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
1912 ext_id));
1913 }
1914
1915 ext_len -= 4 + ext_size;
1916 ext += 4 + ext_size;
1917
1918 if (ext_len > 0 && ext_len < 4) {
1919 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1920 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1921 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1922 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1923 }
1924 }
1925 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1926 }
1927 #endif
1928
1929 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1930 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1931 if (p[0] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8) & 0xff) &&
1932 p[1] == (unsigned char)((MBEDTLS_SSL_FALLBACK_SCSV_VALUE) & 0xff)) {
1933 MBEDTLS_SSL_DEBUG_MSG(2, ("received FALLBACK_SCSV"));
1934
1935 if (ssl->minor_ver < ssl->conf->max_minor_ver) {
1936 MBEDTLS_SSL_DEBUG_MSG(1, ("inapropriate fallback"));
1937
1938 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1939 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK);
1940
1941 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1942 }
1943
1944 break;
1945 }
1946 }
1947 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1948
1949 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1950 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1951
1952 /*
1953 * Try to fall back to default hash SHA1 if the client
1954 * hasn't provided any preferred signature-hash combinations.
1955 */
1956 if (sig_hash_alg_ext_present == 0) {
1957 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
1958
1959 if (mbedtls_ssl_check_sig_hash(ssl, md_default) != 0)
1960 md_default = MBEDTLS_MD_NONE;
1961
1962 mbedtls_ssl_sig_hash_set_const_hash(&ssl->handshake->hash_algs, md_default);
1963 }
1964
1965 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1966 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1967
1968 /*
1969 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1970 */
1971 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
1972 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1973 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
1974 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1975 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1976 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1977 "during renegotiation"));
1978 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1979 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1980 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
1981 }
1982 #endif
1983 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1984 break;
1985 }
1986 }
1987
1988 /*
1989 * Renegotiation security checks
1990 */
1991 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1992 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1993 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
1994 handshake_failure = 1;
1995 }
1996 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1997 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1998 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1999 renegotiation_info_seen == 0) {
2000 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
2001 handshake_failure = 1;
2002 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2003 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2004 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
2005 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
2006 handshake_failure = 1;
2007 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2008 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2009 renegotiation_info_seen == 1) {
2010 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
2011 handshake_failure = 1;
2012 }
2013 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2014
2015 if (handshake_failure == 1) {
2016 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2017 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2018 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO);
2019 }
2020
2021 /*
2022 * Search for a matching ciphersuite
2023 * (At the end because we need information from the EC-based extensions
2024 * and certificate from the SNI callback triggered by the SNI extension.)
2025 */
2026 got_common_suite = 0;
2027 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
2028 ciphersuite_info = NULL;
2029 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
2030 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2)
2031 for (i = 0; ciphersuites[i] != 0; i++)
2032 #else
2033 for (i = 0; ciphersuites[i] != 0; i++)
2034 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2)
2035 #endif
2036 {
2037 if (p[0] != ((ciphersuites[i] >> 8) & 0xFF) ||
2038 p[1] != ((ciphersuites[i]) & 0xFF))
2039 continue;
2040
2041 got_common_suite = 1;
2042
2043 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
2044 &ciphersuite_info)) != 0)
2045 return (ret);
2046
2047 if (ciphersuite_info != NULL)
2048 goto have_ciphersuite;
2049 }
2050
2051 if (got_common_suite) {
2052 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
2053 "but none of them usable"));
2054 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2055 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2056 return (MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE);
2057 } else {
2058 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
2059 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2060 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2061 return (MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN);
2062 }
2063
2064 have_ciphersuite:
2065 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
2066
2067 ssl->session_negotiate->ciphersuite = ciphersuites[i];
2068 ssl->handshake->ciphersuite_info = ciphersuite_info;
2069
2070 ssl->state++;
2071
2072 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2073 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
2074 mbedtls_ssl_recv_flight_completed(ssl);
2075 #endif
2076
2077 /* Debugging-only output for testsuite */
2078 #if defined(MBEDTLS_DEBUG_C) && \
2079 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2080 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2081 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
2082 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
2083 if (sig_alg != MBEDTLS_PK_NONE) {
2084 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs,
2085 sig_alg);
2086 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %d",
2087 mbedtls_ssl_hash_from_md_alg(md_alg)));
2088 } else {
2089 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
2090 "%u - should not happen", (unsigned) sig_alg));
2091 }
2092 }
2093 #endif
2094
2095 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
2096
2097 return (0);
2098 }
2099
2100 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2101 static void ssl_write_truncated_hmac_ext(mbedtls_ssl_context *ssl,
2102 unsigned char *buf,
2103 size_t *olen) {
2104 unsigned char *p = buf;
2105
2106 if (ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED) {
2107 *olen = 0;
2108 return;
2109 }
2110
2111 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding truncated hmac extension"));
2112
2113 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8) & 0xFF);
2114 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_TRUNCATED_HMAC) & 0xFF);
2115
2116 *p++ = 0x00;
2117 *p++ = 0x00;
2118
2119 *olen = 4;
2120 }
2121 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2122
2123 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2124 static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
2125 unsigned char *buf,
2126 size_t *olen) {
2127 unsigned char *p = buf;
2128 size_t ext_len;
2129 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2130
2131 *olen = 0;
2132
2133 /* Skip writing the extension if we don't want to use it or if
2134 * the client hasn't offered it. */
2135 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED)
2136 return;
2137
2138 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
2139 * which is at most 255, so the increment cannot overflow. */
2140 if (end < p || (size_t)(end - p) < (unsigned)(ssl->own_cid_len + 5)) {
2141 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2142 return;
2143 }
2144
2145 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
2146
2147 /*
2148 * Quoting draft-ietf-tls-dtls-connection-id-05
2149 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
2150 *
2151 * struct {
2152 * opaque cid<0..2^8-1>;
2153 * } ConnectionId;
2154 */
2155
2156 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID >> 8) & 0xFF);
2157 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_CID) & 0xFF);
2158 ext_len = (size_t) ssl->own_cid_len + 1;
2159 *p++ = (unsigned char)((ext_len >> 8) & 0xFF);
2160 *p++ = (unsigned char)((ext_len) & 0xFF);
2161
2162 *p++ = (uint8_t) ssl->own_cid_len;
2163 memcpy(p, ssl->own_cid, ssl->own_cid_len);
2164
2165 *olen = ssl->own_cid_len + 5;
2166 }
2167 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2168
2169 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2170 static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
2171 unsigned char *buf,
2172 size_t *olen) {
2173 unsigned char *p = buf;
2174 const mbedtls_ssl_ciphersuite_t *suite = NULL;
2175 const mbedtls_cipher_info_t *cipher = NULL;
2176
2177 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
2178 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
2179 *olen = 0;
2180 return;
2181 }
2182
2183 /*
2184 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
2185 * from a client and then selects a stream or Authenticated Encryption
2186 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
2187 * encrypt-then-MAC response extension back to the client."
2188 */
2189 if ((suite = mbedtls_ssl_ciphersuite_from_id(
2190 ssl->session_negotiate->ciphersuite)) == NULL ||
2191 (cipher = mbedtls_cipher_info_from_type(suite->cipher)) == NULL ||
2192 cipher->mode != MBEDTLS_MODE_CBC) {
2193 *olen = 0;
2194 return;
2195 }
2196
2197 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
2198
2199 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8) & 0xFF);
2200 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC) & 0xFF);
2201
2202 *p++ = 0x00;
2203 *p++ = 0x00;
2204
2205 *olen = 4;
2206 }
2207 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2208
2209 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2210 static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
2211 unsigned char *buf,
2212 size_t *olen) {
2213 unsigned char *p = buf;
2214
2215 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
2216 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
2217 *olen = 0;
2218 return;
2219 }
2220
2221 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
2222 "extension"));
2223
2224 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8) & 0xFF);
2225 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET) & 0xFF);
2226
2227 *p++ = 0x00;
2228 *p++ = 0x00;
2229
2230 *olen = 4;
2231 }
2232 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2233
2234 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2235 static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
2236 unsigned char *buf,
2237 size_t *olen) {
2238 unsigned char *p = buf;
2239
2240 if (ssl->handshake->new_session_ticket == 0) {
2241 *olen = 0;
2242 return;
2243 }
2244
2245 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
2246
2247 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SESSION_TICKET >> 8) & 0xFF);
2248 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SESSION_TICKET) & 0xFF);
2249
2250 *p++ = 0x00;
2251 *p++ = 0x00;
2252
2253 *olen = 4;
2254 }
2255 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2256
2257 static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
2258 unsigned char *buf,
2259 size_t *olen) {
2260 unsigned char *p = buf;
2261
2262 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
2263 *olen = 0;
2264 return;
2265 }
2266
2267 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
2268
2269 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8) & 0xFF);
2270 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_RENEGOTIATION_INFO) & 0xFF);
2271
2272 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2273 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
2274 *p++ = 0x00;
2275 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
2276 *p++ = ssl->verify_data_len * 2 & 0xFF;
2277
2278 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
2279 p += ssl->verify_data_len;
2280 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
2281 p += ssl->verify_data_len;
2282 } else
2283 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2284 {
2285 *p++ = 0x00;
2286 *p++ = 0x01;
2287 *p++ = 0x00;
2288 }
2289
2290 *olen = p - buf;
2291 }
2292
2293 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2294 static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
2295 unsigned char *buf,
2296 size_t *olen) {
2297 unsigned char *p = buf;
2298
2299 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
2300 *olen = 0;
2301 return;
2302 }
2303
2304 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
2305
2306 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8) & 0xFF);
2307 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH) & 0xFF);
2308
2309 *p++ = 0x00;
2310 *p++ = 1;
2311
2312 *p++ = ssl->session_negotiate->mfl_code;
2313
2314 *olen = 5;
2315 }
2316 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2317
2318 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2319 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2320 static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
2321 unsigned char *buf,
2322 size_t *olen) {
2323 unsigned char *p = buf;
2324 ((void) ssl);
2325
2326 if ((ssl->handshake->cli_exts &
2327 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
2328 *olen = 0;
2329 return;
2330 }
2331
2332 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
2333
2334 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8) & 0xFF);
2335 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS) & 0xFF);
2336
2337 *p++ = 0x00;
2338 *p++ = 2;
2339
2340 *p++ = 1;
2341 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
2342
2343 *olen = 6;
2344 }
2345 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2346
2347 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2348 static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
2349 unsigned char *buf,
2350 size_t *olen) {
2351 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2352 unsigned char *p = buf;
2353 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2354 size_t kkpp_len;
2355
2356 *olen = 0;
2357
2358 /* Skip costly computation if not needed */
2359 if (ssl->handshake->ciphersuite_info->key_exchange !=
2360 MBEDTLS_KEY_EXCHANGE_ECJPAKE)
2361 return;
2362
2363 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
2364
2365 if (end - p < 4) {
2366 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2367 return;
2368 }
2369
2370 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8) & 0xFF);
2371 *p++ = (unsigned char)((MBEDTLS_TLS_EXT_ECJPAKE_KKPP) & 0xFF);
2372
2373 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
2374 p + 2, end - p - 2, &kkpp_len,
2375 ssl->conf->f_rng, ssl->conf->p_rng);
2376 if (ret != 0) {
2377 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
2378 return;
2379 }
2380
2381 *p++ = (unsigned char)((kkpp_len >> 8) & 0xFF);
2382 *p++ = (unsigned char)((kkpp_len) & 0xFF);
2383
2384 *olen = kkpp_len + 4;
2385 }
2386 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2387
2388 #if defined(MBEDTLS_SSL_ALPN )
2389 static void ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
2390 unsigned char *buf, size_t *olen) {
2391 if (ssl->alpn_chosen == NULL) {
2392 *olen = 0;
2393 return;
2394 }
2395
2396 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding alpn extension"));
2397
2398 /*
2399 * 0 . 1 ext identifier
2400 * 2 . 3 ext length
2401 * 4 . 5 protocol list length
2402 * 6 . 6 protocol name length
2403 * 7 . 7+n protocol name
2404 */
2405 buf[0] = (unsigned char)((MBEDTLS_TLS_EXT_ALPN >> 8) & 0xFF);
2406 buf[1] = (unsigned char)((MBEDTLS_TLS_EXT_ALPN) & 0xFF);
2407
2408 *olen = 7 + strlen(ssl->alpn_chosen);
2409
2410 buf[2] = (unsigned char)(((*olen - 4) >> 8) & 0xFF);
2411 buf[3] = (unsigned char)(((*olen - 4)) & 0xFF);
2412
2413 buf[4] = (unsigned char)(((*olen - 6) >> 8) & 0xFF);
2414 buf[5] = (unsigned char)(((*olen - 6)) & 0xFF);
2415
2416 buf[6] = (unsigned char)(((*olen - 7)) & 0xFF);
2417
2418 memcpy(buf + 7, ssl->alpn_chosen, *olen - 7);
2419 }
2420 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2421
2422 #if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS)
2423 static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
2424 unsigned char *buf,
2425 size_t *olen) {
2426 size_t mki_len = 0, ext_len = 0;
2427 uint16_t profile_value = 0;
2428 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2429
2430 *olen = 0;
2431
2432 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
2433 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
2434 return;
2435 }
2436
2437 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
2438
2439 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
2440 mki_len = ssl->dtls_srtp_info.mki_len;
2441 }
2442
2443 /* The extension total size is 9 bytes :
2444 * - 2 bytes for the extension tag
2445 * - 2 bytes for the total size
2446 * - 2 bytes for the protection profile length
2447 * - 2 bytes for the protection profile
2448 * - 1 byte for the mki length
2449 * + the actual mki length
2450 * Check we have enough room in the output buffer */
2451 if ((size_t)(end - buf) < mki_len + 9) {
2452 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2453 return;
2454 }
2455
2456 /* extension */
2457 buf[0] = (unsigned char)((MBEDTLS_TLS_EXT_USE_SRTP >> 8) & 0xFF);
2458 buf[1] = (unsigned char)((MBEDTLS_TLS_EXT_USE_SRTP) & 0xFF);
2459 /*
2460 * total length 5 and mki value: only one profile(2 bytes)
2461 * and length(2 bytes) and srtp_mki )
2462 */
2463 ext_len = 5 + mki_len;
2464 buf[2] = (unsigned char)((ext_len >> 8) & 0xFF);
2465 buf[3] = (unsigned char)(ext_len & 0xFF);
2466
2467 /* protection profile length: 2 */
2468 buf[4] = 0x00;
2469 buf[5] = 0x02;
2470 profile_value = mbedtls_ssl_check_srtp_profile_value(
2471 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2472 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2473 buf[6] = (unsigned char)((profile_value >> 8) & 0xFF);
2474 buf[7] = (unsigned char)(profile_value & 0xFF);
2475 } else {
2476 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
2477 return;
2478 }
2479
2480 buf[8] = mki_len & 0xFF;
2481 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
2482
2483 *olen = 9 + mki_len;
2484 }
2485 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2486
2487 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2488 static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) {
2489 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2490 unsigned char *p = ssl->out_msg + 4;
2491 unsigned char *cookie_len_byte;
2492
2493 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
2494
2495 /*
2496 * struct {
2497 * ProtocolVersion server_version;
2498 * opaque cookie<0..2^8-1>;
2499 * } HelloVerifyRequest;
2500 */
2501
2502 /* The RFC is not clear on this point, but sending the actual negotiated
2503 * version looks like the most interoperable thing to do. */
2504 mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
2505 ssl->conf->transport, p);
2506 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
2507 p += 2;
2508
2509 /* If we get here, f_cookie_check is not null */
2510 if (ssl->conf->f_cookie_write == NULL) {
2511 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2512 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
2513 }
2514
2515 /* Skip length byte until we know the length */
2516 cookie_len_byte = p++;
2517
2518 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2519 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2520 ssl->cli_id, ssl->cli_id_len)) != 0) {
2521 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2522 return (ret);
2523 }
2524
2525 *cookie_len_byte = (unsigned char)(p - (cookie_len_byte + 1));
2526
2527 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
2528
2529 ssl->out_msglen = p - ssl->out_msg;
2530 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2531 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2532
2533 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2534
2535 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2536 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2537 return (ret);
2538 }
2539
2540 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2541 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2542 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2543 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2544 return (ret);
2545 }
2546 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2547
2548 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
2549
2550 return (0);
2551 }
2552 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2553
2554 static int ssl_write_server_hello(mbedtls_ssl_context *ssl) {
2555 #if defined(MBEDTLS_HAVE_TIME)
2556 mbedtls_time_t t;
2557 #endif
2558 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2559 size_t olen, ext_len = 0, n;
2560 unsigned char *buf, *p;
2561
2562 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2563
2564 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2565 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2566 ssl->handshake->verify_cookie_len != 0) {
2567 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2568 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2569
2570 return (ssl_write_hello_verify_request(ssl));
2571 }
2572 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2573
2574 if (ssl->conf->f_rng == NULL) {
2575 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2576 return (MBEDTLS_ERR_SSL_NO_RNG);
2577 }
2578
2579 /*
2580 * 0 . 0 handshake type
2581 * 1 . 3 handshake length
2582 * 4 . 5 protocol version
2583 * 6 . 9 UNIX time()
2584 * 10 . 37 random bytes
2585 */
2586 buf = ssl->out_msg;
2587 p = buf + 4;
2588
2589 mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
2590 ssl->conf->transport, p);
2591 p += 2;
2592
2593 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2594 buf[4], buf[5]));
2595
2596 #if defined(MBEDTLS_HAVE_TIME)
2597 t = mbedtls_time(NULL);
2598 *p++ = (unsigned char)(t >> 24);
2599 *p++ = (unsigned char)(t >> 16);
2600 *p++ = (unsigned char)(t >> 8);
2601 *p++ = (unsigned char)(t);
2602
2603 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2604 (long long) t));
2605 #else
2606 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0)
2607 return (ret);
2608
2609 p += 4;
2610 #endif /* MBEDTLS_HAVE_TIME */
2611
2612 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0)
2613 return (ret);
2614
2615 p += 28;
2616
2617 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
2618
2619 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
2620
2621 /*
2622 * Resume is 0 by default, see ssl_handshake_init().
2623 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2624 * If not, try looking up session ID in our cache.
2625 */
2626 if (ssl->handshake->resume == 0 &&
2627 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2628 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
2629 #endif
2630 ssl->session_negotiate->id_len != 0 &&
2631 ssl->conf->f_get_cache != NULL &&
2632 ssl->conf->f_get_cache(ssl->conf->p_cache, ssl->session_negotiate) == 0) {
2633 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
2634 ssl->handshake->resume = 1;
2635 }
2636
2637 if (ssl->handshake->resume == 0) {
2638 /*
2639 * New session, create a new session id,
2640 * unless we're about to issue a session ticket
2641 */
2642 ssl->state++;
2643
2644 #if defined(MBEDTLS_HAVE_TIME)
2645 ssl->session_negotiate->start = mbedtls_time(NULL);
2646 #endif
2647
2648 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2649 if (ssl->handshake->new_session_ticket != 0) {
2650 ssl->session_negotiate->id_len = n = 0;
2651 memset(ssl->session_negotiate->id, 0, 32);
2652 } else
2653 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2654 {
2655 ssl->session_negotiate->id_len = n = 32;
2656 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2657 n)) != 0)
2658 return (ret);
2659 }
2660 } else {
2661 /*
2662 * Resuming a session
2663 */
2664 n = ssl->session_negotiate->id_len;
2665 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2666
2667 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2668 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2669 return (ret);
2670 }
2671 }
2672
2673 /*
2674 * 38 . 38 session id length
2675 * 39 . 38+n session id
2676 * 39+n . 40+n chosen ciphersuite
2677 * 41+n . 41+n chosen compression alg.
2678 * 42+n . 43+n extensions length
2679 * 44+n . 43+n+m extensions
2680 */
2681 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2682 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
2683 p += ssl->session_negotiate->id_len;
2684
2685 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2686 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2687 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2688 ssl->handshake->resume ? "a" : "no"));
2689
2690 *p++ = (unsigned char)(ssl->session_negotiate->ciphersuite >> 8);
2691 *p++ = (unsigned char)(ssl->session_negotiate->ciphersuite);
2692 *p++ = (unsigned char)(ssl->session_negotiate->compression);
2693
2694 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2695 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2696 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2697 (unsigned int) ssl->session_negotiate->compression));
2698
2699 /* Do not write the extensions if the protocol is SSLv3 */
2700 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2701 if ((ssl->major_ver != 3) || (ssl->minor_ver != 0)) {
2702 #endif
2703
2704 /*
2705 * First write extensions, then the total length
2706 */
2707 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
2708 ext_len += olen;
2709
2710 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2711 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
2712 ext_len += olen;
2713 #endif
2714
2715 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2716 ssl_write_truncated_hmac_ext(ssl, p + 2 + ext_len, &olen);
2717 ext_len += olen;
2718 #endif
2719
2720 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2721 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
2722 ext_len += olen;
2723 #endif
2724
2725 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2726 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
2727 ext_len += olen;
2728 #endif
2729
2730 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2731 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
2732 ext_len += olen;
2733 #endif
2734
2735 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2736 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
2737 ext_len += olen;
2738 #endif
2739
2740 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2741 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2742 if (mbedtls_ssl_ciphersuite_uses_ec(
2743 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite))) {
2744 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
2745 ext_len += olen;
2746 }
2747 #endif
2748
2749 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2750 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
2751 ext_len += olen;
2752 #endif
2753
2754 #if defined(MBEDTLS_SSL_ALPN)
2755 ssl_write_alpn_ext(ssl, p + 2 + ext_len, &olen);
2756 ext_len += olen;
2757 #endif
2758
2759 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2760 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
2761 ext_len += olen;
2762 #endif
2763
2764 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2765 ext_len));
2766
2767 if (ext_len > 0) {
2768 *p++ = (unsigned char)((ext_len >> 8) & 0xFF);
2769 *p++ = (unsigned char)((ext_len) & 0xFF);
2770 p += ext_len;
2771 }
2772
2773 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2774 }
2775 #endif
2776
2777 ssl->out_msglen = p - buf;
2778 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2779 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2780
2781 ret = mbedtls_ssl_write_handshake_msg(ssl);
2782
2783 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2784
2785 return (ret);
2786 }
2787
2788 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2789 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) {
2790 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2791 ssl->handshake->ciphersuite_info;
2792
2793 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2794
2795 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2796 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2797 ssl->state++;
2798 return (0);
2799 }
2800
2801 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2802 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
2803 }
2804 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2805 static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) {
2806 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2807 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2808 ssl->handshake->ciphersuite_info;
2809 uint16_t dn_size, total_dn_size; /* excluding length bytes */
2810 size_t ct_len, sa_len; /* including length bytes */
2811 unsigned char *buf, *p;
2812 const unsigned char *const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2813 const mbedtls_x509_crt *crt;
2814 int authmode;
2815
2816 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2817
2818 ssl->state++;
2819
2820 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2821 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET)
2822 authmode = ssl->handshake->sni_authmode;
2823 else
2824 #endif
2825 authmode = ssl->conf->authmode;
2826
2827 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
2828 authmode == MBEDTLS_SSL_VERIFY_NONE) {
2829 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2830 return (0);
2831 }
2832
2833 /*
2834 * 0 . 0 handshake type
2835 * 1 . 3 handshake length
2836 * 4 . 4 cert type count
2837 * 5 .. m-1 cert types
2838 * m .. m+1 sig alg length (TLS 1.2 only)
2839 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2840 * n .. n+1 length of all DNs
2841 * n+2 .. n+3 length of DN 1
2842 * n+4 .. ... Distinguished Name #1
2843 * ... .. ... length of DN 2, etc.
2844 */
2845 buf = ssl->out_msg;
2846 p = buf + 4;
2847
2848 /*
2849 * Supported certificate types
2850 *
2851 * ClientCertificateType certificate_types<1..2^8-1>;
2852 * enum { (255) } ClientCertificateType;
2853 */
2854 ct_len = 0;
2855
2856 #if defined(MBEDTLS_RSA_C)
2857 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2858 #endif
2859 #if defined(MBEDTLS_ECDSA_C)
2860 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2861 #endif
2862
2863 p[0] = (unsigned char) ct_len++;
2864 p += ct_len;
2865
2866 sa_len = 0;
2867 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2868 /*
2869 * Add signature_algorithms for verify (TLS 1.2)
2870 *
2871 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2872 *
2873 * struct {
2874 * HashAlgorithm hash;
2875 * SignatureAlgorithm signature;
2876 * } SignatureAndHashAlgorithm;
2877 *
2878 * enum { (255) } HashAlgorithm;
2879 * enum { (255) } SignatureAlgorithm;
2880 */
2881 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
2882 const int *cur;
2883
2884 /*
2885 * Supported signature algorithms
2886 */
2887 for (cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++) {
2888 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*cur);
2889
2890 if (MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md(ssl, hash))
2891 continue;
2892
2893 #if defined(MBEDTLS_RSA_C)
2894 p[2 + sa_len++] = hash;
2895 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
2896 #endif
2897 #if defined(MBEDTLS_ECDSA_C)
2898 p[2 + sa_len++] = hash;
2899 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
2900 #endif
2901 }
2902
2903 p[0] = (unsigned char)(sa_len >> 8);
2904 p[1] = (unsigned char)(sa_len);
2905 sa_len += 2;
2906 p += sa_len;
2907 }
2908 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2909
2910 /*
2911 * DistinguishedName certificate_authorities<0..2^16-1>;
2912 * opaque DistinguishedName<1..2^16-1>;
2913 */
2914 p += 2;
2915
2916 total_dn_size = 0;
2917
2918 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
2919 /* NOTE: If trusted certificates are provisioned
2920 * via a CA callback (configured through
2921 * `mbedtls_ssl_conf_ca_cb()`, then the
2922 * CertificateRequest is currently left empty. */
2923
2924 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2925 if (ssl->handshake->sni_ca_chain != NULL)
2926 crt = ssl->handshake->sni_ca_chain;
2927 else
2928 #endif
2929 crt = ssl->conf->ca_chain;
2930
2931 while (crt != NULL && crt->version != 0) {
2932 /* It follows from RFC 5280 A.1 that this length
2933 * can be represented in at most 11 bits. */
2934 dn_size = (uint16_t) crt->subject_raw.len;
2935
2936 if (end < p || (size_t)(end - p) < 2 + (size_t) dn_size) {
2937 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
2938 break;
2939 }
2940
2941 *p++ = (unsigned char)(dn_size >> 8);
2942 *p++ = (unsigned char)(dn_size);
2943 memcpy(p, crt->subject_raw.p, dn_size);
2944 p += dn_size;
2945
2946 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
2947
2948 total_dn_size += 2 + dn_size;
2949 crt = crt->next;
2950 }
2951 }
2952
2953 ssl->out_msglen = p - buf;
2954 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2955 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2956 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)(total_dn_size >> 8);
2957 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)(total_dn_size);
2958
2959 ret = mbedtls_ssl_write_handshake_msg(ssl);
2960
2961 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
2962
2963 return (ret);
2964 }
2965 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2966
2967 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2968 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2969 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) {
2970 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2971
2972 if (! mbedtls_pk_can_do(mbedtls_ssl_own_key(ssl), MBEDTLS_PK_ECKEY)) {
2973 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2974 return (MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH);
2975 }
2976
2977 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
2978 mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)),
2979 MBEDTLS_ECDH_OURS)) != 0) {
2980 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2981 return (ret);
2982 }
2983
2984 return (0);
2985 }
2986 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2987 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2988
2989 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
2990 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
2991 static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
2992 size_t *signature_len) {
2993 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2994 * signature length which will be added in ssl_write_server_key_exchange
2995 * after the call to ssl_prepare_server_key_exchange.
2996 * ssl_write_server_key_exchange also takes care of incrementing
2997 * ssl->out_msglen. */
2998 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
2999 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
3000 - sig_start);
3001 int ret = ssl->conf->f_async_resume(ssl,
3002 sig_start, signature_len, sig_max_len);
3003 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3004 ssl->handshake->async_in_progress = 0;
3005 mbedtls_ssl_set_async_operation_data(ssl, NULL);
3006 }
3007 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
3008 return (ret);
3009 }
3010 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3011 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3012
3013 /* Prepare the ServerKeyExchange message, up to and including
3014 * calculating the signature if any, but excluding formatting the
3015 * signature and sending the message. */
3016 static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
3017 size_t *signature_len) {
3018 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3019 ssl->handshake->ciphersuite_info;
3020
3021 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
3022 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3023 unsigned char *dig_signed = NULL;
3024 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3025 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
3026
3027 (void) ciphersuite_info; /* unused in some configurations */
3028 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3029 (void) signature_len;
3030 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3031
3032 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
3033
3034 /*
3035 *
3036 * Part 1: Provide key exchange parameters for chosen ciphersuite.
3037 *
3038 */
3039
3040 /*
3041 * - ECJPAKE key exchanges
3042 */
3043 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3044 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3045 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3046 size_t len = 0;
3047
3048 ret = mbedtls_ecjpake_write_round_two(
3049 &ssl->handshake->ecjpake_ctx,
3050 ssl->out_msg + ssl->out_msglen,
3051 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
3052 ssl->conf->f_rng, ssl->conf->p_rng);
3053 if (ret != 0) {
3054 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3055 return (ret);
3056 }
3057
3058 ssl->out_msglen += len;
3059 }
3060 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3061
3062 /*
3063 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
3064 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
3065 * we use empty support identity hints here.
3066 **/
3067 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
3068 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3069 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3070 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3071 ssl->out_msg[ssl->out_msglen++] = 0x00;
3072 ssl->out_msg[ssl->out_msglen++] = 0x00;
3073 }
3074 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
3075 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3076
3077 /*
3078 * - DHE key exchanges
3079 */
3080 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
3081 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
3082 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3083 size_t len = 0;
3084
3085 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
3086 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
3087 return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
3088 }
3089
3090 /*
3091 * Ephemeral DH parameters:
3092 *
3093 * struct {
3094 * opaque dh_p<1..2^16-1>;
3095 * opaque dh_g<1..2^16-1>;
3096 * opaque dh_Ys<1..2^16-1>;
3097 * } ServerDHParams;
3098 */
3099 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
3100 &ssl->conf->dhm_P,
3101 &ssl->conf->dhm_G)) != 0) {
3102 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
3103 return (ret);
3104 }
3105
3106 if ((ret = mbedtls_dhm_make_params(
3107 &ssl->handshake->dhm_ctx,
3108 (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
3109 ssl->out_msg + ssl->out_msglen, &len,
3110 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3111 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
3112 return (ret);
3113 }
3114
3115 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3116 dig_signed = ssl->out_msg + ssl->out_msglen;
3117 #endif
3118
3119 ssl->out_msglen += len;
3120
3121 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
3122 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
3123 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
3124 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
3125 }
3126 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
3127
3128 /*
3129 * - ECDHE key exchanges
3130 */
3131 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
3132 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
3133 /*
3134 * Ephemeral ECDH parameters:
3135 *
3136 * struct {
3137 * ECParameters curve_params;
3138 * ECPoint public;
3139 * } ServerECDHParams;
3140 */
3141 const mbedtls_ecp_curve_info **curve = NULL;
3142 const mbedtls_ecp_group_id *gid;
3143 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3144 size_t len = 0;
3145
3146 /* Match our preference list against the offered curves */
3147 for (gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++)
3148 for (curve = ssl->handshake->curves; *curve != NULL; curve++)
3149 if ((*curve)->grp_id == *gid)
3150 goto curve_matching_done;
3151
3152 curve_matching_done:
3153 if (curve == NULL || *curve == NULL) {
3154 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
3155 return (MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN);
3156 }
3157
3158 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", (*curve)->name));
3159
3160 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3161 (*curve)->grp_id)) != 0) {
3162 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3163 return (ret);
3164 }
3165
3166 if ((ret = mbedtls_ecdh_make_params(
3167 &ssl->handshake->ecdh_ctx, &len,
3168 ssl->out_msg + ssl->out_msglen,
3169 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3170 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3171 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3172 return (ret);
3173 }
3174
3175 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3176 dig_signed = ssl->out_msg + ssl->out_msglen;
3177 #endif
3178
3179 ssl->out_msglen += len;
3180
3181 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3182 MBEDTLS_DEBUG_ECDH_Q);
3183 }
3184 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
3185
3186 /*
3187 *
3188 * Part 2: For key exchanges involving the server signing the
3189 * exchange parameters, compute and add the signature here.
3190 *
3191 */
3192 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3193 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3194 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
3195 size_t hashlen = 0;
3196 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3197 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3198
3199 /*
3200 * 2.1: Choose hash algorithm:
3201 * A: For TLS 1.2, obey signature-hash-algorithm extension
3202 * to choose appropriate hash.
3203 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
3204 * (RFC 4492, Sec. 5.4)
3205 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
3206 */
3207
3208 mbedtls_md_type_t md_alg;
3209
3210 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3211 mbedtls_pk_type_t sig_alg =
3212 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
3213 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3214 /* A: For TLS 1.2, obey signature-hash-algorithm extension
3215 * (RFC 5246, Sec. 7.4.1.4.1). */
3216 if (sig_alg == MBEDTLS_PK_NONE ||
3217 (md_alg = mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs,
3218 sig_alg)) == MBEDTLS_MD_NONE) {
3219 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3220 /* (... because we choose a cipher suite
3221 * only if there is a matching hash.) */
3222 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
3223 }
3224 } else
3225 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3226 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3227 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3228 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
3229 /* B: Default hash SHA1 */
3230 md_alg = MBEDTLS_MD_SHA1;
3231 } else
3232 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3233 MBEDTLS_SSL_PROTO_TLS1_1 */
3234 {
3235 /* C: MD5 + SHA1 */
3236 md_alg = MBEDTLS_MD_NONE;
3237 }
3238
3239 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
3240
3241 /*
3242 * 2.2: Compute the hash to be signed
3243 */
3244 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3245 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3246 if (md_alg == MBEDTLS_MD_NONE) {
3247 hashlen = 36;
3248 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls(ssl, hash,
3249 dig_signed,
3250 dig_signed_len);
3251 if (ret != 0)
3252 return (ret);
3253 } else
3254 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3255 MBEDTLS_SSL_PROTO_TLS1_1 */
3256 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3257 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3258 if (md_alg != MBEDTLS_MD_NONE) {
3259 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3260 dig_signed,
3261 dig_signed_len,
3262 md_alg);
3263 if (ret != 0)
3264 return (ret);
3265 } else
3266 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3267 MBEDTLS_SSL_PROTO_TLS1_2 */
3268 {
3269 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3270 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
3271 }
3272
3273 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
3274
3275 /*
3276 * 2.3: Compute and add the signature
3277 */
3278 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3279 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3280 /*
3281 * For TLS 1.2, we need to specify signature and hash algorithm
3282 * explicitly through a prefix to the signature.
3283 *
3284 * struct {
3285 * HashAlgorithm hash;
3286 * SignatureAlgorithm signature;
3287 * } SignatureAndHashAlgorithm;
3288 *
3289 * struct {
3290 * SignatureAndHashAlgorithm algorithm;
3291 * opaque signature<0..2^16-1>;
3292 * } DigitallySigned;
3293 *
3294 */
3295
3296 ssl->out_msg[ssl->out_msglen++] =
3297 mbedtls_ssl_hash_from_md_alg(md_alg);
3298 ssl->out_msg[ssl->out_msglen++] =
3299 mbedtls_ssl_sig_from_pk_alg(sig_alg);
3300 }
3301 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3302
3303 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3304 if (ssl->conf->f_async_sign_start != NULL) {
3305 ret = ssl->conf->f_async_sign_start(ssl,
3306 mbedtls_ssl_own_cert(ssl),
3307 md_alg, hash, hashlen);
3308 switch (ret) {
3309 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3310 /* act as if f_async_sign was null */
3311 break;
3312 case 0:
3313 ssl->handshake->async_in_progress = 1;
3314 return (ssl_resume_server_key_exchange(ssl, signature_len));
3315 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3316 ssl->handshake->async_in_progress = 1;
3317 return (MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS);
3318 default:
3319 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3320 return (ret);
3321 }
3322 }
3323 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3324
3325 if (mbedtls_ssl_own_key(ssl) == NULL) {
3326 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3327 return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
3328 }
3329
3330 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3331 * signature length which will be added in ssl_write_server_key_exchange
3332 * after the call to ssl_prepare_server_key_exchange.
3333 * ssl_write_server_key_exchange also takes care of incrementing
3334 * ssl->out_msglen. */
3335 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3336 md_alg, hash, hashlen,
3337 ssl->out_msg + ssl->out_msglen + 2,
3338 signature_len,
3339 ssl->conf->f_rng,
3340 ssl->conf->p_rng)) != 0) {
3341 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3342 return (ret);
3343 }
3344 }
3345 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3346
3347 return (0);
3348 }
3349
3350 /* Prepare the ServerKeyExchange message and send it. For ciphersuites
3351 * that do not include a ServerKeyExchange message, do nothing. Either
3352 * way, if successful, move on to the next step in the SSL state
3353 * machine. */
3354 static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) {
3355 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3356 size_t signature_len = 0;
3357 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3358 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3359 ssl->handshake->ciphersuite_info;
3360 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3361
3362 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
3363
3364 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3365 /* Extract static ECDH parameters and abort if ServerKeyExchange
3366 * is not needed. */
3367 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
3368 /* For suites involving ECDH, extract DH parameters
3369 * from certificate at this point. */
3370 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
3371 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3372 ssl_get_ecdh_params_from_cert(ssl);
3373 }
3374 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
3375
3376 /* Key exchanges not involving ephemeral keys don't use
3377 * ServerKeyExchange, so end here. */
3378 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
3379 ssl->state++;
3380 return (0);
3381 }
3382 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3383
3384 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
3385 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3386 /* If we have already prepared the message and there is an ongoing
3387 * signature operation, resume signing. */
3388 if (ssl->handshake->async_in_progress != 0) {
3389 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3390 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3391 } else
3392 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3393 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3394 {
3395 /* ServerKeyExchange is needed. Prepare the message. */
3396 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
3397 }
3398
3399 if (ret != 0) {
3400 /* If we're starting to write a new message, set ssl->out_msglen
3401 * to 0. But if we're resuming after an asynchronous message,
3402 * out_msglen is the amount of data written so far and mst be
3403 * preserved. */
3404 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS)
3405 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3406 else
3407 ssl->out_msglen = 0;
3408 return (ret);
3409 }
3410
3411 /* If there is a signature, write its length.
3412 * ssl_prepare_server_key_exchange already wrote the signature
3413 * itself at its proper place in the output buffer. */
3414 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3415 if (signature_len != 0) {
3416 ssl->out_msg[ssl->out_msglen++] = (unsigned char)(signature_len >> 8);
3417 ssl->out_msg[ssl->out_msglen++] = (unsigned char)(signature_len);
3418
3419 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3420 ssl->out_msg + ssl->out_msglen,
3421 signature_len);
3422
3423 /* Skip over the already-written signature */
3424 ssl->out_msglen += signature_len;
3425 }
3426 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3427
3428 /* Add header and send. */
3429 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3430 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3431
3432 ssl->state++;
3433
3434 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3435 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3436 return (ret);
3437 }
3438
3439 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3440 return (0);
3441 }
3442
3443 static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) {
3444 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3445
3446 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
3447
3448 ssl->out_msglen = 4;
3449 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3450 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3451
3452 ssl->state++;
3453
3454 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3455 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM)
3456 mbedtls_ssl_send_flight_completed(ssl);
3457 #endif
3458
3459 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3460 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3461 return (ret);
3462 }
3463
3464 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3465 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3466 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3467 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3468 return (ret);
3469 }
3470 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3471
3472 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
3473
3474 return (0);
3475 }
3476
3477 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3478 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3479 static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3480 const unsigned char *end) {
3481 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3482 size_t n;
3483
3484 /*
3485 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3486 */
3487 if (*p + 2 > end) {
3488 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3489 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3490 }
3491
3492 n = ((*p)[0] << 8) | (*p)[1];
3493 *p += 2;
3494
3495 if (*p + n > end) {
3496 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3497 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3498 }
3499
3500 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3501 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3502 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP);
3503 }
3504
3505 *p += n;
3506
3507 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
3508
3509 return (ret);
3510 }
3511 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3512 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3513
3514 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3515 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3516
3517 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3518 static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3519 unsigned char *peer_pms,
3520 size_t *peer_pmslen,
3521 size_t peer_pmssize) {
3522 int ret = ssl->conf->f_async_resume(ssl,
3523 peer_pms, peer_pmslen, peer_pmssize);
3524 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3525 ssl->handshake->async_in_progress = 0;
3526 mbedtls_ssl_set_async_operation_data(ssl, NULL);
3527 }
3528 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3529 return (ret);
3530 }
3531 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3532
3533 static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3534 const unsigned char *p,
3535 const unsigned char *end,
3536 unsigned char *peer_pms,
3537 size_t *peer_pmslen,
3538 size_t peer_pmssize) {
3539 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3540 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3541 mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert(ssl)->pk;
3542 size_t len = mbedtls_pk_get_len(public_key);
3543
3544 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3545 /* If we have already started decoding the message and there is an ongoing
3546 * decryption operation, resume signing. */
3547 if (ssl->handshake->async_in_progress != 0) {
3548 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3549 return (ssl_resume_decrypt_pms(ssl,
3550 peer_pms, peer_pmslen, peer_pmssize));
3551 }
3552 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3553
3554 /*
3555 * Prepare to decrypt the premaster using own private RSA key
3556 */
3557 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3558 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3559 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
3560 if (p + 2 > end) {
3561 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3562 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3563 }
3564 if (*p++ != ((len >> 8) & 0xFF) ||
3565 *p++ != ((len) & 0xFF)) {
3566 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3567 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3568 }
3569 }
3570 #endif
3571
3572 if (p + len != end) {
3573 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3574 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3575 }
3576
3577 /*
3578 * Decrypt the premaster secret
3579 */
3580 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3581 if (ssl->conf->f_async_decrypt_start != NULL) {
3582 ret = ssl->conf->f_async_decrypt_start(ssl,
3583 mbedtls_ssl_own_cert(ssl),
3584 p, len);
3585 switch (ret) {
3586 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3587 /* act as if f_async_decrypt_start was null */
3588 break;
3589 case 0:
3590 ssl->handshake->async_in_progress = 1;
3591 return (ssl_resume_decrypt_pms(ssl,
3592 peer_pms,
3593 peer_pmslen,
3594 peer_pmssize));
3595 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3596 ssl->handshake->async_in_progress = 1;
3597 return (MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS);
3598 default:
3599 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3600 return (ret);
3601 }
3602 }
3603 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3604
3605 if (! mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3606 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3607 return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
3608 }
3609
3610 ret = mbedtls_pk_decrypt(private_key, p, len,
3611 peer_pms, peer_pmslen, peer_pmssize,
3612 ssl->conf->f_rng, ssl->conf->p_rng);
3613 return (ret);
3614 }
3615
3616 static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3617 const unsigned char *p,
3618 const unsigned char *end,
3619 size_t pms_offset) {
3620 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3621 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3622 unsigned char ver[2];
3623 unsigned char fake_pms[48], peer_pms[48];
3624 unsigned char mask;
3625 size_t i, peer_pmslen;
3626 unsigned int diff;
3627
3628 /* In case of a failure in decryption, the decryption may write less than
3629 * 2 bytes of output, but we always read the first two bytes. It doesn't
3630 * matter in the end because diff will be nonzero in that case due to
3631 * ret being nonzero, and we only care whether diff is 0.
3632 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3633 * also makes memory analyzers happy (don't access uninitialized memory,
3634 * even if it's an unsigned char). */
3635 peer_pms[0] = peer_pms[1] = ~0;
3636 peer_pmslen = 0;
3637
3638 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3639 peer_pms,
3640 &peer_pmslen,
3641 sizeof(peer_pms));
3642
3643 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3644 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS)
3645 return (ret);
3646 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3647
3648 mbedtls_ssl_write_version(ssl->handshake->max_major_ver,
3649 ssl->handshake->max_minor_ver,
3650 ssl->conf->transport, ver);
3651
3652 /* Avoid data-dependent branches while checking for invalid
3653 * padding, to protect against timing-based Bleichenbacher-type
3654 * attacks. */
3655 diff = (unsigned int) ret;
3656 diff |= peer_pmslen ^ 48;
3657 diff |= peer_pms[0] ^ ver[0];
3658 diff |= peer_pms[1] ^ ver[1];
3659
3660 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3661 /* MSVC has a warning about unary minus on unsigned, but this is
3662 * well-defined and precisely what we want to do here */
3663 #if defined(_MSC_VER)
3664 #pragma warning( push )
3665 #pragma warning( disable : 4146 )
3666 #endif
3667 mask = - ((diff | - diff) >> (sizeof(unsigned int) * 8 - 1));
3668 #if defined(_MSC_VER)
3669 #pragma warning( pop )
3670 #endif
3671
3672 /*
3673 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3674 * must not cause the connection to end immediately; instead, send a
3675 * bad_record_mac later in the handshake.
3676 * To protect against timing-based variants of the attack, we must
3677 * not have any branch that depends on whether the decryption was
3678 * successful. In particular, always generate the fake premaster secret,
3679 * regardless of whether it will ultimately influence the output or not.
3680 */
3681 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3682 if (ret != 0) {
3683 /* It's ok to abort on an RNG failure, since this does not reveal
3684 * anything about the RSA decryption. */
3685 return (ret);
3686 }
3687
3688 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3689 if (diff != 0)
3690 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3691 #endif
3692
3693 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3694 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3695 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3696 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
3697 }
3698 ssl->handshake->pmslen = 48;
3699
3700 /* Set pms to either the true or the fake PMS, without
3701 * data-dependent branches. */
3702 for (i = 0; i < ssl->handshake->pmslen; i++)
3703 pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]);
3704
3705 return (0);
3706 }
3707 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3708 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3709
3710 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3711 static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3712 const unsigned char *end) {
3713 int ret = 0;
3714 uint16_t n;
3715
3716 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3717 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3718 return (MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED);
3719 }
3720
3721 /*
3722 * Receive client pre-shared key identity name
3723 */
3724 if (end - *p < 2) {
3725 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3726 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3727 }
3728
3729 n = ((*p)[0] << 8) | (*p)[1];
3730 *p += 2;
3731
3732 if (n == 0 || n > end - *p) {
3733 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3734 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3735 }
3736
3737 if (ssl->conf->f_psk != NULL) {
3738 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0)
3739 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3740 } else {
3741 /* Identity is not a big secret since clients send it in the clear,
3742 * but treat it carefully anyway, just in case */
3743 if (n != ssl->conf->psk_identity_len ||
3744 mbedtls_ssl_safer_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
3745 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3746 }
3747 }
3748
3749 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3750 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3751 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3752 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3753 return (MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY);
3754 }
3755
3756 *p += n;
3757
3758 return (0);
3759 }
3760 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3761
3762 static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) {
3763 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3764 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3765 unsigned char *p, *end;
3766
3767 ciphersuite_info = ssl->handshake->ciphersuite_info;
3768
3769 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
3770
3771 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3772 ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3773 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
3774 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3775 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
3776 (ssl->handshake->async_in_progress != 0)) {
3777 /* We've already read a record and there is an asynchronous
3778 * operation in progress to decrypt it. So skip reading the
3779 * record. */
3780 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
3781 } else
3782 #endif
3783 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3784 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3785 return (ret);
3786 }
3787
3788 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3789 end = ssl->in_msg + ssl->in_hslen;
3790
3791 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3792 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3793 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3794 }
3795
3796 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
3797 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3798 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3799 }
3800
3801 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3802 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3803 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3804 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3805 return (ret);
3806 }
3807
3808 if (p != end) {
3809 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3810 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3811 }
3812
3813 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3814 ssl->handshake->premaster,
3815 MBEDTLS_PREMASTER_SIZE,
3816 &ssl->handshake->pmslen,
3817 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3818 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3819 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS);
3820 }
3821
3822 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3823 } else
3824 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3825 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3826 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3827 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3828 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3829 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3830 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3831 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3832 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
3833 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3834 p, end - p)) != 0) {
3835 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3836 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP);
3837 }
3838
3839 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3840 MBEDTLS_DEBUG_ECDH_QP);
3841
3842 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3843 &ssl->handshake->pmslen,
3844 ssl->handshake->premaster,
3845 MBEDTLS_MPI_MAX_SIZE,
3846 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3847 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3848 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS);
3849 }
3850
3851 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3852 MBEDTLS_DEBUG_ECDH_Z);
3853 } else
3854 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3855 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3856 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3857 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3858 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3859 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3860 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3861 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3862 return (ret);
3863 }
3864
3865 if (p != end) {
3866 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3867 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3868 }
3869
3870 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3871 /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically
3872 * and skip the intermediate PMS. */
3873 if (ssl_use_opaque_psk(ssl) == 1)
3874 MBEDTLS_SSL_DEBUG_MSG(1, ("skip PMS generation for opaque PSK"));
3875 else
3876 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3877 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3878 ciphersuite_info->key_exchange)) != 0) {
3879 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3880 return (ret);
3881 }
3882 } else
3883 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3884 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3885 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3886 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3887 if (ssl->handshake->async_in_progress != 0) {
3888 /* There is an asynchronous operation in progress to
3889 * decrypt the encrypted premaster secret, so skip
3890 * directly to resuming this operation. */
3891 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
3892 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3893 * won't actually use it, but maintain p anyway for robustness. */
3894 p += ssl->conf->psk_identity_len + 2;
3895 } else
3896 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3897 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3898 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3899 return (ret);
3900 }
3901
3902 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3903 /* Opaque PSKs are currently only supported for PSK-only. */
3904 if (ssl_use_opaque_psk(ssl) == 1)
3905 return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
3906 #endif
3907
3908 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
3909 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
3910 return (ret);
3911 }
3912
3913 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3914 ciphersuite_info->key_exchange)) != 0) {
3915 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3916 return (ret);
3917 }
3918 } else
3919 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3920 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3921 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3922 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3923 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3924 return (ret);
3925 }
3926 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
3927 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
3928 return (ret);
3929 }
3930
3931 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3932 /* Opaque PSKs are currently only supported for PSK-only. */
3933 if (ssl_use_opaque_psk(ssl) == 1)
3934 return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
3935 #endif
3936
3937 if (p != end) {
3938 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
3939 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE);
3940 }
3941
3942 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3943 ciphersuite_info->key_exchange)) != 0) {
3944 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3945 return (ret);
3946 }
3947 } else
3948 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3949 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3950 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3951 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
3952 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
3953 return (ret);
3954 }
3955
3956 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
3957 p, end - p)) != 0) {
3958 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
3959 return (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP);
3960 }
3961
3962 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3963 /* Opaque PSKs are currently only supported for PSK-only. */
3964 if (ssl_use_opaque_psk(ssl) == 1)
3965 return (MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
3966 #endif
3967
3968 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3969 MBEDTLS_DEBUG_ECDH_QP);
3970
3971 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3972 ciphersuite_info->key_exchange)) != 0) {
3973 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
3974 return (ret);
3975 }
3976 } else
3977 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3978 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3979 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3980 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
3981 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
3982 return (ret);
3983 }
3984 } else
3985 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3986 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3987 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3988 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
3989 p, end - p);
3990 if (ret != 0) {
3991 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
3992 return (MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE);
3993 }
3994
3995 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3996 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3997 ssl->conf->f_rng, ssl->conf->p_rng);
3998 if (ret != 0) {
3999 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4000 return (ret);
4001 }
4002 } else
4003 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
4004 {
4005 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4006 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
4007 }
4008
4009 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4010 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4011 return (ret);
4012 }
4013
4014 ssl->state++;
4015
4016 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
4017
4018 return (0);
4019 }
4020
4021 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
4022 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) {
4023 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4024 ssl->handshake->ciphersuite_info;
4025
4026 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4027
4028 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4029 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4030 ssl->state++;
4031 return (0);
4032 }
4033
4034 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4035 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
4036 }
4037 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4038 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) {
4039 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4040 size_t i, sig_len;
4041 unsigned char hash[48];
4042 unsigned char *hash_start = hash;
4043 size_t hashlen;
4044 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4045 mbedtls_pk_type_t pk_alg;
4046 #endif
4047 mbedtls_md_type_t md_alg;
4048 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4049 ssl->handshake->ciphersuite_info;
4050 mbedtls_pk_context *peer_pk;
4051
4052 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4053
4054 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4055 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4056 ssl->state++;
4057 return (0);
4058 }
4059
4060 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4061 if (ssl->session_negotiate->peer_cert == NULL) {
4062 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4063 ssl->state++;
4064 return (0);
4065 }
4066 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4067 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4068 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4069 ssl->state++;
4070 return (0);
4071 }
4072 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4073
4074 /* Read the message without adding it to the checksum */
4075 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4076 if (0 != ret) {
4077 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4078 return (ret);
4079 }
4080
4081 ssl->state++;
4082
4083 /* Process the message contents */
4084 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4085 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4086 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4087 return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
4088 }
4089
4090 i = mbedtls_ssl_hs_hdr_len(ssl);
4091
4092 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4093 peer_pk = &ssl->handshake->peer_pubkey;
4094 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4095 if (ssl->session_negotiate->peer_cert == NULL) {
4096 /* Should never happen */
4097 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
4098 }
4099 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4100 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4101
4102 /*
4103 * struct {
4104 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4105 * opaque signature<0..2^16-1>;
4106 * } DigitallySigned;
4107 */
4108 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4109 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4110 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
4111 md_alg = MBEDTLS_MD_NONE;
4112 hashlen = 36;
4113
4114 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
4115 if (mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECDSA)) {
4116 hash_start += 16;
4117 hashlen -= 16;
4118 md_alg = MBEDTLS_MD_SHA1;
4119 }
4120 } else
4121 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
4122 MBEDTLS_SSL_PROTO_TLS1_1 */
4123 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4124 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
4125 if (i + 2 > ssl->in_hslen) {
4126 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4127 return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
4128 }
4129
4130 /*
4131 * Hash
4132 */
4133 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
4134
4135 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4136 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4137 " for verify message"));
4138 return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
4139 }
4140
4141 #if !defined(MBEDTLS_MD_SHA1)
4142 if (MBEDTLS_MD_SHA1 == md_alg)
4143 hash_start += 16;
4144 #endif
4145
4146 /* Info from md_alg will be used instead */
4147 hashlen = 0;
4148
4149 i++;
4150
4151 /*
4152 * Signature
4153 */
4154 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4155 == MBEDTLS_PK_NONE) {
4156 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4157 " for verify message"));
4158 return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
4159 }
4160
4161 /*
4162 * Check the certificate's key type matches the signature alg
4163 */
4164 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4165 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4166 return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
4167 }
4168
4169 i++;
4170 } else
4171 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4172 {
4173 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4174 return (MBEDTLS_ERR_SSL_INTERNAL_ERROR);
4175 }
4176
4177 if (i + 2 > ssl->in_hslen) {
4178 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4179 return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
4180 }
4181
4182 sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i + 1];
4183 i += 2;
4184
4185 if (i + sig_len != ssl->in_hslen) {
4186 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4187 return (MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY);
4188 }
4189
4190 /* Calculate hash and verify signature */
4191 {
4192 size_t dummy_hlen;
4193 ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4194 }
4195
4196 if ((ret = mbedtls_pk_verify(peer_pk,
4197 md_alg, hash_start, hashlen,
4198 ssl->in_msg + i, sig_len)) != 0) {
4199 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4200 return (ret);
4201 }
4202
4203 mbedtls_ssl_update_handshake_status(ssl);
4204
4205 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
4206
4207 return (ret);
4208 }
4209 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4210
4211 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4212 static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) {
4213 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4214 size_t tlen;
4215 uint32_t lifetime;
4216
4217 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
4218
4219 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4220 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4221
4222 /*
4223 * struct {
4224 * uint32 ticket_lifetime_hint;
4225 * opaque ticket<0..2^16-1>;
4226 * } NewSessionTicket;
4227 *
4228 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4229 * 8 . 9 ticket_len (n)
4230 * 10 . 9+n ticket content
4231 */
4232
4233 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4234 ssl->session_negotiate,
4235 ssl->out_msg + 10,
4236 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4237 &tlen, &lifetime)) != 0) {
4238 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
4239 tlen = 0;
4240 }
4241
4242 ssl->out_msg[4] = (lifetime >> 24) & 0xFF;
4243 ssl->out_msg[5] = (lifetime >> 16) & 0xFF;
4244 ssl->out_msg[6] = (lifetime >> 8) & 0xFF;
4245 ssl->out_msg[7] = (lifetime) & 0xFF;
4246
4247 ssl->out_msg[8] = (unsigned char)((tlen >> 8) & 0xFF);
4248 ssl->out_msg[9] = (unsigned char)((tlen) & 0xFF);
4249
4250 ssl->out_msglen = 10 + tlen;
4251
4252 /*
4253 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4254 * ChangeCipherSpec share the same state.
4255 */
4256 ssl->handshake->new_session_ticket = 0;
4257
4258 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4259 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4260 return (ret);
4261 }
4262
4263 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
4264
4265 return (0);
4266 }
4267 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4268
4269 /*
4270 * SSL handshake -- server side -- single step
4271 */
4272 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl) {
4273 int ret = 0;
4274
4275 if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL)
4276 return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
4277
4278 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
4279
4280 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0)
4281 return (ret);
4282
4283 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4284 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4285 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4286 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0)
4287 return (ret);
4288 }
4289 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4290
4291 switch (ssl->state) {
4292 case MBEDTLS_SSL_HELLO_REQUEST:
4293 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4294 break;
4295
4296 /*
4297 * <== ClientHello
4298 */
4299 case MBEDTLS_SSL_CLIENT_HELLO:
4300 ret = ssl_parse_client_hello(ssl);
4301 break;
4302
4303 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4304 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4305 return (MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED);
4306 #endif
4307
4308 /*
4309 * ==> ServerHello
4310 * Certificate
4311 * ( ServerKeyExchange )
4312 * ( CertificateRequest )
4313 * ServerHelloDone
4314 */
4315 case MBEDTLS_SSL_SERVER_HELLO:
4316 ret = ssl_write_server_hello(ssl);
4317 break;
4318
4319 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4320 ret = mbedtls_ssl_write_certificate(ssl);
4321 break;
4322
4323 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4324 ret = ssl_write_server_key_exchange(ssl);
4325 break;
4326
4327 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4328 ret = ssl_write_certificate_request(ssl);
4329 break;
4330
4331 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4332 ret = ssl_write_server_hello_done(ssl);
4333 break;
4334
4335 /*
4336 * <== ( Certificate/Alert )
4337 * ClientKeyExchange
4338 * ( CertificateVerify )
4339 * ChangeCipherSpec
4340 * Finished
4341 */
4342 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4343 ret = mbedtls_ssl_parse_certificate(ssl);
4344 break;
4345
4346 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4347 ret = ssl_parse_client_key_exchange(ssl);
4348 break;
4349
4350 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4351 ret = ssl_parse_certificate_verify(ssl);
4352 break;
4353
4354 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4355 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4356 break;
4357
4358 case MBEDTLS_SSL_CLIENT_FINISHED:
4359 ret = mbedtls_ssl_parse_finished(ssl);
4360 break;
4361
4362 /*
4363 * ==> ( NewSessionTicket )
4364 * ChangeCipherSpec
4365 * Finished
4366 */
4367 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4368 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4369 if (ssl->handshake->new_session_ticket != 0)
4370 ret = ssl_write_new_session_ticket(ssl);
4371 else
4372 #endif
4373 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4374 break;
4375
4376 case MBEDTLS_SSL_SERVER_FINISHED:
4377 ret = mbedtls_ssl_write_finished(ssl);
4378 break;
4379
4380 case MBEDTLS_SSL_FLUSH_BUFFERS:
4381 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
4382 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4383 break;
4384
4385 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4386 mbedtls_ssl_handshake_wrapup(ssl);
4387 break;
4388
4389 default:
4390 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4391 return (MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
4392 }
4393
4394 return (ret);
4395 }
4396 #endif /* MBEDTLS_SSL_SRV_C */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware