1/*
2 * SSLv3/TLSv1 server-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_SRV_C)
23
24#include "mbedtls/platform.h"
25
26#include "mbedtls/ssl.h"
27#include "mbedtls/ssl_internal.h"
28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
30#include "mbedtls/platform_util.h"
31#include "constant_time_internal.h"
32#include "mbedtls/constant_time.h"
33
34#include <string.h>
35
36#if defined(MBEDTLS_ECP_C)
37#include "mbedtls/ecp.h"
38#endif
39
40#if defined(MBEDTLS_HAVE_TIME)
41#include "mbedtls/platform_time.h"
42#endif
43
44#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
45int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
46 const unsigned char *info,
47 size_t ilen)
48{
49 if (ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER) {
50 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
51 }
52
53 mbedtls_free(ssl->cli_id);
54
55 if ((ssl->cli_id = mbedtls_calloc(1, ilen)) == NULL) {
56 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
57 }
58
59 memcpy(ssl->cli_id, info, ilen);
60 ssl->cli_id_len = ilen;
61
62 return 0;
63}
64
65void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
66 mbedtls_ssl_cookie_write_t *f_cookie_write,
67 mbedtls_ssl_cookie_check_t *f_cookie_check,
68 void *p_cookie)
69{
70 conf->f_cookie_write = f_cookie_write;
71 conf->f_cookie_check = f_cookie_check;
72 conf->p_cookie = p_cookie;
73}
74#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
75
76#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
77MBEDTLS_CHECK_RETURN_CRITICAL
78static int ssl_parse_servername_ext(mbedtls_ssl_context *ssl,
79 const unsigned char *buf,
80 size_t len)
81{
82 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
83 size_t servername_list_size, hostname_len;
84 const unsigned char *p;
85
86 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
87
88 if (len < 2) {
89 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
90 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
91 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
92 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
93 }
94 servername_list_size = ((buf[0] << 8) | (buf[1]));
95 if (servername_list_size + 2 != len) {
96 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
97 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
98 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
99 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
100 }
101
102 p = buf + 2;
103 while (servername_list_size > 2) {
104 hostname_len = ((p[1] << 8) | p[2]);
105 if (hostname_len + 3 > servername_list_size) {
106 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
107 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
108 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
109 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
110 }
111
112 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
113 ret = ssl->conf->f_sni(ssl->conf->p_sni,
114 ssl, p + 3, hostname_len);
115 if (ret != 0) {
116 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
117 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
118 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME);
119 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
120 }
121 return 0;
122 }
123
124 servername_list_size -= hostname_len + 3;
125 p += hostname_len + 3;
126 }
127
128 if (servername_list_size != 0) {
129 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
130 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
131 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
132 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
133 }
134
135 return 0;
136}
137#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
138
139#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
140MBEDTLS_CHECK_RETURN_CRITICAL
141static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
142{
143 if (conf->f_psk != NULL) {
144 return 1;
145 }
146
147 if (conf->psk_identity_len == 0 || conf->psk_identity == NULL) {
148 return 0;
149 }
150
151 if (conf->psk != NULL && conf->psk_len != 0) {
152 return 1;
153 }
154
155#if defined(MBEDTLS_USE_PSA_CRYPTO)
156 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
157 return 1;
158 }
159#endif /* MBEDTLS_USE_PSA_CRYPTO */
160
161 return 0;
162}
163
164#if defined(MBEDTLS_USE_PSA_CRYPTO)
165MBEDTLS_CHECK_RETURN_CRITICAL
166static int ssl_use_opaque_psk(mbedtls_ssl_context const *ssl)
167{
168 if (ssl->conf->f_psk != NULL) {
169 /* If we've used a callback to select the PSK,
170 * the static configuration is irrelevant. */
171
172 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
173 return 1;
174 }
175
176 return 0;
177 }
178
179 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
180 return 1;
181 }
182
183 return 0;
184}
185#endif /* MBEDTLS_USE_PSA_CRYPTO */
186#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
187
188MBEDTLS_CHECK_RETURN_CRITICAL
189static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
190 const unsigned char *buf,
191 size_t len)
192{
193#if defined(MBEDTLS_SSL_RENEGOTIATION)
194 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
195 /* Check verify-data in constant-time. The length OTOH is no secret */
196 if (len != 1 + ssl->verify_data_len ||
197 buf[0] != ssl->verify_data_len ||
198 mbedtls_ct_memcmp(buf + 1, ssl->peer_verify_data,
199 ssl->verify_data_len) != 0) {
200 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
201 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
202 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
203 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
204 }
205 } else
206#endif /* MBEDTLS_SSL_RENEGOTIATION */
207 {
208 if (len != 1 || buf[0] != 0x0) {
209 MBEDTLS_SSL_DEBUG_MSG(1, ("non-zero length renegotiation info"));
210 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
211 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
212 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
213 }
214
215 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
216 }
217
218 return 0;
219}
220
221#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
222 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
223
224/*
225 * Status of the implementation of signature-algorithms extension:
226 *
227 * Currently, we are only considering the signature-algorithm extension
228 * to pick a ciphersuite which allows us to send the ServerKeyExchange
229 * message with a signature-hash combination that the user allows.
230 *
231 * We do *not* check whether all certificates in our certificate
232 * chain are signed with an allowed signature-hash pair.
233 * This needs to be done at a later stage.
234 *
235 */
236MBEDTLS_CHECK_RETURN_CRITICAL
237static int ssl_parse_signature_algorithms_ext(mbedtls_ssl_context *ssl,
238 const unsigned char *buf,
239 size_t len)
240{
241 size_t sig_alg_list_size;
242
243 const unsigned char *p;
244 const unsigned char *end = buf + len;
245
246 mbedtls_md_type_t md_cur;
247 mbedtls_pk_type_t sig_cur;
248
249 if (len < 2) {
250 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
251 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
252 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
253 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
254 }
255 sig_alg_list_size = ((buf[0] << 8) | (buf[1]));
256 if (sig_alg_list_size + 2 != len ||
257 sig_alg_list_size % 2 != 0) {
258 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
259 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
261 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
262 }
263
264 /* Currently we only guarantee signing the ServerKeyExchange message according
265 * to the constraints specified in this extension (see above), so it suffices
266 * to remember only one suitable hash for each possible signature algorithm.
267 *
268 * This will change when we also consider certificate signatures,
269 * in which case we will need to remember the whole signature-hash
270 * pair list from the extension.
271 */
272
273 for (p = buf + 2; p < end; p += 2) {
274 /* Silently ignore unknown signature or hash algorithms. */
275
276 if ((sig_cur = mbedtls_ssl_pk_alg_from_sig(p[1])) == MBEDTLS_PK_NONE) {
277 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext"
278 " unknown sig alg encoding %d", p[1]));
279 continue;
280 }
281
282 /* Check if we support the hash the user proposes */
283 md_cur = mbedtls_ssl_md_alg_from_hash(p[0]);
284 if (md_cur == MBEDTLS_MD_NONE) {
285 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext:"
286 " unknown hash alg encoding %d", p[0]));
287 continue;
288 }
289
290 if (mbedtls_ssl_check_sig_hash(ssl, md_cur) == 0) {
291 mbedtls_ssl_sig_hash_set_add(&ssl->handshake->hash_algs, sig_cur, md_cur);
292 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext:"
293 " match sig %u and hash %u",
294 (unsigned) sig_cur, (unsigned) md_cur));
295 } else {
296 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: "
297 "hash alg %u not supported", (unsigned) md_cur));
298 }
299 }
300
301 return 0;
302}
303#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
304 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
305
306#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
307 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
308MBEDTLS_CHECK_RETURN_CRITICAL
309static int ssl_parse_supported_elliptic_curves(mbedtls_ssl_context *ssl,
310 const unsigned char *buf,
311 size_t len)
312{
313 size_t list_size, our_size;
314 const unsigned char *p;
315 const mbedtls_ecp_curve_info *curve_info, **curves;
316
317 if (len < 2) {
318 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
319 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
320 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
321 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
322 }
323 list_size = ((buf[0] << 8) | (buf[1]));
324 if (list_size + 2 != len ||
325 list_size % 2 != 0) {
326 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
327 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
328 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
329 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
330 }
331
332 /* Should never happen unless client duplicates the extension */
333 if (ssl->handshake->curves != NULL) {
334 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
335 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
336 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
337 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
338 }
339
340 /* Don't allow our peer to make us allocate too much memory,
341 * and leave room for a final 0 */
342 our_size = list_size / 2 + 1;
343 if (our_size > MBEDTLS_ECP_DP_MAX) {
344 our_size = MBEDTLS_ECP_DP_MAX;
345 }
346
347 if ((curves = mbedtls_calloc(our_size, sizeof(*curves))) == NULL) {
348 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
349 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
350 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
351 }
352
353 ssl->handshake->curves = curves;
354
355 p = buf + 2;
356 while (list_size > 0 && our_size > 1) {
357 curve_info = mbedtls_ecp_curve_info_from_tls_id((p[0] << 8) | p[1]);
358
359 if (curve_info != NULL) {
360 *curves++ = curve_info;
361 our_size--;
362 }
363
364 list_size -= 2;
365 p += 2;
366 }
367
368 return 0;
369}
370
371MBEDTLS_CHECK_RETURN_CRITICAL
372static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
373 const unsigned char *buf,
374 size_t len)
375{
376 size_t list_size;
377 const unsigned char *p;
378
379 if (len == 0 || (size_t) (buf[0] + 1) != len) {
380 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
381 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
382 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
383 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
384 }
385 list_size = buf[0];
386
387 p = buf + 1;
388 while (list_size > 0) {
389 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
390 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
391#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
392 ssl->handshake->ecdh_ctx.point_format = p[0];
393#endif
394#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
395 ssl->handshake->ecjpake_ctx.point_format = p[0];
396#endif
397 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
398 return 0;
399 }
400
401 list_size--;
402 p++;
403 }
404
405 return 0;
406}
407#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
408 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
409
410#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
411MBEDTLS_CHECK_RETURN_CRITICAL
412static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
413 const unsigned char *buf,
414 size_t len)
415{
416 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
417
418 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
419 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
420 return 0;
421 }
422
423 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
424 buf, len)) != 0) {
425 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
426 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
427 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
428 return ret;
429 }
430
431 /* Only mark the extension as OK when we're sure it is */
432 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
433
434 return 0;
435}
436#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
437
438#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
439MBEDTLS_CHECK_RETURN_CRITICAL
440static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
441 const unsigned char *buf,
442 size_t len)
443{
444 if (len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID) {
445 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
446 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
447 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
448 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
449 }
450
451 ssl->session_negotiate->mfl_code = buf[0];
452
453 return 0;
454}
455#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
456
457#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
458MBEDTLS_CHECK_RETURN_CRITICAL
459static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
460 const unsigned char *buf,
461 size_t len)
462{
463 size_t peer_cid_len;
464
465 /* CID extension only makes sense in DTLS */
466 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
467 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
468 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
469 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
470 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
471 }
472
473 /*
474 * Quoting draft-ietf-tls-dtls-connection-id-05
475 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
476 *
477 * struct {
478 * opaque cid<0..2^8-1>;
479 * } ConnectionId;
480 */
481
482 if (len < 1) {
483 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
484 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
485 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
486 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
487 }
488
489 peer_cid_len = *buf++;
490 len--;
491
492 if (len != peer_cid_len) {
493 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
494 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
495 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
496 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
497 }
498
499 /* Ignore CID if the user has disabled its use. */
500 if (ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
501 /* Leave ssl->handshake->cid_in_use in its default
502 * value of MBEDTLS_SSL_CID_DISABLED. */
503 MBEDTLS_SSL_DEBUG_MSG(3, ("Client sent CID extension, but CID disabled"));
504 return 0;
505 }
506
507 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
508 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
509 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
510 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
511 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
512 }
513
514 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
515 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
516 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
517
518 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
519 MBEDTLS_SSL_DEBUG_BUF(3, "Client CID", buf, peer_cid_len);
520
521 return 0;
522}
523#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
524
525#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
526MBEDTLS_CHECK_RETURN_CRITICAL
527static int ssl_parse_truncated_hmac_ext(mbedtls_ssl_context *ssl,
528 const unsigned char *buf,
529 size_t len)
530{
531 if (len != 0) {
532 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
533 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
534 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
535 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
536 }
537
538 ((void) buf);
539
540 if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED) {
541 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
542 }
543
544 return 0;
545}
546#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
547
548#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
549MBEDTLS_CHECK_RETURN_CRITICAL
550static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
551 const unsigned char *buf,
552 size_t len)
553{
554 if (len != 0) {
555 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
556 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
557 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
558 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
559 }
560
561 ((void) buf);
562
563 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
564 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
565 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
566 }
567
568 return 0;
569}
570#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
571
572#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
573MBEDTLS_CHECK_RETURN_CRITICAL
574static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
575 const unsigned char *buf,
576 size_t len)
577{
578 if (len != 0) {
579 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
580 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
582 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
583 }
584
585 ((void) buf);
586
587 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
588 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
589 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
590 }
591
592 return 0;
593}
594#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
595
596#if defined(MBEDTLS_SSL_SESSION_TICKETS)
597MBEDTLS_CHECK_RETURN_CRITICAL
598static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
599 unsigned char *buf,
600 size_t len)
601{
602 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
603 mbedtls_ssl_session session;
604
605 mbedtls_ssl_session_init(&session);
606
607 if (ssl->conf->f_ticket_parse == NULL ||
608 ssl->conf->f_ticket_write == NULL) {
609 return 0;
610 }
611
612 /* Remember the client asked us to send a new ticket */
613 ssl->handshake->new_session_ticket = 1;
614
615 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, len));
616
617 if (len == 0) {
618 return 0;
619 }
620
621#if defined(MBEDTLS_SSL_RENEGOTIATION)
622 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
623 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket rejected: renegotiating"));
624 return 0;
625 }
626#endif /* MBEDTLS_SSL_RENEGOTIATION */
627
628 /*
629 * Failures are ok: just ignore the ticket and proceed.
630 */
631 if ((ret = ssl->conf->f_ticket_parse(ssl->conf->p_ticket, &session,
632 buf, len)) != 0) {
633 mbedtls_ssl_session_free(&session);
634
635 if (ret == MBEDTLS_ERR_SSL_INVALID_MAC) {
636 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is not authentic"));
637 } else if (ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) {
638 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket is expired"));
639 } else {
640 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_parse", ret);
641 }
642
643 return 0;
644 }
645
646 /*
647 * Keep the session ID sent by the client, since we MUST send it back to
648 * inform them we're accepting the ticket (RFC 5077 section 3.4)
649 */
650 session.id_len = ssl->session_negotiate->id_len;
651 memcpy(&session.id, ssl->session_negotiate->id, session.id_len);
652
653 mbedtls_ssl_session_free(ssl->session_negotiate);
654 memcpy(ssl->session_negotiate, &session, sizeof(mbedtls_ssl_session));
655
656 /* Zeroize instead of free as we copied the content */
657 mbedtls_platform_zeroize(&session, sizeof(mbedtls_ssl_session));
658
659 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from ticket"));
660
661 ssl->handshake->resume = 1;
662
663 /* Don't send a new ticket after all, this one is OK */
664 ssl->handshake->new_session_ticket = 0;
665
666 return 0;
667}
668#endif /* MBEDTLS_SSL_SESSION_TICKETS */
669
670#if defined(MBEDTLS_SSL_ALPN)
671MBEDTLS_CHECK_RETURN_CRITICAL
672static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
673 const unsigned char *buf, size_t len)
674{
675 size_t list_len, cur_len, ours_len;
676 const unsigned char *theirs, *start, *end;
677 const char **ours;
678
679 /* If ALPN not configured, just ignore the extension */
680 if (ssl->conf->alpn_list == NULL) {
681 return 0;
682 }
683
684 /*
685 * opaque ProtocolName<1..2^8-1>;
686 *
687 * struct {
688 * ProtocolName protocol_name_list<2..2^16-1>
689 * } ProtocolNameList;
690 */
691
692 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
693 if (len < 4) {
694 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
695 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
696 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
697 }
698
699 list_len = (buf[0] << 8) | buf[1];
700 if (list_len != len - 2) {
701 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
702 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
703 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
704 }
705
706 /*
707 * Validate peer's list (lengths)
708 */
709 start = buf + 2;
710 end = buf + len;
711 for (theirs = start; theirs != end; theirs += cur_len) {
712 cur_len = *theirs++;
713
714 /* Current identifier must fit in list */
715 if (cur_len > (size_t) (end - theirs)) {
716 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
717 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
718 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
719 }
720
721 /* Empty strings MUST NOT be included */
722 if (cur_len == 0) {
723 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
724 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
725 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
726 }
727 }
728
729 /*
730 * Use our order of preference
731 */
732 for (ours = ssl->conf->alpn_list; *ours != NULL; ours++) {
733 ours_len = strlen(*ours);
734 for (theirs = start; theirs != end; theirs += cur_len) {
735 cur_len = *theirs++;
736
737 if (cur_len == ours_len &&
738 memcmp(theirs, *ours, cur_len) == 0) {
739 ssl->alpn_chosen = *ours;
740 return 0;
741 }
742 }
743 }
744
745 /* If we get there, no match was found */
746 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
747 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL);
748 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
749}
750#endif /* MBEDTLS_SSL_ALPN */
751
752#if defined(MBEDTLS_SSL_DTLS_SRTP)
753MBEDTLS_CHECK_RETURN_CRITICAL
754static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
755 const unsigned char *buf,
756 size_t len)
757{
758 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
759 size_t i, j;
760 size_t profile_length;
761 uint16_t mki_length;
762 /*! 2 bytes for profile length and 1 byte for mki len */
763 const size_t size_of_lengths = 3;
764
765 /* If use_srtp is not configured, just ignore the extension */
766 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
767 (ssl->conf->dtls_srtp_profile_list == NULL) ||
768 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
769 return 0;
770 }
771
772 /* RFC5764 section 4.1.1
773 * uint8 SRTPProtectionProfile[2];
774 *
775 * struct {
776 * SRTPProtectionProfiles SRTPProtectionProfiles;
777 * opaque srtp_mki<0..255>;
778 * } UseSRTPData;
779
780 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
781 */
782
783 /*
784 * Min length is 5: at least one protection profile(2 bytes)
785 * and length(2 bytes) + srtp_mki length(1 byte)
786 * Check here that we have at least 2 bytes of protection profiles length
787 * and one of srtp_mki length
788 */
789 if (len < size_of_lengths) {
790 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
791 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
792 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
793 }
794
795 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
796
797 /* first 2 bytes are protection profile length(in bytes) */
798 profile_length = (buf[0] << 8) | buf[1];
799 buf += 2;
800
801 /* The profile length cannot be bigger than input buffer size - lengths fields */
802 if (profile_length > len - size_of_lengths ||
803 profile_length % 2 != 0) { /* profiles are 2 bytes long, so the length must be even */
804 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
805 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
806 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
807 }
808 /*
809 * parse the extension list values are defined in
810 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
811 */
812 for (j = 0; j < profile_length; j += 2) {
813 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
814 client_protection = mbedtls_ssl_check_srtp_profile_value(protection_profile_value);
815
816 if (client_protection != MBEDTLS_TLS_SRTP_UNSET) {
817 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
818 mbedtls_ssl_get_srtp_profile_as_string(
819 client_protection)));
820 } else {
821 continue;
822 }
823 /* check if suggested profile is in our list */
824 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
825 if (client_protection == ssl->conf->dtls_srtp_profile_list[i]) {
826 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
827 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
828 mbedtls_ssl_get_srtp_profile_as_string(
829 client_protection)));
830 break;
831 }
832 }
833 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET) {
834 break;
835 }
836 }
837 buf += profile_length; /* buf points to the mki length */
838 mki_length = *buf;
839 buf++;
840
841 if (mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
842 mki_length + profile_length + size_of_lengths != len) {
843 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
844 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
845 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
846 }
847
848 /* Parse the mki only if present and mki is supported locally */
849 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
850 mki_length > 0) {
851 ssl->dtls_srtp_info.mki_len = mki_length;
852
853 memcpy(ssl->dtls_srtp_info.mki_value, buf, mki_length);
854
855 MBEDTLS_SSL_DEBUG_BUF(3, "using mki", ssl->dtls_srtp_info.mki_value,
856 ssl->dtls_srtp_info.mki_len);
857 }
858
859 return 0;
860}
861#endif /* MBEDTLS_SSL_DTLS_SRTP */
862
863/*
864 * Auxiliary functions for ServerHello parsing and related actions
865 */
866
867#if defined(MBEDTLS_X509_CRT_PARSE_C)
868/*
869 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
870 */
871#if defined(MBEDTLS_ECDSA_C)
872MBEDTLS_CHECK_RETURN_CRITICAL
873static int ssl_check_key_curve(mbedtls_pk_context *pk,
874 const mbedtls_ecp_curve_info **curves)
875{
876 const mbedtls_ecp_curve_info **crv = curves;
877 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id;
878
879 while (*crv != NULL) {
880 if ((*crv)->grp_id == grp_id) {
881 return 0;
882 }
883 crv++;
884 }
885
886 return -1;
887}
888#endif /* MBEDTLS_ECDSA_C */
889
890/*
891 * Try picking a certificate for this ciphersuite,
892 * return 0 on success and -1 on failure.
893 */
894MBEDTLS_CHECK_RETURN_CRITICAL
895static int ssl_pick_cert(mbedtls_ssl_context *ssl,
896 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
897{
898 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
899 mbedtls_pk_type_t pk_alg =
900 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
901 uint32_t flags;
902
903#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
904 if (ssl->handshake->sni_key_cert != NULL) {
905 list = ssl->handshake->sni_key_cert;
906 } else
907#endif
908 list = ssl->conf->key_cert;
909
910 if (pk_alg == MBEDTLS_PK_NONE) {
911 return 0;
912 }
913
914 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite requires certificate"));
915
916 if (list == NULL) {
917 MBEDTLS_SSL_DEBUG_MSG(3, ("server has no certificate"));
918 return -1;
919 }
920
921 for (cur = list; cur != NULL; cur = cur->next) {
922 flags = 0;
923 MBEDTLS_SSL_DEBUG_CRT(3, "candidate certificate chain, certificate",
924 cur->cert);
925
926 if (!mbedtls_pk_can_do(&cur->cert->pk, pk_alg)) {
927 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
928 continue;
929 }
930
931 /*
932 * This avoids sending the client a cert it'll reject based on
933 * keyUsage or other extensions.
934 *
935 * It also allows the user to provision different certificates for
936 * different uses based on keyUsage, eg if they want to avoid signing
937 * and decrypting with the same RSA key.
938 */
939 if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
940 MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
941 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
942 "(extended) key usage extension"));
943 continue;
944 }
945
946#if defined(MBEDTLS_ECDSA_C)
947 if (pk_alg == MBEDTLS_PK_ECDSA &&
948 ssl_check_key_curve(&cur->cert->pk, ssl->handshake->curves) != 0) {
949 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: elliptic curve"));
950 continue;
951 }
952#endif
953
954 /*
955 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
956 * present them a SHA-higher cert rather than failing if it's the only
957 * one we got that satisfies the other conditions.
958 */
959 if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
960 cur->cert->sig_md != MBEDTLS_MD_SHA1) {
961 if (fallback == NULL) {
962 fallback = cur;
963 }
964 {
965 MBEDTLS_SSL_DEBUG_MSG(3, ("certificate not preferred: "
966 "sha-2 with pre-TLS 1.2 client"));
967 continue;
968 }
969 }
970
971 /* If we get there, we got a winner */
972 break;
973 }
974
975 if (cur == NULL) {
976 cur = fallback;
977 }
978
979 /* Do not update ssl->handshake->key_cert unless there is a match */
980 if (cur != NULL) {
981 ssl->handshake->key_cert = cur;
982 MBEDTLS_SSL_DEBUG_CRT(3, "selected certificate chain, certificate",
983 ssl->handshake->key_cert->cert);
984 return 0;
985 }
986
987 return -1;
988}
989#endif /* MBEDTLS_X509_CRT_PARSE_C */
990
991/*
992 * Check if a given ciphersuite is suitable for use with our config/keys/etc
993 * Sets ciphersuite_info only if the suite matches.
994 */
995MBEDTLS_CHECK_RETURN_CRITICAL
996static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
997 const mbedtls_ssl_ciphersuite_t **ciphersuite_info)
998{
999 const mbedtls_ssl_ciphersuite_t *suite_info;
1000
1001#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1002 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1003 mbedtls_pk_type_t sig_type;
1004#endif
1005
1006 suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
1007 if (suite_info == NULL) {
1008 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
1009 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1010 }
1011
1012 MBEDTLS_SSL_DEBUG_MSG(3, ("trying ciphersuite: %#04x (%s)",
1013 (unsigned int) suite_id, suite_info->name));
1014
1015 if (suite_info->min_minor_ver > ssl->minor_ver ||
1016 suite_info->max_minor_ver < ssl->minor_ver) {
1017 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: version"));
1018 return 0;
1019 }
1020
1021#if defined(MBEDTLS_SSL_PROTO_DTLS)
1022 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1023 (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS)) {
1024 return 0;
1025 }
1026#endif
1027
1028#if defined(MBEDTLS_ARC4_C)
1029 if (ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
1030 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128) {
1031 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: rc4"));
1032 return 0;
1033 }
1034#endif
1035
1036#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1037 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
1038 (ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK) == 0) {
1039 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: ecjpake "
1040 "not configured or ext missing"));
1041 return 0;
1042 }
1043#endif
1044
1045
1046#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1047 if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
1048 (ssl->handshake->curves == NULL ||
1049 ssl->handshake->curves[0] == NULL)) {
1050 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
1051 "no common elliptic curve"));
1052 return 0;
1053 }
1054#endif
1055
1056#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1057 /* If the ciphersuite requires a pre-shared key and we don't
1058 * have one, skip it now rather than failing later */
1059 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
1060 ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
1061 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no pre-shared key"));
1062 return 0;
1063 }
1064#endif
1065
1066#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1067 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1068 /* If the ciphersuite requires signing, check whether
1069 * a suitable hash algorithm is present. */
1070 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
1071 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
1072 if (sig_type != MBEDTLS_PK_NONE &&
1073 mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs,
1074 sig_type) == MBEDTLS_MD_NONE) {
1075 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
1076 "for signature algorithm %u", (unsigned) sig_type));
1077 return 0;
1078 }
1079 }
1080
1081#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1082 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1083
1084#if defined(MBEDTLS_X509_CRT_PARSE_C)
1085 /*
1086 * Final check: if ciphersuite requires us to have a
1087 * certificate/key of a particular type:
1088 * - select the appropriate certificate if we have one, or
1089 * - try the next ciphersuite if we don't
1090 * This must be done last since we modify the key_cert list.
1091 */
1092 if (ssl_pick_cert(ssl, suite_info) != 0) {
1093 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: "
1094 "no suitable certificate"));
1095 return 0;
1096 }
1097#endif
1098
1099 *ciphersuite_info = suite_info;
1100 return 0;
1101}
1102
1103#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1104MBEDTLS_CHECK_RETURN_CRITICAL
1105static int ssl_parse_client_hello_v2(mbedtls_ssl_context *ssl)
1106{
1107 int ret, got_common_suite;
1108 unsigned int i, j;
1109 size_t n;
1110 unsigned int ciph_len, sess_len, chal_len;
1111 unsigned char *buf, *p;
1112 const int *ciphersuites;
1113 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1114
1115 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello v2"));
1116
1117#if defined(MBEDTLS_SSL_RENEGOTIATION)
1118 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1119 MBEDTLS_SSL_DEBUG_MSG(1, ("client hello v2 illegal for renegotiation"));
1120 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1121 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1122 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1123 }
1124#endif /* MBEDTLS_SSL_RENEGOTIATION */
1125
1126 buf = ssl->in_hdr;
1127
1128 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, 5);
1129
1130 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, message type: %d",
1131 buf[2]));
1132 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, message len.: %d",
1133 ((buf[0] & 0x7F) << 8) | buf[1]));
1134 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v2, max. version: [%d:%d]",
1135 buf[3], buf[4]));
1136
1137 /*
1138 * SSLv2 Client Hello
1139 *
1140 * Record layer:
1141 * 0 . 1 message length
1142 *
1143 * SSL layer:
1144 * 2 . 2 message type
1145 * 3 . 4 protocol version
1146 */
1147 if (buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
1148 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3) {
1149 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1150 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1151 }
1152
1153 n = ((buf[0] << 8) | buf[1]) & 0x7FFF;
1154
1155 if (n < 17 || n > 512) {
1156 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1157 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1158 }
1159
1160 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
1161 ssl->minor_ver = (buf[4] <= ssl->conf->max_minor_ver)
1162 ? buf[4] : ssl->conf->max_minor_ver;
1163
1164 if (ssl->minor_ver < ssl->conf->min_minor_ver) {
1165 MBEDTLS_SSL_DEBUG_MSG(1, ("client only supports ssl smaller than minimum"
1166 " [%d:%d] < [%d:%d]",
1167 ssl->major_ver, ssl->minor_ver,
1168 ssl->conf->min_major_ver, ssl->conf->min_minor_ver));
1169
1170 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1171 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1172 return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION;
1173 }
1174
1175 ssl->handshake->max_major_ver = buf[3];
1176 ssl->handshake->max_minor_ver = buf[4];
1177
1178 if ((ret = mbedtls_ssl_fetch_input(ssl, 2 + n)) != 0) {
1179 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1180 return ret;
1181 }
1182
1183 ssl->handshake->update_checksum(ssl, buf + 2, n);
1184
1185 buf = ssl->in_msg;
1186 n = ssl->in_left - 5;
1187
1188 /*
1189 * 0 . 1 ciphersuitelist length
1190 * 2 . 3 session id length
1191 * 4 . 5 challenge length
1192 * 6 . .. ciphersuitelist
1193 * .. . .. session id
1194 * .. . .. challenge
1195 */
1196 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, n);
1197
1198 ciph_len = (buf[0] << 8) | buf[1];
1199 sess_len = (buf[2] << 8) | buf[3];
1200 chal_len = (buf[4] << 8) | buf[5];
1201
1202 MBEDTLS_SSL_DEBUG_MSG(3, ("ciph_len: %u, sess_len: %u, chal_len: %u",
1203 ciph_len, sess_len, chal_len));
1204
1205 /*
1206 * Make sure each parameter length is valid
1207 */
1208 if (ciph_len < 3 || (ciph_len % 3) != 0) {
1209 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1210 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1211 }
1212
1213 if (sess_len > 32) {
1214 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1215 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1216 }
1217
1218 if (chal_len < 8 || chal_len > 32) {
1219 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1220 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1221 }
1222
1223 if (n != 6 + ciph_len + sess_len + chal_len) {
1224 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1225 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1226 }
1227
1228 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1229 buf + 6, ciph_len);
1230 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id",
1231 buf + 6 + ciph_len, sess_len);
1232 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, challenge",
1233 buf + 6 + ciph_len + sess_len, chal_len);
1234
1235 p = buf + 6 + ciph_len;
1236 ssl->session_negotiate->id_len = sess_len;
1237 memset(ssl->session_negotiate->id, 0,
1238 sizeof(ssl->session_negotiate->id));
1239 memcpy(ssl->session_negotiate->id, p, ssl->session_negotiate->id_len);
1240
1241 p += sess_len;
1242 memset(ssl->handshake->randbytes, 0, 64);
1243 memcpy(ssl->handshake->randbytes + 32 - chal_len, p, chal_len);
1244
1245 /*
1246 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1247 */
1248 for (i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3) {
1249 if (p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
1250 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
1251#if defined(MBEDTLS_SSL_RENEGOTIATION)
1252 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1253 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
1254 "during renegotiation"));
1255
1256 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1257 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1258 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1259 }
1260#endif /* MBEDTLS_SSL_RENEGOTIATION */
1261 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1262 break;
1263 }
1264 }
1265
1266#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1267 for (i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3) {
1268 if (p[0] == 0 &&
1269 MBEDTLS_GET_UINT16_BE(p, 1) != MBEDTLS_SSL_FALLBACK_SCSV_VALUE) {
1270 MBEDTLS_SSL_DEBUG_MSG(3, ("received FALLBACK_SCSV"));
1271
1272 if (ssl->minor_ver < ssl->conf->max_minor_ver) {
1273 MBEDTLS_SSL_DEBUG_MSG(1, ("inapropriate fallback"));
1274
1275 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1276 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK);
1277
1278 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1279 }
1280
1281 break;
1282 }
1283 }
1284#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1285
1286 got_common_suite = 0;
1287 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1288 ciphersuite_info = NULL;
1289#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1290 for (j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3) {
1291 for (i = 0; ciphersuites[i] != 0; i++) {
1292 if (p[0] != 0 ||
1293 MBEDTLS_GET_UINT16_BE(p, 1) != ciphersuites[i]) {
1294 continue;
1295 }
1296
1297 got_common_suite = 1;
1298
1299 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1300 &ciphersuite_info)) != 0) {
1301 return ret;
1302 }
1303
1304 if (ciphersuite_info != NULL) {
1305 goto have_ciphersuite_v2;
1306 }
1307 }
1308 }
1309#else
1310 for (i = 0; ciphersuites[i] != 0; i++) {
1311 for (j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3) {
1312 if (p[0] != 0 ||
1313 MBEDTLS_GET_UINT16_BE(p, 1) != ciphersuites[i]) {
1314 continue;
1315 }
1316
1317 got_common_suite = 1;
1318
1319 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
1320 &ciphersuite_info)) != 0) {
1321 return ret;
1322 }
1323
1324 if (ciphersuite_info != NULL) {
1325 goto have_ciphersuite_v2;
1326 }
1327 }
1328 }
1329#endif
1330
1331 if (got_common_suite) {
1332 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
1333 "but none of them usable"));
1334 return MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE;
1335 } else {
1336 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
1337 return MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN;
1338 }
1339
1340have_ciphersuite_v2:
1341 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
1342
1343 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1344 ssl->handshake->ciphersuite_info = ciphersuite_info;
1345
1346 /*
1347 * SSLv2 Client Hello relevant renegotiation security checks
1348 */
1349 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1350 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
1351 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
1352 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1353 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1354 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1355 }
1356
1357 ssl->in_left = 0;
1358 ssl->state++;
1359
1360 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello v2"));
1361
1362 return 0;
1363}
1364#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1365
1366/* This function doesn't alert on errors that happen early during
1367 ClientHello parsing because they might indicate that the client is
1368 not talking SSL/TLS at all and would not understand our alert. */
1369MBEDTLS_CHECK_RETURN_CRITICAL
1370static int ssl_parse_client_hello(mbedtls_ssl_context *ssl)
1371{
1372 int ret, got_common_suite;
1373 size_t i, j;
1374 size_t ciph_offset, comp_offset, ext_offset;
1375 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
1376#if defined(MBEDTLS_SSL_PROTO_DTLS)
1377 size_t cookie_offset, cookie_len;
1378#endif
1379 unsigned char *buf, *p, *ext;
1380#if defined(MBEDTLS_SSL_RENEGOTIATION)
1381 int renegotiation_info_seen = 0;
1382#endif
1383 int handshake_failure = 0;
1384 const int *ciphersuites;
1385 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1386 int major, minor;
1387
1388 /* If there is no signature-algorithm extension present,
1389 * we need to fall back to the default values for allowed
1390 * signature-hash pairs. */
1391#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1392 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1393 int sig_hash_alg_ext_present = 0;
1394#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1395 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1396
1397 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
1398
1399 int renegotiating = 0;
1400#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1401read_record_header:
1402#endif
1403 /*
1404 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1405 * otherwise read it ourselves manually in order to support SSLv2
1406 * ClientHello, which doesn't use the same record layer format.
1407 */
1408#if defined(MBEDTLS_SSL_RENEGOTIATION)
1409 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1410 renegotiating = 1;
1411 }
1412#endif
1413 if (!renegotiating) {
1414 if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
1415 /* No alert on a read error. */
1416 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1417 return ret;
1418 }
1419 }
1420
1421 buf = ssl->in_hdr;
1422
1423#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1424 int is_dtls = 0;
1425#if defined(MBEDTLS_SSL_PROTO_DTLS)
1426 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1427 is_dtls = 1;
1428 }
1429#endif
1430 if (!is_dtls) {
1431 if ((buf[0] & 0x80) != 0) {
1432 return ssl_parse_client_hello_v2(ssl);
1433 }
1434 }
1435#endif
1436
1437 MBEDTLS_SSL_DEBUG_BUF(4, "record header", buf, mbedtls_ssl_in_hdr_len(ssl));
1438
1439 /*
1440 * SSLv3/TLS Client Hello
1441 *
1442 * Record layer:
1443 * 0 . 0 message type
1444 * 1 . 2 protocol version
1445 * 3 . 11 DTLS: epoch + record sequence number
1446 * 3 . 4 message length
1447 */
1448 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, message type: %d",
1449 buf[0]));
1450
1451 if (buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE) {
1452 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1453 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1454 }
1455
1456 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, message len.: %d",
1457 (ssl->in_len[0] << 8) | ssl->in_len[1]));
1458
1459 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, protocol version: [%d:%d]",
1460 buf[1], buf[2]));
1461
1462 mbedtls_ssl_read_version(&major, &minor, ssl->conf->transport, buf + 1);
1463
1464 /* According to RFC 5246 Appendix E.1, the version here is typically
1465 * "{03,00}, the lowest version number supported by the client, [or] the
1466 * value of ClientHello.client_version", so the only meaningful check here
1467 * is the major version shouldn't be less than 3 */
1468 if (major < MBEDTLS_SSL_MAJOR_VERSION_3) {
1469 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1470 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1471 }
1472
1473 /* For DTLS if this is the initial handshake, remember the client sequence
1474 * number to use it in our next message (RFC 6347 4.2.1) */
1475#if defined(MBEDTLS_SSL_PROTO_DTLS)
1476 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
1477#if defined(MBEDTLS_SSL_RENEGOTIATION)
1478 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1479#endif
1480 ) {
1481 /* Epoch should be 0 for initial handshakes */
1482 if (ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0) {
1483 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1484 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1485 }
1486
1487 memcpy(ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6);
1488
1489#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1490 if (mbedtls_ssl_dtls_replay_check(ssl) != 0) {
1491 MBEDTLS_SSL_DEBUG_MSG(1, ("replayed record, discarding"));
1492 ssl->next_record_offset = 0;
1493 ssl->in_left = 0;
1494 goto read_record_header;
1495 }
1496
1497 /* No MAC to check yet, so we can update right now */
1498 mbedtls_ssl_dtls_replay_update(ssl);
1499#endif
1500 }
1501#endif /* MBEDTLS_SSL_PROTO_DTLS */
1502
1503 msg_len = (ssl->in_len[0] << 8) | ssl->in_len[1];
1504
1505#if defined(MBEDTLS_SSL_RENEGOTIATION)
1506 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1507 /* Set by mbedtls_ssl_read_record() */
1508 msg_len = ssl->in_hslen;
1509 } else
1510#endif
1511 {
1512 if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
1513 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1514 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1515 }
1516
1517 if ((ret = mbedtls_ssl_fetch_input(ssl,
1518 mbedtls_ssl_in_hdr_len(ssl) + msg_len)) != 0) {
1519 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
1520 return ret;
1521 }
1522
1523 /* Done reading this record, get ready for the next one */
1524#if defined(MBEDTLS_SSL_PROTO_DTLS)
1525 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1526 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len(ssl);
1527 } else
1528#endif
1529 ssl->in_left = 0;
1530 }
1531
1532 buf = ssl->in_msg;
1533
1534 MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
1535
1536 ssl->handshake->update_checksum(ssl, buf, msg_len);
1537
1538 /*
1539 * Handshake layer:
1540 * 0 . 0 handshake type
1541 * 1 . 3 handshake length
1542 * 4 . 5 DTLS only: message sequence number
1543 * 6 . 8 DTLS only: fragment offset
1544 * 9 . 11 DTLS only: fragment length
1545 */
1546 if (msg_len < mbedtls_ssl_hs_hdr_len(ssl)) {
1547 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1548 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1549 }
1550
1551 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake type: %d", buf[0]));
1552
1553 if (buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO) {
1554 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1555 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1556 }
1557
1558 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %d",
1559 (buf[1] << 16) | (buf[2] << 8) | buf[3]));
1560
1561 if (buf[1] != 0) {
1562 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
1563 (unsigned) buf[1]));
1564 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1565 }
1566 /* We don't support fragmentation of ClientHello (yet?) */
1567 if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + ((buf[2] << 8) | buf[3])) {
1568 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
1569 (unsigned) msg_len,
1570 (unsigned) mbedtls_ssl_hs_hdr_len(ssl),
1571 (unsigned) (buf[2] << 8) | buf[3]));
1572 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1573 }
1574
1575#if defined(MBEDTLS_SSL_PROTO_DTLS)
1576 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1577 /*
1578 * Copy the client's handshake message_seq on initial handshakes,
1579 * check sequence number on renego.
1580 */
1581#if defined(MBEDTLS_SSL_RENEGOTIATION)
1582 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1583 /* This couldn't be done in ssl_prepare_handshake_record() */
1584 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
1585 ssl->in_msg[5];
1586
1587 if (cli_msg_seq != ssl->handshake->in_msg_seq) {
1588 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
1589 "%u (expected %u)", cli_msg_seq,
1590 ssl->handshake->in_msg_seq));
1591 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1592 }
1593
1594 ssl->handshake->in_msg_seq++;
1595 } else
1596#endif
1597 {
1598 unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
1599 ssl->in_msg[5];
1600 ssl->handshake->out_msg_seq = cli_msg_seq;
1601 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1602 }
1603
1604 /*
1605 * For now we don't support fragmentation, so make sure
1606 * fragment_offset == 0 and fragment_length == length
1607 */
1608 MBEDTLS_SSL_DEBUG_MSG(
1609 4, ("fragment_offset=%u fragment_length=%u length=%u",
1610 (unsigned) (ssl->in_msg[6] << 16 | ssl->in_msg[7] << 8 | ssl->in_msg[8]),
1611 (unsigned) (ssl->in_msg[9] << 16 | ssl->in_msg[10] << 8 | ssl->in_msg[11]),
1612 (unsigned) (ssl->in_msg[1] << 16 | ssl->in_msg[2] << 8 | ssl->in_msg[3])));
1613 if (ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
1614 memcmp(ssl->in_msg + 1, ssl->in_msg + 9, 3) != 0) {
1615 MBEDTLS_SSL_DEBUG_MSG(1, ("ClientHello fragmentation not supported"));
1616 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1617 }
1618 }
1619#endif /* MBEDTLS_SSL_PROTO_DTLS */
1620
1621 buf += mbedtls_ssl_hs_hdr_len(ssl);
1622 msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
1623
1624 /*
1625 * ClientHello layer:
1626 * 0 . 1 protocol version
1627 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1628 * 34 . 35 session id length (1 byte)
1629 * 35 . 34+x session id
1630 * 35+x . 35+x DTLS only: cookie length (1 byte)
1631 * 36+x . .. DTLS only: cookie
1632 * .. . .. ciphersuite list length (2 bytes)
1633 * .. . .. ciphersuite list
1634 * .. . .. compression alg. list length (1 byte)
1635 * .. . .. compression alg. list
1636 * .. . .. extensions length (2 bytes, optional)
1637 * .. . .. extensions (optional)
1638 */
1639
1640 /*
1641 * Minimal length (with everything empty and extensions omitted) is
1642 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1643 * read at least up to session id length without worrying.
1644 */
1645 if (msg_len < 38) {
1646 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1647 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1648 }
1649
1650 /*
1651 * Check and save the protocol version
1652 */
1653 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, version", buf, 2);
1654
1655 mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver,
1656 ssl->conf->transport, buf);
1657
1658 ssl->handshake->max_major_ver = ssl->major_ver;
1659 ssl->handshake->max_minor_ver = ssl->minor_ver;
1660
1661 if (ssl->major_ver < ssl->conf->min_major_ver ||
1662 ssl->minor_ver < ssl->conf->min_minor_ver) {
1663 MBEDTLS_SSL_DEBUG_MSG(1, ("client only supports ssl smaller than minimum"
1664 " [%d:%d] < [%d:%d]",
1665 ssl->major_ver, ssl->minor_ver,
1666 ssl->conf->min_major_ver, ssl->conf->min_minor_ver));
1667 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1668 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1669 return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION;
1670 }
1671
1672 if (ssl->major_ver > ssl->conf->max_major_ver) {
1673 ssl->major_ver = ssl->conf->max_major_ver;
1674 ssl->minor_ver = ssl->conf->max_minor_ver;
1675 } else if (ssl->minor_ver > ssl->conf->max_minor_ver) {
1676 ssl->minor_ver = ssl->conf->max_minor_ver;
1677 }
1678
1679 /*
1680 * Save client random (inc. Unix time)
1681 */
1682 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", buf + 2, 32);
1683
1684 memcpy(ssl->handshake->randbytes, buf + 2, 32);
1685
1686 /*
1687 * Check the session ID length and save session ID
1688 */
1689 sess_len = buf[34];
1690
1691 if (sess_len > sizeof(ssl->session_negotiate->id) ||
1692 sess_len + 34 + 2 > msg_len) { /* 2 for cipherlist length field */
1693 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1694 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1695 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1696 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1697 }
1698
1699 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 35, sess_len);
1700
1701 ssl->session_negotiate->id_len = sess_len;
1702 memset(ssl->session_negotiate->id, 0,
1703 sizeof(ssl->session_negotiate->id));
1704 memcpy(ssl->session_negotiate->id, buf + 35,
1705 ssl->session_negotiate->id_len);
1706
1707 /*
1708 * Check the cookie length and content
1709 */
1710#if defined(MBEDTLS_SSL_PROTO_DTLS)
1711 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1712 cookie_offset = 35 + sess_len;
1713 cookie_len = buf[cookie_offset];
1714
1715 if (cookie_offset + 1 + cookie_len + 2 > msg_len) {
1716 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1717 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1718 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1719 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1720 }
1721
1722 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1723 buf + cookie_offset + 1, cookie_len);
1724
1725#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1726 if (ssl->conf->f_cookie_check != NULL
1727#if defined(MBEDTLS_SSL_RENEGOTIATION)
1728 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1729#endif
1730 ) {
1731 if (ssl->conf->f_cookie_check(ssl->conf->p_cookie,
1732 buf + cookie_offset + 1, cookie_len,
1733 ssl->cli_id, ssl->cli_id_len) != 0) {
1734 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification failed"));
1735 ssl->handshake->verify_cookie_len = 1;
1736 } else {
1737 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification passed"));
1738 ssl->handshake->verify_cookie_len = 0;
1739 }
1740 } else
1741#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1742 {
1743 /* We know we didn't send a cookie, so it should be empty */
1744 if (cookie_len != 0) {
1745 /* This may be an attacker's probe, so don't send an alert */
1746 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1747 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1748 }
1749
1750 MBEDTLS_SSL_DEBUG_MSG(2, ("cookie verification skipped"));
1751 }
1752
1753 /*
1754 * Check the ciphersuitelist length (will be parsed later)
1755 */
1756 ciph_offset = cookie_offset + 1 + cookie_len;
1757 } else
1758#endif /* MBEDTLS_SSL_PROTO_DTLS */
1759 ciph_offset = 35 + sess_len;
1760
1761 ciph_len = (buf[ciph_offset + 0] << 8)
1762 | (buf[ciph_offset + 1]);
1763
1764 if (ciph_len < 2 ||
1765 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1766 (ciph_len % 2) != 0) {
1767 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1768 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1769 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1770 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1771 }
1772
1773 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
1774 buf + ciph_offset + 2, ciph_len);
1775
1776 /*
1777 * Check the compression algorithms length and pick one
1778 */
1779 comp_offset = ciph_offset + 2 + ciph_len;
1780
1781 comp_len = buf[comp_offset];
1782
1783 if (comp_len < 1 ||
1784 comp_len > 16 ||
1785 comp_len + comp_offset + 1 > msg_len) {
1786 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1787 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1788 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1789 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1790 }
1791
1792 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, compression",
1793 buf + comp_offset + 1, comp_len);
1794
1795 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1796#if defined(MBEDTLS_ZLIB_SUPPORT)
1797 for (i = 0; i < comp_len; ++i) {
1798 if (buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE) {
1799 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
1800 break;
1801 }
1802 }
1803#endif
1804
1805 /* See comments in ssl_write_client_hello() */
1806#if defined(MBEDTLS_SSL_PROTO_DTLS)
1807 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1808 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1809 }
1810#endif
1811
1812 /* Do not parse the extensions if the protocol is SSLv3 */
1813#if defined(MBEDTLS_SSL_PROTO_SSL3)
1814 if ((ssl->major_ver != 3) || (ssl->minor_ver != 0)) {
1815#endif
1816 /*
1817 * Check the extension length
1818 */
1819 ext_offset = comp_offset + 1 + comp_len;
1820 if (msg_len > ext_offset) {
1821 if (msg_len < ext_offset + 2) {
1822 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1823 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1824 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1825 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1826 }
1827
1828 ext_len = (buf[ext_offset + 0] << 8)
1829 | (buf[ext_offset + 1]);
1830
1831 if (msg_len != ext_offset + 2 + ext_len) {
1832 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1833 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1834 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1835 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1836 }
1837 } else {
1838 ext_len = 0;
1839 }
1840
1841 ext = buf + ext_offset + 2;
1842 MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", ext, ext_len);
1843
1844 while (ext_len != 0) {
1845 unsigned int ext_id;
1846 unsigned int ext_size;
1847 if (ext_len < 4) {
1848 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1849 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1850 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1851 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1852 }
1853 ext_id = ((ext[0] << 8) | (ext[1]));
1854 ext_size = ((ext[2] << 8) | (ext[3]));
1855
1856 if (ext_size + 4 > ext_len) {
1857 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
1858 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1859 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1860 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
1861 }
1862 switch (ext_id) {
1863#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1864 case MBEDTLS_TLS_EXT_SERVERNAME:
1865 MBEDTLS_SSL_DEBUG_MSG(3, ("found ServerName extension"));
1866 if (ssl->conf->f_sni == NULL) {
1867 break;
1868 }
1869
1870 ret = ssl_parse_servername_ext(ssl, ext + 4, ext_size);
1871 if (ret != 0) {
1872 return ret;
1873 }
1874 break;
1875#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1876
1877 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1878 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
1879#if defined(MBEDTLS_SSL_RENEGOTIATION)
1880 renegotiation_info_seen = 1;
1881#endif
1882
1883 ret = ssl_parse_renegotiation_info(ssl, ext + 4, ext_size);
1884 if (ret != 0) {
1885 return ret;
1886 }
1887 break;
1888
1889#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1890 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1891 case MBEDTLS_TLS_EXT_SIG_ALG:
1892 MBEDTLS_SSL_DEBUG_MSG(3, ("found signature_algorithms extension"));
1893
1894 ret = ssl_parse_signature_algorithms_ext(ssl, ext + 4, ext_size);
1895 if (ret != 0) {
1896 return ret;
1897 }
1898
1899 sig_hash_alg_ext_present = 1;
1900 break;
1901#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1902 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1903
1904#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1905 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1906 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1907 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
1908
1909 ret = ssl_parse_supported_elliptic_curves(ssl, ext + 4, ext_size);
1910 if (ret != 0) {
1911 return ret;
1912 }
1913 break;
1914
1915 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1916 MBEDTLS_SSL_DEBUG_MSG(3, ("found supported point formats extension"));
1917 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1918
1919 ret = ssl_parse_supported_point_formats(ssl, ext + 4, ext_size);
1920 if (ret != 0) {
1921 return ret;
1922 }
1923 break;
1924#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1925 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1926
1927#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1928 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1929 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake kkpp extension"));
1930
1931 ret = ssl_parse_ecjpake_kkpp(ssl, ext + 4, ext_size);
1932 if (ret != 0) {
1933 return ret;
1934 }
1935 break;
1936#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1937
1938#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1939 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1940 MBEDTLS_SSL_DEBUG_MSG(3, ("found max fragment length extension"));
1941
1942 ret = ssl_parse_max_fragment_length_ext(ssl, ext + 4, ext_size);
1943 if (ret != 0) {
1944 return ret;
1945 }
1946 break;
1947#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1948
1949#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1950 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1951 MBEDTLS_SSL_DEBUG_MSG(3, ("found truncated hmac extension"));
1952
1953 ret = ssl_parse_truncated_hmac_ext(ssl, ext + 4, ext_size);
1954 if (ret != 0) {
1955 return ret;
1956 }
1957 break;
1958#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1959
1960#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1961 case MBEDTLS_TLS_EXT_CID:
1962 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
1963
1964 ret = ssl_parse_cid_ext(ssl, ext + 4, ext_size);
1965 if (ret != 0) {
1966 return ret;
1967 }
1968 break;
1969#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1970
1971#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1972 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1973 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt then mac extension"));
1974
1975 ret = ssl_parse_encrypt_then_mac_ext(ssl, ext + 4, ext_size);
1976 if (ret != 0) {
1977 return ret;
1978 }
1979 break;
1980#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1981
1982#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1983 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1984 MBEDTLS_SSL_DEBUG_MSG(3, ("found extended master secret extension"));
1985
1986 ret = ssl_parse_extended_ms_ext(ssl, ext + 4, ext_size);
1987 if (ret != 0) {
1988 return ret;
1989 }
1990 break;
1991#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1992
1993#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1994 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1995 MBEDTLS_SSL_DEBUG_MSG(3, ("found session ticket extension"));
1996
1997 ret = ssl_parse_session_ticket_ext(ssl, ext + 4, ext_size);
1998 if (ret != 0) {
1999 return ret;
2000 }
2001 break;
2002#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2003
2004#if defined(MBEDTLS_SSL_ALPN)
2005 case MBEDTLS_TLS_EXT_ALPN:
2006 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
2007
2008 ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size);
2009 if (ret != 0) {
2010 return ret;
2011 }
2012 break;
2013#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2014
2015#if defined(MBEDTLS_SSL_DTLS_SRTP)
2016 case MBEDTLS_TLS_EXT_USE_SRTP:
2017 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
2018
2019 ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size);
2020 if (ret != 0) {
2021 return ret;
2022 }
2023 break;
2024#endif /* MBEDTLS_SSL_DTLS_SRTP */
2025
2026 default:
2027 MBEDTLS_SSL_DEBUG_MSG(3, ("unknown extension found: %u (ignoring)",
2028 ext_id));
2029 }
2030
2031 ext_len -= 4 + ext_size;
2032 ext += 4 + ext_size;
2033 }
2034#if defined(MBEDTLS_SSL_PROTO_SSL3)
2035}
2036#endif
2037
2038#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
2039 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
2040 if (MBEDTLS_GET_UINT16_BE(p, 0) == MBEDTLS_SSL_FALLBACK_SCSV_VALUE) {
2041 MBEDTLS_SSL_DEBUG_MSG(2, ("received FALLBACK_SCSV"));
2042
2043 if (ssl->minor_ver < ssl->conf->max_minor_ver) {
2044 MBEDTLS_SSL_DEBUG_MSG(1, ("inapropriate fallback"));
2045
2046 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2047 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK);
2048
2049 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
2050 }
2051
2052 break;
2053 }
2054 }
2055#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
2056
2057#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2058 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2059
2060 /*
2061 * Try to fall back to default hash SHA1 if the client
2062 * hasn't provided any preferred signature-hash combinations.
2063 */
2064 if (sig_hash_alg_ext_present == 0) {
2065 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
2066
2067 if (mbedtls_ssl_check_sig_hash(ssl, md_default) != 0) {
2068 md_default = MBEDTLS_MD_NONE;
2069 }
2070
2071 mbedtls_ssl_sig_hash_set_const_hash(&ssl->handshake->hash_algs, md_default);
2072 }
2073
2074#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
2075 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
2076
2077 /*
2078 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
2079 */
2080 for (i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2) {
2081 if (p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO) {
2082 MBEDTLS_SSL_DEBUG_MSG(3, ("received TLS_EMPTY_RENEGOTIATION_INFO "));
2083#if defined(MBEDTLS_SSL_RENEGOTIATION)
2084 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
2085 MBEDTLS_SSL_DEBUG_MSG(1, ("received RENEGOTIATION SCSV "
2086 "during renegotiation"));
2087 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2088 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2089 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
2090 }
2091#endif
2092 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
2093 break;
2094 }
2095 }
2096
2097 /*
2098 * Renegotiation security checks
2099 */
2100 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2101 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
2102 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation, breaking off handshake"));
2103 handshake_failure = 1;
2104 }
2105#if defined(MBEDTLS_SSL_RENEGOTIATION)
2106 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2107 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2108 renegotiation_info_seen == 0) {
2109 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension missing (secure)"));
2110 handshake_failure = 1;
2111 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2112 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2113 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
2114 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
2115 handshake_failure = 1;
2116 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2117 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2118 renegotiation_info_seen == 1) {
2119 MBEDTLS_SSL_DEBUG_MSG(1, ("renegotiation_info extension present (legacy)"));
2120 handshake_failure = 1;
2121 }
2122#endif /* MBEDTLS_SSL_RENEGOTIATION */
2123
2124 if (handshake_failure == 1) {
2125 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2126 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2127 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO;
2128 }
2129
2130 /*
2131 * Search for a matching ciphersuite
2132 * (At the end because we need information from the EC-based extensions
2133 * and certificate from the SNI callback triggered by the SNI extension.)
2134 */
2135 got_common_suite = 0;
2136 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
2137 ciphersuite_info = NULL;
2138#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
2139 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
2140 for (i = 0; ciphersuites[i] != 0; i++) {
2141 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
2142 continue;
2143 }
2144
2145 got_common_suite = 1;
2146
2147 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
2148 &ciphersuite_info)) != 0) {
2149 return ret;
2150 }
2151
2152 if (ciphersuite_info != NULL) {
2153 goto have_ciphersuite;
2154 }
2155 }
2156 }
2157#else
2158 for (i = 0; ciphersuites[i] != 0; i++) {
2159 for (j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2) {
2160 if (MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i]) {
2161 continue;
2162 }
2163
2164 got_common_suite = 1;
2165
2166 if ((ret = ssl_ciphersuite_match(ssl, ciphersuites[i],
2167 &ciphersuite_info)) != 0) {
2168 return ret;
2169 }
2170
2171 if (ciphersuite_info != NULL) {
2172 goto have_ciphersuite;
2173 }
2174 }
2175 }
2176#endif
2177
2178 if (got_common_suite) {
2179 MBEDTLS_SSL_DEBUG_MSG(1, ("got ciphersuites in common, "
2180 "but none of them usable"));
2181 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2182 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2183 return MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE;
2184 } else {
2185 MBEDTLS_SSL_DEBUG_MSG(1, ("got no ciphersuites in common"));
2186 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2187 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2188 return MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN;
2189 }
2190
2191have_ciphersuite:
2192 MBEDTLS_SSL_DEBUG_MSG(2, ("selected ciphersuite: %s", ciphersuite_info->name));
2193
2194 ssl->session_negotiate->ciphersuite = ciphersuites[i];
2195 ssl->handshake->ciphersuite_info = ciphersuite_info;
2196
2197 ssl->state++;
2198
2199#if defined(MBEDTLS_SSL_PROTO_DTLS)
2200 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2201 mbedtls_ssl_recv_flight_completed(ssl);
2202 }
2203#endif
2204
2205 /* Debugging-only output for testsuite */
2206#if defined(MBEDTLS_DEBUG_C) && \
2207 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2208 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2209 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
2210 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
2211 if (sig_alg != MBEDTLS_PK_NONE) {
2212 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs,
2213 sig_alg);
2214 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %d",
2215 mbedtls_ssl_hash_from_md_alg(md_alg)));
2216 } else {
2217 MBEDTLS_SSL_DEBUG_MSG(3, ("no hash algorithm for signature algorithm "
2218 "%u - should not happen", (unsigned) sig_alg));
2219 }
2220 }
2221#endif
2222
2223 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client hello"));
2224
2225 return 0;
2226}
2227
2228#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2229static void ssl_write_truncated_hmac_ext(mbedtls_ssl_context *ssl,
2230 unsigned char *buf,
2231 size_t *olen)
2232{
2233 unsigned char *p = buf;
2234
2235 if (ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED) {
2236 *olen = 0;
2237 return;
2238 }
2239
2240 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding truncated hmac extension"));
2241
2242 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_TRUNCATED_HMAC, p, 0);
2243 p += 2;
2244
2245 *p++ = 0x00;
2246 *p++ = 0x00;
2247
2248 *olen = 4;
2249}
2250#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2251
2252#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2253static void ssl_write_cid_ext(mbedtls_ssl_context *ssl,
2254 unsigned char *buf,
2255 size_t *olen)
2256{
2257 unsigned char *p = buf;
2258 size_t ext_len;
2259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2260
2261 *olen = 0;
2262
2263 /* Skip writing the extension if we don't want to use it or if
2264 * the client hasn't offered it. */
2265 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED) {
2266 return;
2267 }
2268
2269 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
2270 * which is at most 255, so the increment cannot overflow. */
2271 if (end < p || (size_t) (end - p) < (unsigned) (ssl->own_cid_len + 5)) {
2272 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2273 return;
2274 }
2275
2276 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding CID extension"));
2277
2278 /*
2279 * Quoting draft-ietf-tls-dtls-connection-id-05
2280 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
2281 *
2282 * struct {
2283 * opaque cid<0..2^8-1>;
2284 * } ConnectionId;
2285 */
2286 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
2287 p += 2;
2288 ext_len = (size_t) ssl->own_cid_len + 1;
2289 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
2290 p += 2;
2291
2292 *p++ = (uint8_t) ssl->own_cid_len;
2293 memcpy(p, ssl->own_cid, ssl->own_cid_len);
2294
2295 *olen = ssl->own_cid_len + 5;
2296}
2297#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2298
2299#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2300static void ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
2301 unsigned char *buf,
2302 size_t *olen)
2303{
2304 unsigned char *p = buf;
2305 const mbedtls_ssl_ciphersuite_t *suite = NULL;
2306 const mbedtls_cipher_info_t *cipher = NULL;
2307
2308 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
2309 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
2310 }
2311
2312 /*
2313 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
2314 * from a client and then selects a stream or Authenticated Encryption
2315 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
2316 * encrypt-then-MAC response extension back to the client."
2317 */
2318 if ((suite = mbedtls_ssl_ciphersuite_from_id(
2319 ssl->session_negotiate->ciphersuite)) == NULL ||
2320 (cipher = mbedtls_cipher_info_from_type(suite->cipher)) == NULL ||
2321 cipher->mode != MBEDTLS_MODE_CBC) {
2322 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
2323 }
2324
2325 if (ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
2326 *olen = 0;
2327 return;
2328 }
2329
2330 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding encrypt then mac extension"));
2331
2332 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
2333 p += 2;
2334
2335 *p++ = 0x00;
2336 *p++ = 0x00;
2337
2338 *olen = 4;
2339}
2340#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2341
2342#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2343static void ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
2344 unsigned char *buf,
2345 size_t *olen)
2346{
2347 unsigned char *p = buf;
2348
2349 if (ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
2350 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
2351 *olen = 0;
2352 return;
2353 }
2354
2355 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding extended master secret "
2356 "extension"));
2357
2358 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
2359 p += 2;
2360
2361 *p++ = 0x00;
2362 *p++ = 0x00;
2363
2364 *olen = 4;
2365}
2366#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2367
2368#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2369static void ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
2370 unsigned char *buf,
2371 size_t *olen)
2372{
2373 unsigned char *p = buf;
2374
2375 if (ssl->handshake->new_session_ticket == 0) {
2376 *olen = 0;
2377 return;
2378 }
2379
2380 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding session ticket extension"));
2381
2382 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
2383 p += 2;
2384
2385 *p++ = 0x00;
2386 *p++ = 0x00;
2387
2388 *olen = 4;
2389}
2390#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2391
2392static void ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
2393 unsigned char *buf,
2394 size_t *olen)
2395{
2396 unsigned char *p = buf;
2397
2398 if (ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION) {
2399 *olen = 0;
2400 return;
2401 }
2402
2403 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, secure renegotiation extension"));
2404
2405 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
2406 p += 2;
2407
2408#if defined(MBEDTLS_SSL_RENEGOTIATION)
2409 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
2410 *p++ = 0x00;
2411 *p++ = (ssl->verify_data_len * 2 + 1) & 0xFF;
2412 *p++ = ssl->verify_data_len * 2 & 0xFF;
2413
2414 memcpy(p, ssl->peer_verify_data, ssl->verify_data_len);
2415 p += ssl->verify_data_len;
2416 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
2417 p += ssl->verify_data_len;
2418 } else
2419#endif /* MBEDTLS_SSL_RENEGOTIATION */
2420 {
2421 *p++ = 0x00;
2422 *p++ = 0x01;
2423 *p++ = 0x00;
2424 }
2425
2426 *olen = p - buf;
2427}
2428
2429#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2430static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
2431 unsigned char *buf,
2432 size_t *olen)
2433{
2434 unsigned char *p = buf;
2435
2436 if (ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
2437 *olen = 0;
2438 return;
2439 }
2440
2441 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, max_fragment_length extension"));
2442
2443 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
2444 p += 2;
2445
2446 *p++ = 0x00;
2447 *p++ = 1;
2448
2449 *p++ = ssl->session_negotiate->mfl_code;
2450
2451 *olen = 5;
2452}
2453#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2454
2455#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2456 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2457static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
2458 unsigned char *buf,
2459 size_t *olen)
2460{
2461 unsigned char *p = buf;
2462 ((void) ssl);
2463
2464 if ((ssl->handshake->cli_exts &
2465 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT) == 0) {
2466 *olen = 0;
2467 return;
2468 }
2469
2470 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, supported_point_formats extension"));
2471
2472 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
2473 p += 2;
2474
2475 *p++ = 0x00;
2476 *p++ = 2;
2477
2478 *p++ = 1;
2479 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
2480
2481 *olen = 6;
2482}
2483#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2484
2485#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2486static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
2487 unsigned char *buf,
2488 size_t *olen)
2489{
2490 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2491 unsigned char *p = buf;
2492 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2493 size_t kkpp_len;
2494
2495 *olen = 0;
2496
2497 /* Skip costly computation if not needed */
2498 if (ssl->handshake->ciphersuite_info->key_exchange !=
2499 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
2500 return;
2501 }
2502
2503 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, ecjpake kkpp extension"));
2504
2505 if (end - p < 4) {
2506 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2507 return;
2508 }
2509
2510 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
2511 p += 2;
2512
2513 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
2514 p + 2, end - p - 2, &kkpp_len,
2515 ssl->conf->f_rng, ssl->conf->p_rng);
2516 if (ret != 0) {
2517 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
2518 return;
2519 }
2520
2521 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
2522 p += 2;
2523
2524 *olen = kkpp_len + 4;
2525}
2526#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2527
2528#if defined(MBEDTLS_SSL_ALPN)
2529static void ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
2530 unsigned char *buf, size_t *olen)
2531{
2532 if (ssl->alpn_chosen == NULL) {
2533 *olen = 0;
2534 return;
2535 }
2536
2537 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding alpn extension"));
2538
2539 /*
2540 * 0 . 1 ext identifier
2541 * 2 . 3 ext length
2542 * 4 . 5 protocol list length
2543 * 6 . 6 protocol name length
2544 * 7 . 7+n protocol name
2545 */
2546 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, buf, 0);
2547
2548 *olen = 7 + strlen(ssl->alpn_chosen);
2549
2550 MBEDTLS_PUT_UINT16_BE(*olen - 4, buf, 2);
2551
2552 MBEDTLS_PUT_UINT16_BE(*olen - 6, buf, 4);
2553
2554 buf[6] = MBEDTLS_BYTE_0(*olen - 7);
2555
2556 memcpy(buf + 7, ssl->alpn_chosen, *olen - 7);
2557}
2558#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2559
2560#if defined(MBEDTLS_SSL_DTLS_SRTP) && defined(MBEDTLS_SSL_PROTO_DTLS)
2561static void ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
2562 unsigned char *buf,
2563 size_t *olen)
2564{
2565 size_t mki_len = 0, ext_len = 0;
2566 uint16_t profile_value = 0;
2567 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2568
2569 *olen = 0;
2570
2571 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
2572 (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET)) {
2573 return;
2574 }
2575
2576 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, adding use_srtp extension"));
2577
2578 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
2579 mki_len = ssl->dtls_srtp_info.mki_len;
2580 }
2581
2582 /* The extension total size is 9 bytes :
2583 * - 2 bytes for the extension tag
2584 * - 2 bytes for the total size
2585 * - 2 bytes for the protection profile length
2586 * - 2 bytes for the protection profile
2587 * - 1 byte for the mki length
2588 * + the actual mki length
2589 * Check we have enough room in the output buffer */
2590 if ((size_t) (end - buf) < mki_len + 9) {
2591 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small"));
2592 return;
2593 }
2594
2595 /* extension */
2596 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0);
2597 /*
2598 * total length 5 and mki value: only one profile(2 bytes)
2599 * and length(2 bytes) and srtp_mki )
2600 */
2601 ext_len = 5 + mki_len;
2602 MBEDTLS_PUT_UINT16_BE(ext_len, buf, 2);
2603
2604 /* protection profile length: 2 */
2605 buf[4] = 0x00;
2606 buf[5] = 0x02;
2607 profile_value = mbedtls_ssl_check_srtp_profile_value(
2608 ssl->dtls_srtp_info.chosen_dtls_srtp_profile);
2609 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
2610 MBEDTLS_PUT_UINT16_BE(profile_value, buf, 6);
2611 } else {
2612 MBEDTLS_SSL_DEBUG_MSG(1, ("use_srtp extension invalid profile"));
2613 return;
2614 }
2615
2616 buf[8] = mki_len & 0xFF;
2617 memcpy(&buf[9], ssl->dtls_srtp_info.mki_value, mki_len);
2618
2619 *olen = 9 + mki_len;
2620}
2621#endif /* MBEDTLS_SSL_DTLS_SRTP */
2622
2623#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2624MBEDTLS_CHECK_RETURN_CRITICAL
2625static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
2626{
2627 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2628 unsigned char *p = ssl->out_msg + 4;
2629 unsigned char *cookie_len_byte;
2630
2631 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello verify request"));
2632
2633 /*
2634 * struct {
2635 * ProtocolVersion server_version;
2636 * opaque cookie<0..2^8-1>;
2637 * } HelloVerifyRequest;
2638 */
2639
2640 /* The RFC is not clear on this point, but sending the actual negotiated
2641 * version looks like the most interoperable thing to do. */
2642 mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
2643 ssl->conf->transport, p);
2644 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
2645 p += 2;
2646
2647 /* If we get here, f_cookie_check is not null */
2648 if (ssl->conf->f_cookie_write == NULL) {
2649 MBEDTLS_SSL_DEBUG_MSG(1, ("inconsistent cookie callbacks"));
2650 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2651 }
2652
2653 /* Skip length byte until we know the length */
2654 cookie_len_byte = p++;
2655
2656 if ((ret = ssl->conf->f_cookie_write(ssl->conf->p_cookie,
2657 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2658 ssl->cli_id, ssl->cli_id_len)) != 0) {
2659 MBEDTLS_SSL_DEBUG_RET(1, "f_cookie_write", ret);
2660 return ret;
2661 }
2662
2663 *cookie_len_byte = (unsigned char) (p - (cookie_len_byte + 1));
2664
2665 MBEDTLS_SSL_DEBUG_BUF(3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte);
2666
2667 ssl->out_msglen = p - ssl->out_msg;
2668 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2669 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2670
2671 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2672
2673 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
2674 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
2675 return ret;
2676 }
2677
2678#if defined(MBEDTLS_SSL_PROTO_DTLS)
2679 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2680 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
2681 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
2682 return ret;
2683 }
2684#endif /* MBEDTLS_SSL_PROTO_DTLS */
2685
2686 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello verify request"));
2687
2688 return 0;
2689}
2690#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2691
2692static void ssl_handle_id_based_session_resumption(mbedtls_ssl_context *ssl)
2693{
2694 int ret;
2695 mbedtls_ssl_session session_tmp;
2696 mbedtls_ssl_session * const session = ssl->session_negotiate;
2697
2698 /* Resume is 0 by default, see ssl_handshake_init().
2699 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
2700 if (ssl->handshake->resume == 1) {
2701 return;
2702 }
2703 if (session->id_len == 0) {
2704 return;
2705 }
2706 if (ssl->conf->f_get_cache == NULL) {
2707 return;
2708 }
2709#if defined(MBEDTLS_SSL_RENEGOTIATION)
2710 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
2711 return;
2712 }
2713#endif
2714
2715 mbedtls_ssl_session_init(&session_tmp);
2716
2717 session_tmp.id_len = session->id_len;
2718 memcpy(session_tmp.id, session->id, session->id_len);
2719
2720 ret = ssl->conf->f_get_cache(ssl->conf->p_cache,
2721 &session_tmp);
2722 if (ret != 0) {
2723 goto exit;
2724 }
2725
2726 if (session->ciphersuite != session_tmp.ciphersuite ||
2727 session->compression != session_tmp.compression) {
2728 /* Mismatch between cached and negotiated session */
2729 goto exit;
2730 }
2731
2732 /* Move semantics */
2733 mbedtls_ssl_session_free(session);
2734 *session = session_tmp;
2735 memset(&session_tmp, 0, sizeof(session_tmp));
2736
2737 MBEDTLS_SSL_DEBUG_MSG(3, ("session successfully restored from cache"));
2738 ssl->handshake->resume = 1;
2739
2740exit:
2741
2742 mbedtls_ssl_session_free(&session_tmp);
2743}
2744
2745MBEDTLS_CHECK_RETURN_CRITICAL
2746static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
2747{
2748#if defined(MBEDTLS_HAVE_TIME)
2749 mbedtls_time_t t;
2750#endif
2751 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2752 size_t olen, ext_len = 0, n;
2753 unsigned char *buf, *p;
2754
2755 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello"));
2756
2757#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2758 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2759 ssl->handshake->verify_cookie_len != 0) {
2760 MBEDTLS_SSL_DEBUG_MSG(2, ("client hello was not authenticated"));
2761 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2762
2763 return ssl_write_hello_verify_request(ssl);
2764 }
2765#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2766
2767 if (ssl->conf->f_rng == NULL) {
2768 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
2769 return MBEDTLS_ERR_SSL_NO_RNG;
2770 }
2771
2772 /*
2773 * 0 . 0 handshake type
2774 * 1 . 3 handshake length
2775 * 4 . 5 protocol version
2776 * 6 . 9 UNIX time()
2777 * 10 . 37 random bytes
2778 */
2779 buf = ssl->out_msg;
2780 p = buf + 4;
2781
2782 mbedtls_ssl_write_version(ssl->major_ver, ssl->minor_ver,
2783 ssl->conf->transport, p);
2784 p += 2;
2785
2786 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen version: [%d:%d]",
2787 buf[4], buf[5]));
2788
2789#if defined(MBEDTLS_HAVE_TIME)
2790 t = mbedtls_time(NULL);
2791 MBEDTLS_PUT_UINT32_BE(t, p, 0);
2792 p += 4;
2793
2794 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2795 (long long) t));
2796#else
2797 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
2798 return ret;
2799 }
2800
2801 p += 4;
2802#endif /* MBEDTLS_HAVE_TIME */
2803
2804 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0) {
2805 return ret;
2806 }
2807
2808 p += 28;
2809
2810 memcpy(ssl->handshake->randbytes + 32, buf + 6, 32);
2811
2812 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 6, 32);
2813
2814 ssl_handle_id_based_session_resumption(ssl);
2815
2816 if (ssl->handshake->resume == 0) {
2817 /*
2818 * New session, create a new session id,
2819 * unless we're about to issue a session ticket
2820 */
2821 ssl->state++;
2822
2823#if defined(MBEDTLS_HAVE_TIME)
2824 ssl->session_negotiate->start = mbedtls_time(NULL);
2825#endif
2826
2827#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2828 if (ssl->handshake->new_session_ticket != 0) {
2829 ssl->session_negotiate->id_len = n = 0;
2830 memset(ssl->session_negotiate->id, 0, 32);
2831 } else
2832#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2833 {
2834 ssl->session_negotiate->id_len = n = 32;
2835 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
2836 n)) != 0) {
2837 return ret;
2838 }
2839 }
2840 } else {
2841 /*
2842 * Resuming a session
2843 */
2844 n = ssl->session_negotiate->id_len;
2845 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2846
2847 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2848 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2849 return ret;
2850 }
2851 }
2852
2853 /*
2854 * 38 . 38 session id length
2855 * 39 . 38+n session id
2856 * 39+n . 40+n chosen ciphersuite
2857 * 41+n . 41+n chosen compression alg.
2858 * 42+n . 43+n extensions length
2859 * 44+n . 43+n+m extensions
2860 */
2861 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2862 memcpy(p, ssl->session_negotiate->id, ssl->session_negotiate->id_len);
2863 p += ssl->session_negotiate->id_len;
2864
2865 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2866 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 39, n);
2867 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2868 ssl->handshake->resume ? "a" : "no"));
2869
2870 MBEDTLS_PUT_UINT16_BE(ssl->session_negotiate->ciphersuite, p, 0);
2871 p += 2;
2872 *p++ = MBEDTLS_BYTE_0(ssl->session_negotiate->compression);
2873
2874 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %s",
2875 mbedtls_ssl_get_ciphersuite_name(ssl->session_negotiate->ciphersuite)));
2876 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: 0x%02X",
2877 (unsigned int) ssl->session_negotiate->compression));
2878
2879 /* Do not write the extensions if the protocol is SSLv3 */
2880#if defined(MBEDTLS_SSL_PROTO_SSL3)
2881 if ((ssl->major_ver != 3) || (ssl->minor_ver != 0)) {
2882#endif
2883
2884 /*
2885 * First write extensions, then the total length
2886 */
2887 ssl_write_renegotiation_ext(ssl, p + 2 + ext_len, &olen);
2888 ext_len += olen;
2889
2890#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2891 ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len, &olen);
2892 ext_len += olen;
2893#endif
2894
2895#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2896 ssl_write_truncated_hmac_ext(ssl, p + 2 + ext_len, &olen);
2897 ext_len += olen;
2898#endif
2899
2900#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2901 ssl_write_cid_ext(ssl, p + 2 + ext_len, &olen);
2902 ext_len += olen;
2903#endif
2904
2905#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2906 ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len, &olen);
2907 ext_len += olen;
2908#endif
2909
2910#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2911 ssl_write_extended_ms_ext(ssl, p + 2 + ext_len, &olen);
2912 ext_len += olen;
2913#endif
2914
2915#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2916 ssl_write_session_ticket_ext(ssl, p + 2 + ext_len, &olen);
2917 ext_len += olen;
2918#endif
2919
2920#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2921 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2922 if (mbedtls_ssl_ciphersuite_uses_ec(
2923 mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite))) {
2924 ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len, &olen);
2925 ext_len += olen;
2926 }
2927#endif
2928
2929#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2930 ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len, &olen);
2931 ext_len += olen;
2932#endif
2933
2934#if defined(MBEDTLS_SSL_ALPN)
2935 ssl_write_alpn_ext(ssl, p + 2 + ext_len, &olen);
2936 ext_len += olen;
2937#endif
2938
2939#if defined(MBEDTLS_SSL_DTLS_SRTP)
2940 ssl_write_use_srtp_ext(ssl, p + 2 + ext_len, &olen);
2941 ext_len += olen;
2942#endif
2943
2944 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2945 ext_len));
2946
2947 if (ext_len > 0) {
2948 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
2949 p += 2 + ext_len;
2950 }
2951
2952#if defined(MBEDTLS_SSL_PROTO_SSL3)
2953}
2954#endif
2955
2956 ssl->out_msglen = p - buf;
2957 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2958 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2959
2960 ret = mbedtls_ssl_write_handshake_msg(ssl);
2961
2962 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
2963
2964 return ret;
2965}
2966
2967#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2968MBEDTLS_CHECK_RETURN_CRITICAL
2969static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2970{
2971 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2972 ssl->handshake->ciphersuite_info;
2973
2974 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
2975
2976 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
2977 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
2978 ssl->state++;
2979 return 0;
2980 }
2981
2982 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2983 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2984}
2985#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2986MBEDTLS_CHECK_RETURN_CRITICAL
2987static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
2988{
2989 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2990 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2991 ssl->handshake->ciphersuite_info;
2992 uint16_t dn_size, total_dn_size; /* excluding length bytes */
2993 size_t ct_len, sa_len; /* including length bytes */
2994 unsigned char *buf, *p;
2995 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2996 const mbedtls_x509_crt *crt;
2997 int authmode;
2998
2999 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
3000
3001 ssl->state++;
3002
3003#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3004 if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
3005 authmode = ssl->handshake->sni_authmode;
3006 } else
3007#endif
3008 authmode = ssl->conf->authmode;
3009
3010 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info) ||
3011 authmode == MBEDTLS_SSL_VERIFY_NONE) {
3012 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
3013 return 0;
3014 }
3015
3016 /*
3017 * 0 . 0 handshake type
3018 * 1 . 3 handshake length
3019 * 4 . 4 cert type count
3020 * 5 .. m-1 cert types
3021 * m .. m+1 sig alg length (TLS 1.2 only)
3022 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
3023 * n .. n+1 length of all DNs
3024 * n+2 .. n+3 length of DN 1
3025 * n+4 .. ... Distinguished Name #1
3026 * ... .. ... length of DN 2, etc.
3027 */
3028 buf = ssl->out_msg;
3029 p = buf + 4;
3030
3031 /*
3032 * Supported certificate types
3033 *
3034 * ClientCertificateType certificate_types<1..2^8-1>;
3035 * enum { (255) } ClientCertificateType;
3036 */
3037 ct_len = 0;
3038
3039#if defined(MBEDTLS_RSA_C)
3040 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
3041#endif
3042#if defined(MBEDTLS_ECDSA_C)
3043 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
3044#endif
3045
3046 p[0] = (unsigned char) ct_len++;
3047 p += ct_len;
3048
3049 sa_len = 0;
3050#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3051 /*
3052 * Add signature_algorithms for verify (TLS 1.2)
3053 *
3054 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
3055 *
3056 * struct {
3057 * HashAlgorithm hash;
3058 * SignatureAlgorithm signature;
3059 * } SignatureAndHashAlgorithm;
3060 *
3061 * enum { (255) } HashAlgorithm;
3062 * enum { (255) } SignatureAlgorithm;
3063 */
3064 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3065 const int *cur;
3066
3067 /*
3068 * Supported signature algorithms
3069 */
3070 for (cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++) {
3071 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*cur);
3072
3073 if (MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md(ssl, hash)) {
3074 continue;
3075 }
3076
3077#if defined(MBEDTLS_RSA_C)
3078 p[2 + sa_len++] = hash;
3079 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
3080#endif
3081#if defined(MBEDTLS_ECDSA_C)
3082 p[2 + sa_len++] = hash;
3083 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
3084#endif
3085 }
3086
3087 MBEDTLS_PUT_UINT16_BE(sa_len, p, 0);
3088 sa_len += 2;
3089 p += sa_len;
3090 }
3091#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3092
3093 /*
3094 * DistinguishedName certificate_authorities<0..2^16-1>;
3095 * opaque DistinguishedName<1..2^16-1>;
3096 */
3097 p += 2;
3098
3099 total_dn_size = 0;
3100
3101 if (ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED) {
3102 /* NOTE: If trusted certificates are provisioned
3103 * via a CA callback (configured through
3104 * `mbedtls_ssl_conf_ca_cb()`, then the
3105 * CertificateRequest is currently left empty. */
3106
3107#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3108 if (ssl->handshake->sni_ca_chain != NULL) {
3109 crt = ssl->handshake->sni_ca_chain;
3110 } else
3111#endif
3112 crt = ssl->conf->ca_chain;
3113
3114 while (crt != NULL && crt->version != 0) {
3115 /* It follows from RFC 5280 A.1 that this length
3116 * can be represented in at most 11 bits. */
3117 dn_size = (uint16_t) crt->subject_raw.len;
3118
3119 if (end < p || (size_t) (end - p) < 2 + (size_t) dn_size) {
3120 MBEDTLS_SSL_DEBUG_MSG(1, ("skipping CAs: buffer too short"));
3121 break;
3122 }
3123
3124 MBEDTLS_PUT_UINT16_BE(dn_size, p, 0);
3125 p += 2;
3126 memcpy(p, crt->subject_raw.p, dn_size);
3127 p += dn_size;
3128
3129 MBEDTLS_SSL_DEBUG_BUF(3, "requested DN", p - dn_size, dn_size);
3130
3131 total_dn_size += 2 + dn_size;
3132 crt = crt->next;
3133 }
3134 }
3135
3136 ssl->out_msglen = p - buf;
3137 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3138 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
3139 MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
3140
3141 ret = mbedtls_ssl_write_handshake_msg(ssl);
3142
3143 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
3144
3145 return ret;
3146}
3147#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3148
3149#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3150 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3151MBEDTLS_CHECK_RETURN_CRITICAL
3152static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
3153{
3154 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3155 mbedtls_pk_context *own_key = mbedtls_ssl_own_key(ssl);
3156
3157 /* Check if the key is a transparent ECDH key.
3158 * This also ensures that it is safe to call mbedtls_pk_ec(). */
3159 if (mbedtls_pk_get_type(own_key) != MBEDTLS_PK_ECKEY &&
3160 mbedtls_pk_get_type(own_key) != MBEDTLS_PK_ECKEY_DH) {
3161 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
3162 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
3163 }
3164
3165 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
3166 mbedtls_pk_ec(*own_key),
3167 MBEDTLS_ECDH_OURS)) != 0) {
3168 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
3169 return ret;
3170 }
3171
3172 return 0;
3173}
3174#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
3175 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3176
3177#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
3178 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3179MBEDTLS_CHECK_RETURN_CRITICAL
3180static int ssl_resume_server_key_exchange(mbedtls_ssl_context *ssl,
3181 size_t *signature_len)
3182{
3183 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3184 * signature length which will be added in ssl_write_server_key_exchange
3185 * after the call to ssl_prepare_server_key_exchange.
3186 * ssl_write_server_key_exchange also takes care of incrementing
3187 * ssl->out_msglen. */
3188 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
3189 size_t sig_max_len = (ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
3190 - sig_start);
3191 int ret = ssl->conf->f_async_resume(ssl,
3192 sig_start, signature_len, sig_max_len);
3193 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3194 ssl->handshake->async_in_progress = 0;
3195 mbedtls_ssl_set_async_operation_data(ssl, NULL);
3196 }
3197 MBEDTLS_SSL_DEBUG_RET(2, "ssl_resume_server_key_exchange", ret);
3198 return ret;
3199}
3200#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3201 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3202
3203/* Prepare the ServerKeyExchange message, up to and including
3204 * calculating the signature if any, but excluding formatting the
3205 * signature and sending the message. */
3206MBEDTLS_CHECK_RETURN_CRITICAL
3207static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
3208 size_t *signature_len)
3209{
3210 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3211 ssl->handshake->ciphersuite_info;
3212
3213#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
3214#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3215 unsigned char *dig_signed = NULL;
3216#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3217#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
3218
3219 (void) ciphersuite_info; /* unused in some configurations */
3220#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3221 (void) signature_len;
3222#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3223
3224 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
3225
3226 /*
3227 *
3228 * Part 1: Provide key exchange parameters for chosen ciphersuite.
3229 *
3230 */
3231
3232 /*
3233 * - ECJPAKE key exchanges
3234 */
3235#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3236 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3237 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3238 size_t len = 0;
3239
3240 ret = mbedtls_ecjpake_write_round_two(
3241 &ssl->handshake->ecjpake_ctx,
3242 ssl->out_msg + ssl->out_msglen,
3243 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
3244 ssl->conf->f_rng, ssl->conf->p_rng);
3245 if (ret != 0) {
3246 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3247 return ret;
3248 }
3249
3250 ssl->out_msglen += len;
3251 }
3252#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3253
3254 /*
3255 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
3256 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
3257 * we use empty support identity hints here.
3258 **/
3259#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
3260 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3261 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3262 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3263 ssl->out_msg[ssl->out_msglen++] = 0x00;
3264 ssl->out_msg[ssl->out_msglen++] = 0x00;
3265 }
3266#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
3267 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3268
3269 /*
3270 * - DHE key exchanges
3271 */
3272#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
3273 if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
3274 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3275 size_t len = 0;
3276
3277 if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
3278 MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
3279 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3280 }
3281
3282 /*
3283 * Ephemeral DH parameters:
3284 *
3285 * struct {
3286 * opaque dh_p<1..2^16-1>;
3287 * opaque dh_g<1..2^16-1>;
3288 * opaque dh_Ys<1..2^16-1>;
3289 * } ServerDHParams;
3290 */
3291 if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
3292 &ssl->conf->dhm_P,
3293 &ssl->conf->dhm_G)) != 0) {
3294 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
3295 return ret;
3296 }
3297
3298 if ((ret = mbedtls_dhm_make_params(
3299 &ssl->handshake->dhm_ctx,
3300 (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
3301 ssl->out_msg + ssl->out_msglen, &len,
3302 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3303 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
3304 return ret;
3305 }
3306
3307#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3308 dig_signed = ssl->out_msg + ssl->out_msglen;
3309#endif
3310
3311 ssl->out_msglen += len;
3312
3313 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
3314 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
3315 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
3316 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
3317 }
3318#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
3319
3320 /*
3321 * - ECDHE key exchanges
3322 */
3323#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
3324 if (mbedtls_ssl_ciphersuite_uses_ecdhe(ciphersuite_info)) {
3325 /*
3326 * Ephemeral ECDH parameters:
3327 *
3328 * struct {
3329 * ECParameters curve_params;
3330 * ECPoint public;
3331 * } ServerECDHParams;
3332 */
3333 const mbedtls_ecp_curve_info **curve = NULL;
3334 const mbedtls_ecp_group_id *gid;
3335 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3336 size_t len = 0;
3337
3338 /* Match our preference list against the offered curves */
3339 for (gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++) {
3340 for (curve = ssl->handshake->curves; *curve != NULL; curve++) {
3341 if ((*curve)->grp_id == *gid) {
3342 goto curve_matching_done;
3343 }
3344 }
3345 }
3346
3347curve_matching_done:
3348 if (curve == NULL || *curve == NULL) {
3349 MBEDTLS_SSL_DEBUG_MSG(1, ("no matching curve for ECDHE"));
3350 return MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN;
3351 }
3352
3353 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s", (*curve)->name));
3354
3355 if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
3356 (*curve)->grp_id)) != 0) {
3357 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
3358 return ret;
3359 }
3360
3361 if ((ret = mbedtls_ecdh_make_params(
3362 &ssl->handshake->ecdh_ctx, &len,
3363 ssl->out_msg + ssl->out_msglen,
3364 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3365 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3366 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
3367 return ret;
3368 }
3369
3370#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3371 dig_signed = ssl->out_msg + ssl->out_msglen;
3372#endif
3373
3374 ssl->out_msglen += len;
3375
3376 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3377 MBEDTLS_DEBUG_ECDH_Q);
3378 }
3379#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
3380
3381 /*
3382 *
3383 * Part 2: For key exchanges involving the server signing the
3384 * exchange parameters, compute and add the signature here.
3385 *
3386 */
3387#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3388 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3389 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
3390 size_t hashlen = 0;
3391#if defined(MBEDTLS_USE_PSA_CRYPTO)
3392 unsigned char hash[PSA_HASH_MAX_SIZE];
3393#else
3394 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3395#endif
3396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3397
3398 /*
3399 * 2.1: Choose hash algorithm:
3400 * A: For TLS 1.2, obey signature-hash-algorithm extension
3401 * to choose appropriate hash.
3402 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
3403 * (RFC 4492, Sec. 5.4)
3404 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
3405 */
3406
3407 mbedtls_md_type_t md_alg;
3408
3409#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3410 mbedtls_pk_type_t sig_alg =
3411 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
3412 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3413 /* A: For TLS 1.2, obey signature-hash-algorithm extension
3414 * (RFC 5246, Sec. 7.4.1.4.1). */
3415 if (sig_alg == MBEDTLS_PK_NONE ||
3416 (md_alg = mbedtls_ssl_sig_hash_set_find(&ssl->handshake->hash_algs,
3417 sig_alg)) == MBEDTLS_MD_NONE) {
3418 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3419 /* (... because we choose a cipher suite
3420 * only if there is a matching hash.) */
3421 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3422 }
3423 } else
3424#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3425#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3426 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3427 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
3428 /* B: Default hash SHA1 */
3429 md_alg = MBEDTLS_MD_SHA1;
3430 } else
3431#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3432 MBEDTLS_SSL_PROTO_TLS1_1 */
3433 {
3434 /* C: MD5 + SHA1 */
3435 md_alg = MBEDTLS_MD_NONE;
3436 }
3437
3438 MBEDTLS_SSL_DEBUG_MSG(3, ("pick hash algorithm %u for signing", (unsigned) md_alg));
3439
3440 /*
3441 * 2.2: Compute the hash to be signed
3442 */
3443#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3444 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3445 if (md_alg == MBEDTLS_MD_NONE) {
3446 hashlen = 36;
3447 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls(ssl, hash,
3448 dig_signed,
3449 dig_signed_len);
3450 if (ret != 0) {
3451 return ret;
3452 }
3453 } else
3454#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3455 MBEDTLS_SSL_PROTO_TLS1_1 */
3456#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3457 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3458 if (md_alg != MBEDTLS_MD_NONE) {
3459 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3460 dig_signed,
3461 dig_signed_len,
3462 md_alg);
3463 if (ret != 0) {
3464 return ret;
3465 }
3466 } else
3467#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3468 MBEDTLS_SSL_PROTO_TLS1_2 */
3469 {
3470 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3471 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3472 }
3473
3474 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
3475
3476 /*
3477 * 2.3: Compute and add the signature
3478 */
3479#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3480 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3481 /*
3482 * For TLS 1.2, we need to specify signature and hash algorithm
3483 * explicitly through a prefix to the signature.
3484 *
3485 * struct {
3486 * HashAlgorithm hash;
3487 * SignatureAlgorithm signature;
3488 * } SignatureAndHashAlgorithm;
3489 *
3490 * struct {
3491 * SignatureAndHashAlgorithm algorithm;
3492 * opaque signature<0..2^16-1>;
3493 * } DigitallySigned;
3494 *
3495 */
3496
3497 ssl->out_msg[ssl->out_msglen++] =
3498 mbedtls_ssl_hash_from_md_alg(md_alg);
3499 ssl->out_msg[ssl->out_msglen++] =
3500 mbedtls_ssl_sig_from_pk_alg(sig_alg);
3501 }
3502#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3503
3504#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3505 if (ssl->conf->f_async_sign_start != NULL) {
3506 ret = ssl->conf->f_async_sign_start(ssl,
3507 mbedtls_ssl_own_cert(ssl),
3508 md_alg, hash, hashlen);
3509 switch (ret) {
3510 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3511 /* act as if f_async_sign was null */
3512 break;
3513 case 0:
3514 ssl->handshake->async_in_progress = 1;
3515 return ssl_resume_server_key_exchange(ssl, signature_len);
3516 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3517 ssl->handshake->async_in_progress = 1;
3518 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3519 default:
3520 MBEDTLS_SSL_DEBUG_RET(1, "f_async_sign_start", ret);
3521 return ret;
3522 }
3523 }
3524#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3525
3526 if (mbedtls_ssl_own_key(ssl) == NULL) {
3527 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key"));
3528 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3529 }
3530
3531 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3532 * signature length which will be added in ssl_write_server_key_exchange
3533 * after the call to ssl_prepare_server_key_exchange.
3534 * ssl_write_server_key_exchange also takes care of incrementing
3535 * ssl->out_msglen. */
3536 if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
3537 md_alg, hash, hashlen,
3538 ssl->out_msg + ssl->out_msglen + 2,
3539 signature_len,
3540 ssl->conf->f_rng,
3541 ssl->conf->p_rng)) != 0) {
3542 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
3543 return ret;
3544 }
3545 }
3546#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3547
3548 return 0;
3549}
3550
3551/* Prepare the ServerKeyExchange message and send it. For ciphersuites
3552 * that do not include a ServerKeyExchange message, do nothing. Either
3553 * way, if successful, move on to the next step in the SSL state
3554 * machine. */
3555MBEDTLS_CHECK_RETURN_CRITICAL
3556static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
3557{
3558 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3559 size_t signature_len = 0;
3560#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3561 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3562 ssl->handshake->ciphersuite_info;
3563#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3564
3565 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange"));
3566
3567#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3568 /* Extract static ECDH parameters and abort if ServerKeyExchange
3569 * is not needed. */
3570 if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) {
3571 /* For suites involving ECDH, extract DH parameters
3572 * from certificate at this point. */
3573#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
3574 if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) {
3575 ret = ssl_get_ecdh_params_from_cert(ssl);
3576 if (ret != 0) {
3577 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3578 return ret;
3579 }
3580 }
3581#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
3582
3583 /* Key exchanges not involving ephemeral keys don't use
3584 * ServerKeyExchange, so end here. */
3585 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
3586 ssl->state++;
3587 return 0;
3588 }
3589#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3590
3591#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
3592 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3593 /* If we have already prepared the message and there is an ongoing
3594 * signature operation, resume signing. */
3595 if (ssl->handshake->async_in_progress != 0) {
3596 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming signature operation"));
3597 ret = ssl_resume_server_key_exchange(ssl, &signature_len);
3598 } else
3599#endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3600 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3601 {
3602 /* ServerKeyExchange is needed. Prepare the message. */
3603 ret = ssl_prepare_server_key_exchange(ssl, &signature_len);
3604 }
3605
3606 if (ret != 0) {
3607 /* If we're starting to write a new message, set ssl->out_msglen
3608 * to 0. But if we're resuming after an asynchronous message,
3609 * out_msglen is the amount of data written so far and mst be
3610 * preserved. */
3611 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3612 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange (pending)"));
3613 } else {
3614 ssl->out_msglen = 0;
3615 }
3616 return ret;
3617 }
3618
3619 /* If there is a signature, write its length.
3620 * ssl_prepare_server_key_exchange already wrote the signature
3621 * itself at its proper place in the output buffer. */
3622#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3623 if (signature_len != 0) {
3624 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1(signature_len);
3625 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0(signature_len);
3626
3627 MBEDTLS_SSL_DEBUG_BUF(3, "my signature",
3628 ssl->out_msg + ssl->out_msglen,
3629 signature_len);
3630
3631 /* Skip over the already-written signature */
3632 ssl->out_msglen += signature_len;
3633 }
3634#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3635
3636 /* Add header and send. */
3637 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3638 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3639
3640 ssl->state++;
3641
3642 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3643 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3644 return ret;
3645 }
3646
3647 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server key exchange"));
3648 return 0;
3649}
3650
3651MBEDTLS_CHECK_RETURN_CRITICAL
3652static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
3653{
3654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3655
3656 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server hello done"));
3657
3658 ssl->out_msglen = 4;
3659 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3660 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3661
3662 ssl->state++;
3663
3664#if defined(MBEDTLS_SSL_PROTO_DTLS)
3665 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3666 mbedtls_ssl_send_flight_completed(ssl);
3667 }
3668#endif
3669
3670 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3671 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3672 return ret;
3673 }
3674
3675#if defined(MBEDTLS_SSL_PROTO_DTLS)
3676 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3677 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3678 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
3679 return ret;
3680 }
3681#endif /* MBEDTLS_SSL_PROTO_DTLS */
3682
3683 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello done"));
3684
3685 return 0;
3686}
3687
3688#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3689 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3690MBEDTLS_CHECK_RETURN_CRITICAL
3691static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
3692 const unsigned char *end)
3693{
3694 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3695 size_t n;
3696
3697 /*
3698 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3699 */
3700 if (*p + 2 > end) {
3701 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3702 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
3703 }
3704
3705 n = ((*p)[0] << 8) | (*p)[1];
3706 *p += 2;
3707
3708 if (*p + n > end) {
3709 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3710 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
3711 }
3712
3713 if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
3714 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
3715 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP;
3716 }
3717
3718 *p += n;
3719
3720 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
3721
3722 return ret;
3723}
3724#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3725 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3726
3727#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3728 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3729
3730#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3731MBEDTLS_CHECK_RETURN_CRITICAL
3732static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
3733 unsigned char *peer_pms,
3734 size_t *peer_pmslen,
3735 size_t peer_pmssize)
3736{
3737 int ret = ssl->conf->f_async_resume(ssl,
3738 peer_pms, peer_pmslen, peer_pmssize);
3739 if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3740 ssl->handshake->async_in_progress = 0;
3741 mbedtls_ssl_set_async_operation_data(ssl, NULL);
3742 }
3743 MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
3744 return ret;
3745}
3746#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3747
3748MBEDTLS_CHECK_RETURN_CRITICAL
3749static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
3750 const unsigned char *p,
3751 const unsigned char *end,
3752 unsigned char *peer_pms,
3753 size_t *peer_pmslen,
3754 size_t peer_pmssize)
3755{
3756 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3757
3758 mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
3759 if (own_cert == NULL) {
3760 MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
3761 return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
3762 }
3763 mbedtls_pk_context *public_key = &own_cert->pk;
3764 mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
3765 size_t len = mbedtls_pk_get_len(public_key);
3766
3767#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3768 /* If we have already started decoding the message and there is an ongoing
3769 * decryption operation, resume signing. */
3770 if (ssl->handshake->async_in_progress != 0) {
3771 MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
3772 return ssl_resume_decrypt_pms(ssl,
3773 peer_pms, peer_pmslen, peer_pmssize);
3774 }
3775#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3776
3777 /*
3778 * Prepare to decrypt the premaster using own private RSA key
3779 */
3780#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3781 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3782 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0) {
3783 if (p + 2 > end) {
3784 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3785 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
3786 }
3787 if (*p++ != MBEDTLS_BYTE_1(len) ||
3788 *p++ != MBEDTLS_BYTE_0(len)) {
3789 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3790 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
3791 }
3792 }
3793#endif
3794
3795 if (p + len != end) {
3796 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3797 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
3798 }
3799
3800 /*
3801 * Decrypt the premaster secret
3802 */
3803#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3804 if (ssl->conf->f_async_decrypt_start != NULL) {
3805 ret = ssl->conf->f_async_decrypt_start(ssl,
3806 mbedtls_ssl_own_cert(ssl),
3807 p, len);
3808 switch (ret) {
3809 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3810 /* act as if f_async_decrypt_start was null */
3811 break;
3812 case 0:
3813 ssl->handshake->async_in_progress = 1;
3814 return ssl_resume_decrypt_pms(ssl,
3815 peer_pms,
3816 peer_pmslen,
3817 peer_pmssize);
3818 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3819 ssl->handshake->async_in_progress = 1;
3820 return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
3821 default:
3822 MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
3823 return ret;
3824 }
3825 }
3826#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3827
3828 if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
3829 MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
3830 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3831 }
3832
3833 ret = mbedtls_pk_decrypt(private_key, p, len,
3834 peer_pms, peer_pmslen, peer_pmssize,
3835 ssl->conf->f_rng, ssl->conf->p_rng);
3836 return ret;
3837}
3838
3839MBEDTLS_CHECK_RETURN_CRITICAL
3840static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
3841 const unsigned char *p,
3842 const unsigned char *end,
3843 size_t pms_offset)
3844{
3845 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3846 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3847 unsigned char ver[2];
3848 unsigned char fake_pms[48], peer_pms[48];
3849 unsigned char mask;
3850 size_t i, peer_pmslen;
3851 unsigned int diff;
3852
3853 /* In case of a failure in decryption, the decryption may write less than
3854 * 2 bytes of output, but we always read the first two bytes. It doesn't
3855 * matter in the end because diff will be nonzero in that case due to
3856 * ret being nonzero, and we only care whether diff is 0.
3857 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3858 * also makes memory analyzers happy (don't access uninitialized memory,
3859 * even if it's an unsigned char). */
3860 peer_pms[0] = peer_pms[1] = ~0;
3861 peer_pmslen = 0;
3862
3863 ret = ssl_decrypt_encrypted_pms(ssl, p, end,
3864 peer_pms,
3865 &peer_pmslen,
3866 sizeof(peer_pms));
3867
3868#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3869 if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
3870 return ret;
3871 }
3872#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3873
3874 mbedtls_ssl_write_version(ssl->handshake->max_major_ver,
3875 ssl->handshake->max_minor_ver,
3876 ssl->conf->transport, ver);
3877
3878 /* Avoid data-dependent branches while checking for invalid
3879 * padding, to protect against timing-based Bleichenbacher-type
3880 * attacks. */
3881 diff = (unsigned int) ret;
3882 diff |= peer_pmslen ^ 48;
3883 diff |= peer_pms[0] ^ ver[0];
3884 diff |= peer_pms[1] ^ ver[1];
3885
3886 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3887 mask = mbedtls_ct_uint_mask(diff);
3888
3889 /*
3890 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3891 * must not cause the connection to end immediately; instead, send a
3892 * bad_record_mac later in the handshake.
3893 * To protect against timing-based variants of the attack, we must
3894 * not have any branch that depends on whether the decryption was
3895 * successful. In particular, always generate the fake premaster secret,
3896 * regardless of whether it will ultimately influence the output or not.
3897 */
3898 ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
3899 if (ret != 0) {
3900 /* It's ok to abort on an RNG failure, since this does not reveal
3901 * anything about the RSA decryption. */
3902 return ret;
3903 }
3904
3905#if defined(MBEDTLS_SSL_DEBUG_ALL)
3906 if (diff != 0) {
3907 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3908 }
3909#endif
3910
3911 if (sizeof(ssl->handshake->premaster) < pms_offset ||
3912 sizeof(ssl->handshake->premaster) - pms_offset < 48) {
3913 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3914 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3915 }
3916 ssl->handshake->pmslen = 48;
3917
3918 /* Set pms to either the true or the fake PMS, without
3919 * data-dependent branches. */
3920 for (i = 0; i < ssl->handshake->pmslen; i++) {
3921 pms[i] = (mask & fake_pms[i]) | ((~mask) & peer_pms[i]);
3922 }
3923
3924 return 0;
3925}
3926#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3927 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3928
3929#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3930MBEDTLS_CHECK_RETURN_CRITICAL
3931static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
3932 const unsigned char *end)
3933{
3934 int ret = 0;
3935 uint16_t n;
3936
3937 if (ssl_conf_has_psk_or_cb(ssl->conf) == 0) {
3938 MBEDTLS_SSL_DEBUG_MSG(1, ("got no pre-shared key"));
3939 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
3940 }
3941
3942 /*
3943 * Receive client pre-shared key identity name
3944 */
3945 if (end - *p < 2) {
3946 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3947 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
3948 }
3949
3950 n = ((*p)[0] << 8) | (*p)[1];
3951 *p += 2;
3952
3953 if (n == 0 || n > end - *p) {
3954 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
3955 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
3956 }
3957
3958 if (ssl->conf->f_psk != NULL) {
3959 if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, n) != 0) {
3960 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3961 }
3962 } else {
3963 /* Identity is not a big secret since clients send it in the clear,
3964 * but treat it carefully anyway, just in case */
3965 if (n != ssl->conf->psk_identity_len ||
3966 mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, n) != 0) {
3967 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3968 }
3969 }
3970
3971 if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) {
3972 MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, n);
3973 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3974 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY);
3975 return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3976 }
3977
3978 *p += n;
3979
3980 return 0;
3981}
3982#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3983
3984MBEDTLS_CHECK_RETURN_CRITICAL
3985static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
3986{
3987 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3988 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3989 unsigned char *p, *end;
3990
3991 ciphersuite_info = ssl->handshake->ciphersuite_info;
3992
3993 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
3994
3995#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3996 (defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3997 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
3998 if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3999 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
4000 (ssl->handshake->async_in_progress != 0)) {
4001 /* We've already read a record and there is an asynchronous
4002 * operation in progress to decrypt it. So skip reading the
4003 * record. */
4004 MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
4005 } else
4006#endif
4007 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
4008 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
4009 return ret;
4010 }
4011
4012 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
4013 end = ssl->in_msg + ssl->in_hslen;
4014
4015 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
4016 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
4017 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
4018 }
4019
4020 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE) {
4021 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
4022 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
4023 }
4024
4025#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
4026 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
4027 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
4028 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
4029 return ret;
4030 }
4031
4032 if (p != end) {
4033 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
4034 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
4035 }
4036
4037 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
4038 ssl->handshake->premaster,
4039 MBEDTLS_PREMASTER_SIZE,
4040 &ssl->handshake->pmslen,
4041 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
4042 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
4043 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS;
4044 }
4045
4046 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
4047 } else
4048#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
4049#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
4050 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
4051 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
4052 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
4053 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
4054 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
4055 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
4056 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
4057 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
4058 p, end - p)) != 0) {
4059 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
4060 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP;
4061 }
4062
4063 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4064 MBEDTLS_DEBUG_ECDH_QP);
4065
4066 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
4067 &ssl->handshake->pmslen,
4068 ssl->handshake->premaster,
4069 MBEDTLS_MPI_MAX_SIZE,
4070 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
4071 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
4072 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS;
4073 }
4074
4075 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4076 MBEDTLS_DEBUG_ECDH_Z);
4077 } else
4078#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
4079 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
4080 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
4081 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
4082#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
4083 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
4084 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4085 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4086 return ret;
4087 }
4088
4089 if (p != end) {
4090 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
4091 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
4092 }
4093
4094#if defined(MBEDTLS_USE_PSA_CRYPTO)
4095 /* For opaque PSKs, we perform the PSK-to-MS derivation automatically
4096 * and skip the intermediate PMS. */
4097 if (ssl_use_opaque_psk(ssl) == 1) {
4098 MBEDTLS_SSL_DEBUG_MSG(1, ("skip PMS generation for opaque PSK"));
4099 } else
4100#endif /* MBEDTLS_USE_PSA_CRYPTO */
4101 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
4102 ciphersuite_info->key_exchange)) != 0) {
4103 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4104 return ret;
4105 }
4106 } else
4107#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
4108#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
4109 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
4110#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4111 if (ssl->handshake->async_in_progress != 0) {
4112 /* There is an asynchronous operation in progress to
4113 * decrypt the encrypted premaster secret, so skip
4114 * directly to resuming this operation. */
4115 MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
4116 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
4117 * won't actually use it, but maintain p anyway for robustness. */
4118 p += ssl->conf->psk_identity_len + 2;
4119 } else
4120#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4121 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4122 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4123 return ret;
4124 }
4125
4126#if defined(MBEDTLS_USE_PSA_CRYPTO)
4127 /* Opaque PSKs are currently only supported for PSK-only. */
4128 if (ssl_use_opaque_psk(ssl) == 1) {
4129 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with RSA-PSK"));
4130 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4131 }
4132#endif
4133
4134 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
4135 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
4136 return ret;
4137 }
4138
4139 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
4140 ciphersuite_info->key_exchange)) != 0) {
4141 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4142 return ret;
4143 }
4144 } else
4145#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
4146#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
4147 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
4148 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4149 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4150 return ret;
4151 }
4152 if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
4153 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
4154 return ret;
4155 }
4156
4157#if defined(MBEDTLS_USE_PSA_CRYPTO)
4158 /* Opaque PSKs are currently only supported for PSK-only. */
4159 if (ssl_use_opaque_psk(ssl) == 1) {
4160 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with DHE-PSK"));
4161 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4162 }
4163#endif
4164
4165 if (p != end) {
4166 MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
4167 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE;
4168 }
4169
4170 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
4171 ciphersuite_info->key_exchange)) != 0) {
4172 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4173 return ret;
4174 }
4175 } else
4176#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
4177#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
4178 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
4179 if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
4180 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
4181 return ret;
4182 }
4183
4184 if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
4185 p, end - p)) != 0) {
4186 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
4187 return MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP;
4188 }
4189
4190#if defined(MBEDTLS_USE_PSA_CRYPTO)
4191 /* Opaque PSKs are currently only supported for PSK-only. */
4192 if (ssl_use_opaque_psk(ssl) == 1) {
4193 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with ECDHE-PSK"));
4194 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4195 }
4196#endif
4197
4198 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
4199 MBEDTLS_DEBUG_ECDH_QP);
4200
4201 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
4202 ciphersuite_info->key_exchange)) != 0) {
4203 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
4204 return ret;
4205 }
4206 } else
4207#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
4208#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
4209 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
4210 if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
4211 MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
4212 return ret;
4213 }
4214 } else
4215#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
4216#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4217 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
4218 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
4219 p, end - p);
4220 if (ret != 0) {
4221 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
4222 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
4223 }
4224
4225 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
4226 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4227 ssl->conf->f_rng, ssl->conf->p_rng);
4228 if (ret != 0) {
4229 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
4230 return ret;
4231 }
4232 } else
4233#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
4234 {
4235 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4236 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4237 }
4238
4239 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4240 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4241 return ret;
4242 }
4243
4244 ssl->state++;
4245
4246 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
4247
4248 return 0;
4249}
4250
4251#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
4252MBEDTLS_CHECK_RETURN_CRITICAL
4253static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4254{
4255 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4256 ssl->handshake->ciphersuite_info;
4257
4258 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4259
4260 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4261 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4262 ssl->state++;
4263 return 0;
4264 }
4265
4266 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4267 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4268}
4269#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4270MBEDTLS_CHECK_RETURN_CRITICAL
4271static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
4272{
4273 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4274 size_t i, sig_len;
4275 unsigned char hash[48];
4276 unsigned char *hash_start = hash;
4277 size_t hashlen;
4278#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4279 mbedtls_pk_type_t pk_alg;
4280#endif
4281 mbedtls_md_type_t md_alg;
4282 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4283 ssl->handshake->ciphersuite_info;
4284 mbedtls_pk_context *peer_pk;
4285
4286 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
4287
4288 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4289 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4290 ssl->state++;
4291 return 0;
4292 }
4293
4294#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4295 if (ssl->session_negotiate->peer_cert == NULL) {
4296 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4297 ssl->state++;
4298 return 0;
4299 }
4300#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4301 if (ssl->session_negotiate->peer_cert_digest == NULL) {
4302 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
4303 ssl->state++;
4304 return 0;
4305 }
4306#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4307
4308 /* Read the message without adding it to the checksum */
4309 ret = mbedtls_ssl_read_record(ssl, 0 /* no checksum update */);
4310 if (0 != ret) {
4311 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_read_record"), ret);
4312 return ret;
4313 }
4314
4315 ssl->state++;
4316
4317 /* Process the message contents */
4318 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4319 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY) {
4320 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4321 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
4322 }
4323
4324 i = mbedtls_ssl_hs_hdr_len(ssl);
4325
4326#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4327 peer_pk = &ssl->handshake->peer_pubkey;
4328#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4329 if (ssl->session_negotiate->peer_cert == NULL) {
4330 /* Should never happen */
4331 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4332 }
4333 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4334#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4335
4336 /*
4337 * struct {
4338 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4339 * opaque signature<0..2^16-1>;
4340 * } DigitallySigned;
4341 */
4342#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4343 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4344 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
4345 md_alg = MBEDTLS_MD_NONE;
4346 hashlen = 36;
4347
4348 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
4349 if (mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECDSA)) {
4350 hash_start += 16;
4351 hashlen -= 16;
4352 md_alg = MBEDTLS_MD_SHA1;
4353 }
4354 } else
4355#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
4356 MBEDTLS_SSL_PROTO_TLS1_1 */
4357#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4358 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
4359 if (i + 2 > ssl->in_hslen) {
4360 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4361 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
4362 }
4363
4364 /*
4365 * Hash
4366 */
4367 md_alg = mbedtls_ssl_md_alg_from_hash(ssl->in_msg[i]);
4368
4369 if (md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md(ssl, ssl->in_msg[i])) {
4370 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4371 " for verify message"));
4372 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
4373 }
4374
4375#if !defined(MBEDTLS_MD_SHA1)
4376 if (MBEDTLS_MD_SHA1 == md_alg) {
4377 hash_start += 16;
4378 }
4379#endif
4380
4381 /* Info from md_alg will be used instead */
4382 hashlen = 0;
4383
4384 i++;
4385
4386 /*
4387 * Signature
4388 */
4389 if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
4390 == MBEDTLS_PK_NONE) {
4391 MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
4392 " for verify message"));
4393 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
4394 }
4395
4396 /*
4397 * Check the certificate's key type matches the signature alg
4398 */
4399 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
4400 MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
4401 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
4402 }
4403
4404 i++;
4405 } else
4406#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4407 {
4408 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4409 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4410 }
4411
4412 if (i + 2 > ssl->in_hslen) {
4413 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4414 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
4415 }
4416
4417 sig_len = (ssl->in_msg[i] << 8) | ssl->in_msg[i+1];
4418 i += 2;
4419
4420 if (i + sig_len != ssl->in_hslen) {
4421 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate verify message"));
4422 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
4423 }
4424
4425 /* Calculate hash and verify signature */
4426 {
4427 size_t dummy_hlen;
4428 ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
4429 }
4430
4431 if ((ret = mbedtls_pk_verify(peer_pk,
4432 md_alg, hash_start, hashlen,
4433 ssl->in_msg + i, sig_len)) != 0) {
4434 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
4435 return ret;
4436 }
4437
4438 mbedtls_ssl_update_handshake_status(ssl);
4439
4440 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
4441
4442 return ret;
4443}
4444#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4445
4446#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4447MBEDTLS_CHECK_RETURN_CRITICAL
4448static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
4449{
4450 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4451 size_t tlen;
4452 uint32_t lifetime;
4453
4454 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write new session ticket"));
4455
4456 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4457 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4458
4459 /*
4460 * struct {
4461 * uint32 ticket_lifetime_hint;
4462 * opaque ticket<0..2^16-1>;
4463 * } NewSessionTicket;
4464 *
4465 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4466 * 8 . 9 ticket_len (n)
4467 * 10 . 9+n ticket content
4468 */
4469
4470 if ((ret = ssl->conf->f_ticket_write(ssl->conf->p_ticket,
4471 ssl->session_negotiate,
4472 ssl->out_msg + 10,
4473 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4474 &tlen, &lifetime)) != 0) {
4475 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_ticket_write", ret);
4476 tlen = 0;
4477 }
4478
4479 MBEDTLS_PUT_UINT32_BE(lifetime, ssl->out_msg, 4);
4480 MBEDTLS_PUT_UINT16_BE(tlen, ssl->out_msg, 8);
4481 ssl->out_msglen = 10 + tlen;
4482
4483 /*
4484 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4485 * ChangeCipherSpec share the same state.
4486 */
4487 ssl->handshake->new_session_ticket = 0;
4488
4489 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4490 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4491 return ret;
4492 }
4493
4494 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write new session ticket"));
4495
4496 return 0;
4497}
4498#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4499
4500/*
4501 * SSL handshake -- server side -- single step
4502 */
4503int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
4504{
4505 int ret = 0;
4506
4507 if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
4508 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4509 }
4510
4511 MBEDTLS_SSL_DEBUG_MSG(2, ("server state: %d", ssl->state));
4512
4513 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4514 return ret;
4515 }
4516
4517#if defined(MBEDTLS_SSL_PROTO_DTLS)
4518 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4519 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4520 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4521 return ret;
4522 }
4523 }
4524#endif /* MBEDTLS_SSL_PROTO_DTLS */
4525
4526 switch (ssl->state) {
4527 case MBEDTLS_SSL_HELLO_REQUEST:
4528 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4529 break;
4530
4531 /*
4532 * <== ClientHello
4533 */
4534 case MBEDTLS_SSL_CLIENT_HELLO:
4535 ret = ssl_parse_client_hello(ssl);
4536 break;
4537
4538#if defined(MBEDTLS_SSL_PROTO_DTLS)
4539 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4540 return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED;
4541#endif
4542
4543 /*
4544 * ==> ServerHello
4545 * Certificate
4546 * ( ServerKeyExchange )
4547 * ( CertificateRequest )
4548 * ServerHelloDone
4549 */
4550 case MBEDTLS_SSL_SERVER_HELLO:
4551 ret = ssl_write_server_hello(ssl);
4552 break;
4553
4554 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4555 ret = mbedtls_ssl_write_certificate(ssl);
4556 break;
4557
4558 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4559 ret = ssl_write_server_key_exchange(ssl);
4560 break;
4561
4562 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4563 ret = ssl_write_certificate_request(ssl);
4564 break;
4565
4566 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4567 ret = ssl_write_server_hello_done(ssl);
4568 break;
4569
4570 /*
4571 * <== ( Certificate/Alert )
4572 * ClientKeyExchange
4573 * ( CertificateVerify )
4574 * ChangeCipherSpec
4575 * Finished
4576 */
4577 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4578 ret = mbedtls_ssl_parse_certificate(ssl);
4579 break;
4580
4581 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4582 ret = ssl_parse_client_key_exchange(ssl);
4583 break;
4584
4585 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4586 ret = ssl_parse_certificate_verify(ssl);
4587 break;
4588
4589 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4590 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4591 break;
4592
4593 case MBEDTLS_SSL_CLIENT_FINISHED:
4594 ret = mbedtls_ssl_parse_finished(ssl);
4595 break;
4596
4597 /*
4598 * ==> ( NewSessionTicket )
4599 * ChangeCipherSpec
4600 * Finished
4601 */
4602 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4603#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4604 if (ssl->handshake->new_session_ticket != 0) {
4605 ret = ssl_write_new_session_ticket(ssl);
4606 } else
4607#endif
4608 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4609 break;
4610
4611 case MBEDTLS_SSL_SERVER_FINISHED:
4612 ret = mbedtls_ssl_write_finished(ssl);
4613 break;
4614
4615 case MBEDTLS_SSL_FLUSH_BUFFERS:
4616 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
4617 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4618 break;
4619
4620 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4621 mbedtls_ssl_handshake_wrapup(ssl);
4622 break;
4623
4624 default:
4625 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4626 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4627 }
4628
4629 return ret;
4630}
4631#endif /* MBEDTLS_SSL_SRV_C */
4632