2 * SSLv3/TLSv1 client-side functions
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
25 #include MBEDTLS_CONFIG_FILE
28 #if defined(MBEDTLS_SSL_CLI_C)
30 #if defined(MBEDTLS_PLATFORM_C)
31 #include "mbedtls/platform.h"
34 #define mbedtls_calloc calloc
35 #define mbedtls_free free
38 #include "mbedtls/debug.h"
39 #include "mbedtls/ssl.h"
40 #include "mbedtls/ssl_internal.h"
46 #if defined(MBEDTLS_HAVE_TIME)
47 #include "mbedtls/platform_time.h"
50 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
51 #include "mbedtls/platform_util.h"
54 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
55 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
59 unsigned char *p = buf;
60 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
65 if( ssl->hostname == NULL )
68 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
71 hostname_len = strlen( ssl->hostname );
73 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
75 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
80 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
82 * In order to provide any of the server names, clients MAY include an
83 * extension of type "server_name" in the (extended) client hello. The
84 * "extension_data" field of this extension SHALL contain
85 * "ServerNameList" where:
89 * select (name_type) {
90 * case host_name: HostName;
98 * opaque HostName<1..2^16-1>;
101 * ServerName server_name_list<1..2^16-1>
105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
106 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
108 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
109 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
111 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
112 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
114 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
115 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
116 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
118 memcpy( p, ssl->hostname, hostname_len );
120 *olen = hostname_len + 9;
122 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
124 #if defined(MBEDTLS_SSL_RENEGOTIATION)
125 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
129 unsigned char *p = buf;
130 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
134 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
135 * initial ClientHello, in which case also adding the renegotiation
136 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
137 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
140 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
142 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
149 * Secure renegotiation
151 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
152 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
155 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
156 *p++ = ssl->verify_data_len & 0xFF;
158 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
160 *olen = 5 + ssl->verify_data_len;
162 #endif /* MBEDTLS_SSL_RENEGOTIATION */
165 * Only if we handle at least one key exchange that needs signatures.
167 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
168 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
169 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
173 unsigned char *p = buf;
174 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
175 size_t sig_alg_len = 0;
177 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
178 unsigned char *sig_alg_list = buf + 6;
183 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
188 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
190 #if defined(MBEDTLS_ECDSA_C)
193 #if defined(MBEDTLS_RSA_C)
198 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
205 * Prepare signature_algorithms extension (TLS 1.2)
209 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
211 #if defined(MBEDTLS_ECDSA_C)
212 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
213 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
215 #if defined(MBEDTLS_RSA_C)
216 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
217 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
223 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
227 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
228 * SignatureAlgorithm;
231 * HashAlgorithm hash;
232 * SignatureAlgorithm signature;
233 * } SignatureAndHashAlgorithm;
235 * SignatureAndHashAlgorithm
236 * supported_signature_algorithms<2..2^16-2>;
238 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
239 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
241 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
242 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
244 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
245 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
247 *olen = 6 + sig_alg_len;
249 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
250 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
252 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
253 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
254 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
258 unsigned char *p = buf;
259 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
260 unsigned char *elliptic_curve_list = p + 6;
261 size_t elliptic_curve_len = 0;
262 const mbedtls_ecp_curve_info *info;
263 #if defined(MBEDTLS_ECP_C)
264 const mbedtls_ecp_group_id *grp_id;
271 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
273 #if defined(MBEDTLS_ECP_C)
274 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
276 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
279 #if defined(MBEDTLS_ECP_C)
280 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
288 elliptic_curve_len += 2;
291 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
297 elliptic_curve_len = 0;
299 #if defined(MBEDTLS_ECP_C)
300 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
302 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
305 #if defined(MBEDTLS_ECP_C)
306 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
308 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
309 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
312 if( elliptic_curve_len == 0 )
315 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
316 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
318 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
319 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
321 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
322 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
324 *olen = 6 + elliptic_curve_len;
327 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
331 unsigned char *p = buf;
332 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
336 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
338 if( end < p || (size_t)( end - p ) < 6 )
340 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
344 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
345 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
351 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
355 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
356 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
358 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
359 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
364 unsigned char *p = buf;
365 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
370 /* Skip costly extension if we can't use EC J-PAKE anyway */
371 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
374 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
382 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
386 * We may need to send ClientHello multiple times for Hello verification.
387 * We don't want to compute fresh values every time (both for performance
388 * and consistency reasons), so cache the extension content.
390 if( ssl->handshake->ecjpake_cache == NULL ||
391 ssl->handshake->ecjpake_cache_len == 0 )
393 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
395 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
396 p + 2, end - p - 2, &kkpp_len,
397 ssl->conf->f_rng, ssl->conf->p_rng );
400 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
404 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
405 if( ssl->handshake->ecjpake_cache == NULL )
407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
411 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
412 ssl->handshake->ecjpake_cache_len = kkpp_len;
416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
418 kkpp_len = ssl->handshake->ecjpake_cache_len;
420 if( (size_t)( end - p - 2 ) < kkpp_len )
422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
426 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
429 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
430 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
432 *olen = kkpp_len + 4;
434 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
436 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
437 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
441 unsigned char *p = buf;
442 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
446 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
450 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
452 if( end < p || (size_t)( end - p ) < 5 )
454 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
458 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
459 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
464 *p++ = ssl->conf->mfl_code;
468 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
470 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
471 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
472 unsigned char *buf, size_t *olen )
474 unsigned char *p = buf;
475 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
479 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
484 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
486 if( end < p || (size_t)( end - p ) < 4 )
488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
492 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
493 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
500 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
502 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
503 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
504 unsigned char *buf, size_t *olen )
506 unsigned char *p = buf;
507 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
511 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
512 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
517 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
520 if( end < p || (size_t)( end - p ) < 4 )
522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
526 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
527 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
534 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
536 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
537 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
538 unsigned char *buf, size_t *olen )
540 unsigned char *p = buf;
541 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
545 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
546 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
551 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
554 if( end < p || (size_t)( end - p ) < 4 )
556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
560 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
561 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
568 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
570 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
571 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
572 unsigned char *buf, size_t *olen )
574 unsigned char *p = buf;
575 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
576 size_t tlen = ssl->session_negotiate->ticket_len;
580 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
585 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
587 if( end < p || (size_t)( end - p ) < 4 + tlen )
589 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
593 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
594 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
596 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
597 *p++ = (unsigned char)( ( tlen ) & 0xFF );
601 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
606 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
608 memcpy( p, ssl->session_negotiate->ticket, tlen );
612 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
614 #if defined(MBEDTLS_SSL_ALPN)
615 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
616 unsigned char *buf, size_t *olen )
618 unsigned char *p = buf;
619 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
625 if( ssl->conf->alpn_list == NULL )
630 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
632 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
633 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
635 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
641 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
642 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
645 * opaque ProtocolName<1..2^8-1>;
648 * ProtocolName protocol_name_list<2..2^16-1>
649 * } ProtocolNameList;
652 /* Skip writing extension and list length for now */
655 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
657 *p = (unsigned char)( strlen( *cur ) & 0xFF );
658 memcpy( p + 1, *cur, *p );
664 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
665 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
666 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
668 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
669 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
670 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
672 #endif /* MBEDTLS_SSL_ALPN */
675 * Generate random bytes for ClientHello
677 static int ssl_generate_random( mbedtls_ssl_context *ssl )
680 unsigned char *p = ssl->handshake->randbytes;
681 #if defined(MBEDTLS_HAVE_TIME)
686 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
688 #if defined(MBEDTLS_SSL_PROTO_DTLS)
689 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
690 ssl->handshake->verify_cookie != NULL )
696 #if defined(MBEDTLS_HAVE_TIME)
697 t = mbedtls_time( NULL );
698 *p++ = (unsigned char)( t >> 24 );
699 *p++ = (unsigned char)( t >> 16 );
700 *p++ = (unsigned char)( t >> 8 );
701 *p++ = (unsigned char)( t );
703 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
705 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
709 #endif /* MBEDTLS_HAVE_TIME */
711 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
718 * \brief Validate cipher suite against config in SSL context.
720 * \param suite_info cipher suite to validate
721 * \param ssl SSL context
722 * \param min_minor_ver Minimal minor version to accept a cipher suite
723 * \param max_minor_ver Maximal minor version to accept a cipher suite
725 * \return 0 if valid, else 1
727 static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
728 const mbedtls_ssl_context * ssl,
729 int min_minor_ver, int max_minor_ver )
732 if( suite_info == NULL )
735 if( suite_info->min_minor_ver > max_minor_ver ||
736 suite_info->max_minor_ver < min_minor_ver )
739 #if defined(MBEDTLS_SSL_PROTO_DTLS)
740 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
741 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
745 #if defined(MBEDTLS_ARC4_C)
746 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
747 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
751 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
752 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
753 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
760 static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
763 size_t i, n, olen, ext_len = 0;
765 unsigned char *p, *q;
766 unsigned char offer_compress;
767 const int *ciphersuites;
768 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
769 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
770 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
774 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
776 if( ssl->conf->f_rng == NULL )
778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
779 return( MBEDTLS_ERR_SSL_NO_RNG );
782 #if defined(MBEDTLS_SSL_RENEGOTIATION)
783 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
786 ssl->major_ver = ssl->conf->min_major_ver;
787 ssl->minor_ver = ssl->conf->min_minor_ver;
790 if( ssl->conf->max_major_ver == 0 )
792 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
793 "consider using mbedtls_ssl_config_defaults()" ) );
794 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
798 * 0 . 0 handshake type
799 * 1 . 3 handshake length
800 * 4 . 5 highest version supported
801 * 6 . 9 current UNIX time
802 * 10 . 37 random bytes
807 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
808 ssl->conf->transport, p );
811 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
814 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
816 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
820 memcpy( p, ssl->handshake->randbytes, 32 );
821 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
825 * 38 . 38 session id length
826 * 39 . 39+n session id
827 * 39+n . 39+n DTLS only: cookie length (1 byte)
828 * 40+n . .. DTSL only: cookie
829 * .. . .. ciphersuitelist length (2 bytes)
830 * .. . .. ciphersuitelist
831 * .. . .. compression methods length (1 byte)
832 * .. . .. compression methods
833 * .. . .. extensions length (2 bytes)
836 n = ssl->session_negotiate->id_len;
838 if( n < 16 || n > 32 ||
839 #if defined(MBEDTLS_SSL_RENEGOTIATION)
840 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
842 ssl->handshake->resume == 0 )
847 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
849 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
850 * generate and include a Session ID in the TLS ClientHello."
852 #if defined(MBEDTLS_SSL_RENEGOTIATION)
853 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
856 if( ssl->session_negotiate->ticket != NULL &&
857 ssl->session_negotiate->ticket_len != 0 )
859 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
864 ssl->session_negotiate->id_len = n = 32;
867 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
869 *p++ = (unsigned char) n;
871 for( i = 0; i < n; i++ )
872 *p++ = ssl->session_negotiate->id[i];
874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
875 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
880 #if defined(MBEDTLS_SSL_PROTO_DTLS)
881 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
883 if( ssl->handshake->verify_cookie == NULL )
885 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
890 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
891 ssl->handshake->verify_cookie,
892 ssl->handshake->verify_cookie_len );
894 *p++ = ssl->handshake->verify_cookie_len;
895 memcpy( p, ssl->handshake->verify_cookie,
896 ssl->handshake->verify_cookie_len );
897 p += ssl->handshake->verify_cookie_len;
905 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
907 /* Skip writing ciphersuite length for now */
912 for( i = 0; ciphersuites[i] != 0; i++ )
914 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
916 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
917 ssl->conf->min_minor_ver,
918 ssl->conf->max_minor_ver ) != 0 )
921 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
924 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
925 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
926 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
930 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
931 *p++ = (unsigned char)( ciphersuites[i] );
934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
937 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
939 #if defined(MBEDTLS_SSL_RENEGOTIATION)
940 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
943 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
944 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
945 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
949 /* Some versions of OpenSSL don't handle it correctly if not at end */
950 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
951 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
954 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
955 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
960 *q++ = (unsigned char)( n >> 7 );
961 *q++ = (unsigned char)( n << 1 );
963 #if defined(MBEDTLS_ZLIB_SUPPORT)
970 * We don't support compression with DTLS right now: if many records come
971 * in the same datagram, uncompressing one could overwrite the next one.
972 * We don't want to add complexity for handling that case unless there is
973 * an actual need for it.
975 #if defined(MBEDTLS_SSL_PROTO_DTLS)
976 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
982 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
983 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
984 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
987 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
988 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
992 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
993 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
994 MBEDTLS_SSL_COMPRESS_NULL ) );
997 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1000 // First write extensions, then the total length
1002 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1003 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1007 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1008 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
1009 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1010 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1014 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1015 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1016 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1020 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1021 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1024 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1027 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1032 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1033 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1037 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1038 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1042 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1043 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1047 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1048 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1052 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1053 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1057 #if defined(MBEDTLS_SSL_ALPN)
1058 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1062 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1063 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1067 /* olen unused if all extensions are disabled */
1070 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1075 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1076 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1080 ssl->out_msglen = p - buf;
1081 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1082 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1086 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1087 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1088 mbedtls_ssl_send_flight_completed( ssl );
1091 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
1093 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
1097 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1098 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1099 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1104 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1111 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1112 const unsigned char *buf,
1115 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1116 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1118 /* Check verify-data in constant-time. The length OTOH is no secret */
1119 if( len != 1 + ssl->verify_data_len * 2 ||
1120 buf[0] != ssl->verify_data_len * 2 ||
1121 mbedtls_ssl_safer_memcmp( buf + 1,
1122 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1123 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
1124 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1127 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1128 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1129 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1133 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1135 if( len != 1 || buf[0] != 0x00 )
1137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
1138 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1139 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1140 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1143 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1149 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1150 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1151 const unsigned char *buf,
1155 * server should use the extension only if we did,
1156 * and if so the server's value should match ours (and len is always 1)
1158 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1160 buf[0] != ssl->conf->mfl_code )
1162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
1163 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1164 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1165 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1170 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1172 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1173 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1174 const unsigned char *buf,
1177 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
1181 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1182 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1183 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1188 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1192 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1194 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1195 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1196 const unsigned char *buf,
1199 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1200 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
1204 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1205 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1206 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1211 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1215 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1217 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1218 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1219 const unsigned char *buf,
1222 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1223 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1226 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
1227 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1228 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1229 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1234 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1238 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1240 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1241 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1242 const unsigned char *buf,
1245 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1248 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
1249 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1250 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1251 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1256 ssl->handshake->new_session_ticket = 1;
1260 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1262 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1263 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1264 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1265 const unsigned char *buf,
1269 const unsigned char *p;
1271 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
1273 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1274 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1275 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1276 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1281 while( list_size > 0 )
1283 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1284 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1286 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1287 ssl->handshake->ecdh_ctx.point_format = p[0];
1289 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1290 ssl->handshake->ecjpake_ctx.point_format = p[0];
1292 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1301 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1302 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1303 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1305 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1306 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1308 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1309 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1310 const unsigned char *buf,
1315 if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
1316 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1318 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1322 /* If we got here, we no longer need our cached extension */
1323 mbedtls_free( ssl->handshake->ecjpake_cache );
1324 ssl->handshake->ecjpake_cache = NULL;
1325 ssl->handshake->ecjpake_cache_len = 0;
1327 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1330 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1331 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1332 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1338 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1340 #if defined(MBEDTLS_SSL_ALPN)
1341 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1342 const unsigned char *buf, size_t len )
1344 size_t list_len, name_len;
1347 /* If we didn't send it, the server shouldn't send it */
1348 if( ssl->conf->alpn_list == NULL )
1350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
1351 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1352 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1353 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1357 * opaque ProtocolName<1..2^8-1>;
1360 * ProtocolName protocol_name_list<2..2^16-1>
1361 * } ProtocolNameList;
1363 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1366 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1369 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1370 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1371 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1374 list_len = ( buf[0] << 8 ) | buf[1];
1375 if( list_len != len - 2 )
1377 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1378 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1379 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1383 if( name_len != list_len - 1 )
1385 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1386 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1387 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1390 /* Check that the server chosen protocol was in our list and save it */
1391 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1393 if( name_len == strlen( *p ) &&
1394 memcmp( buf + 3, *p, name_len ) == 0 )
1396 ssl->alpn_chosen = *p;
1401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
1402 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1403 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1404 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1406 #endif /* MBEDTLS_SSL_ALPN */
1409 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1411 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1412 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1414 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1415 int major_ver, minor_ver;
1416 unsigned char cookie_len;
1418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1422 * ProtocolVersion server_version;
1423 * opaque cookie<0..2^8-1>;
1424 * } HelloVerifyRequest;
1426 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1427 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1431 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1432 * even is lower than our min version.
1434 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1435 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1436 major_ver > ssl->conf->max_major_ver ||
1437 minor_ver > ssl->conf->max_minor_ver )
1439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1441 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1442 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1444 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1448 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1450 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1452 MBEDTLS_SSL_DEBUG_MSG( 1,
1453 ( "cookie length does not match incoming message size" ) );
1454 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1455 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1456 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1459 mbedtls_free( ssl->handshake->verify_cookie );
1461 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1462 if( ssl->handshake->verify_cookie == NULL )
1464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1465 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1468 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1469 ssl->handshake->verify_cookie_len = cookie_len;
1471 /* Start over at ClientHello */
1472 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1473 mbedtls_ssl_reset_checksum( ssl );
1475 mbedtls_ssl_recv_flight_completed( ssl );
1477 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1481 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1483 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1488 unsigned char *buf, *ext;
1490 #if defined(MBEDTLS_ZLIB_SUPPORT)
1493 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1494 int renegotiation_info_seen = 0;
1496 int handshake_failure = 0;
1497 const mbedtls_ssl_ciphersuite_t *suite_info;
1499 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1503 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
1505 /* No alert on a read error. */
1506 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1510 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1512 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1513 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1515 ssl->renego_records_seen++;
1517 if( ssl->conf->renego_max_records >= 0 &&
1518 ssl->renego_records_seen > ssl->conf->renego_max_records )
1520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
1521 "but not honored by server" ) );
1522 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1527 ssl->keep_current_message = 1;
1528 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1530 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1533 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1534 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1535 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1538 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1539 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1541 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1543 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1544 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1545 return( ssl_parse_hello_verify_request( ssl ) );
1549 /* We made it through the verification process */
1550 mbedtls_free( ssl->handshake->verify_cookie );
1551 ssl->handshake->verify_cookie = NULL;
1552 ssl->handshake->verify_cookie_len = 0;
1555 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1557 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1558 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1560 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1561 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1562 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1563 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1567 * 0 . 1 server_version
1568 * 2 . 33 random (maybe including 4 bytes of Unix time)
1569 * 34 . 34 session_id length = n
1570 * 35 . 34+n session_id
1571 * 35+n . 36+n cipher_suite
1572 * 37+n . 37+n compression_method
1574 * 38+n . 39+n extensions length (optional)
1575 * 40+n . .. extensions
1577 buf += mbedtls_ssl_hs_hdr_len( ssl );
1579 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1580 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1581 ssl->conf->transport, buf + 0 );
1583 if( ssl->major_ver < ssl->conf->min_major_ver ||
1584 ssl->minor_ver < ssl->conf->min_minor_ver ||
1585 ssl->major_ver > ssl->conf->max_major_ver ||
1586 ssl->minor_ver > ssl->conf->max_minor_ver )
1588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
1589 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1590 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
1591 ssl->major_ver, ssl->minor_ver,
1592 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
1594 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1595 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1597 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1600 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1601 ( (uint32_t) buf[2] << 24 ) |
1602 ( (uint32_t) buf[3] << 16 ) |
1603 ( (uint32_t) buf[4] << 8 ) |
1604 ( (uint32_t) buf[5] ) ) );
1606 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1610 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1614 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1615 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1616 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1617 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1620 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1622 ext_len = ( ( buf[38 + n] << 8 )
1623 | ( buf[39 + n] ) );
1625 if( ( ext_len > 0 && ext_len < 4 ) ||
1626 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1628 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1629 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1630 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1631 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1634 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1641 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1642 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1643 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1646 /* ciphersuite (used later) */
1647 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1650 * Read and check compression
1654 #if defined(MBEDTLS_ZLIB_SUPPORT)
1655 /* See comments in ssl_write_client_hello() */
1656 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1657 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1663 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1664 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1665 #else /* MBEDTLS_ZLIB_SUPPORT */
1666 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1667 #endif/* MBEDTLS_ZLIB_SUPPORT */
1669 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
1670 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1671 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1672 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1676 * Initialize update checksum functions
1678 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
1680 if( ssl->transform_negotiate->ciphersuite_info == NULL )
1682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1683 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1684 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1685 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1688 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
1690 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1691 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1694 * Check if the session can be resumed
1696 if( ssl->handshake->resume == 0 || n == 0 ||
1697 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1698 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1700 ssl->session_negotiate->ciphersuite != i ||
1701 ssl->session_negotiate->compression != comp ||
1702 ssl->session_negotiate->id_len != n ||
1703 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1706 ssl->handshake->resume = 0;
1707 #if defined(MBEDTLS_HAVE_TIME)
1708 ssl->session_negotiate->start = mbedtls_time( NULL );
1710 ssl->session_negotiate->ciphersuite = i;
1711 ssl->session_negotiate->compression = comp;
1712 ssl->session_negotiate->id_len = n;
1713 memcpy( ssl->session_negotiate->id, buf + 35, n );
1717 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1719 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1721 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1722 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1723 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1729 ssl->handshake->resume ? "a" : "no" ) );
1731 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
1732 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
1735 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1740 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1743 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1744 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1745 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1748 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1749 ssl->session_negotiate->ciphersuite )
1755 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
1756 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
1758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1759 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1760 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1761 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1764 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1766 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
1767 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1768 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1770 ssl->handshake->ecrs_enabled = 1;
1774 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1775 #if defined(MBEDTLS_ZLIB_SUPPORT)
1776 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
1780 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1781 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1782 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1783 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1785 ssl->session_negotiate->compression = comp;
1789 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1793 unsigned int ext_id = ( ( ext[0] << 8 )
1795 unsigned int ext_size = ( ( ext[2] << 8 )
1798 if( ext_size + 4 > ext_len )
1800 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1801 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1802 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1803 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1808 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1809 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1810 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1811 renegotiation_info_seen = 1;
1814 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1820 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1821 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1822 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1824 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1825 ext + 4, ext_size ) ) != 0 )
1831 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1833 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1834 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1837 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1838 ext + 4, ext_size ) ) != 0 )
1844 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1846 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1847 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1848 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
1850 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
1851 ext + 4, ext_size ) ) != 0 )
1857 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1859 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1860 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1861 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
1863 if( ( ret = ssl_parse_extended_ms_ext( ssl,
1864 ext + 4, ext_size ) ) != 0 )
1870 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1872 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1873 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
1876 if( ( ret = ssl_parse_session_ticket_ext( ssl,
1877 ext + 4, ext_size ) ) != 0 )
1883 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1885 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1886 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1887 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1888 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
1890 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
1891 ext + 4, ext_size ) ) != 0 )
1897 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1898 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1900 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1901 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1902 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
1904 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
1905 ext + 4, ext_size ) ) != 0 )
1911 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1913 #if defined(MBEDTLS_SSL_ALPN)
1914 case MBEDTLS_TLS_EXT_ALPN:
1915 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1917 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
1921 #endif /* MBEDTLS_SSL_ALPN */
1924 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1928 ext_len -= 4 + ext_size;
1929 ext += 4 + ext_size;
1931 if( ext_len > 0 && ext_len < 4 )
1933 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1934 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1939 * Renegotiation security checks
1941 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1942 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1945 handshake_failure = 1;
1947 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1948 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1949 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1950 renegotiation_info_seen == 0 )
1952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1953 handshake_failure = 1;
1955 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1956 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1957 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
1959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1960 handshake_failure = 1;
1962 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1963 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1964 renegotiation_info_seen == 1 )
1966 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1967 handshake_failure = 1;
1969 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1971 if( handshake_failure == 1 )
1973 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1974 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1975 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1978 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1983 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
1984 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1985 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
1986 unsigned char *end )
1988 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1991 * Ephemeral DH parameters:
1994 * opaque dh_p<1..2^16-1>;
1995 * opaque dh_g<1..2^16-1>;
1996 * opaque dh_Ys<1..2^16-1>;
1999 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
2001 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
2005 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
2007 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2008 ssl->handshake->dhm_ctx.len * 8,
2009 ssl->conf->dhm_min_bitlen ) );
2010 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2013 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2014 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2015 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2019 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2020 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2022 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2023 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2024 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2025 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2026 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
2027 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
2028 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
2030 const mbedtls_ecp_curve_info *curve_info;
2031 mbedtls_ecp_group_id grp_id;
2032 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2033 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2035 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2038 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
2039 if( curve_info == NULL )
2041 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2042 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2045 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
2047 #if defined(MBEDTLS_ECP_C)
2048 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
2050 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2051 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
2055 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2056 MBEDTLS_DEBUG_ECDH_QP );
2060 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2061 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2062 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2063 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2064 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ||
2065 MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
2067 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2068 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2069 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2070 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
2071 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
2073 unsigned char *end )
2075 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2078 * Ephemeral ECDH parameters:
2081 * ECParameters curve_params;
2083 * } ServerECDHParams;
2085 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
2086 (const unsigned char **) p, end ) ) != 0 )
2088 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
2089 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2090 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2091 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2096 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2098 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2099 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2104 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2105 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2106 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2107 MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED*/
2109 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2110 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
2112 unsigned char *end )
2117 if( ssl->conf->f_psk == NULL &&
2118 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
2119 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
2121 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
2122 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
2126 * Receive client pre-shared key identity name
2130 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2131 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2134 n = ( (*p)[0] << 8 ) | (*p)[1];
2142 if( n < 1 || n > 65535 || *p + n > end )
2144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2145 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
2148 if( ssl->conf->f_psk != NULL )
2150 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
2151 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
2155 /* Identity is not a big secret since clients send it in the clear,
2156 * but treat it carefully anyway, just in case */
2157 if( n != ssl->conf->psk_identity_len ||
2158 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
2160 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
2164 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
2166 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
2167 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
2168 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2169 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ) ) != 0 )
2174 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
2181 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2183 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2184 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2186 * Generate a pre-master secret and encrypt it with the server's RSA key
2188 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
2189 size_t offset, size_t *olen,
2193 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2194 unsigned char *p = ssl->handshake->premaster + pms_offset;
2196 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
2198 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2199 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2203 * Generate (part of) the pre-master as
2205 * ProtocolVersion client_version;
2206 * opaque random[46];
2207 * } PreMasterSecret;
2209 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2210 ssl->conf->transport, p );
2212 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2214 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2218 ssl->handshake->pmslen = 48;
2220 if( ssl->session_negotiate->peer_cert == NULL )
2222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2223 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2227 * Now write it out, encrypted
2229 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2233 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2236 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
2237 p, ssl->handshake->pmslen,
2238 ssl->out_msg + offset + len_bytes, olen,
2239 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
2240 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2242 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2246 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2247 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2248 if( len_bytes == 2 )
2250 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2251 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2258 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2259 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2261 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2262 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2263 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2264 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2265 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2268 mbedtls_md_type_t *md_alg,
2269 mbedtls_pk_type_t *pk_alg )
2272 *md_alg = MBEDTLS_MD_NONE;
2273 *pk_alg = MBEDTLS_PK_NONE;
2275 /* Only in TLS 1.2 */
2276 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2281 if( (*p) + 2 > end )
2282 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2285 * Get hash algorithm
2287 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
2289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
2290 "HashAlgorithm %d", *(p)[0] ) );
2291 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2295 * Get signature algorithm
2297 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
2299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
2300 "SignatureAlgorithm %d", (*p)[1] ) );
2301 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2305 * Check if the hash is acceptable
2307 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2311 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2314 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2315 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
2320 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2321 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2322 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2323 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2325 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2326 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2327 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2330 const mbedtls_ecp_keypair *peer_key;
2332 if( ssl->session_negotiate->peer_cert == NULL )
2334 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2335 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2338 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
2339 MBEDTLS_PK_ECKEY ) )
2341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2342 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2345 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
2347 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2348 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2350 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2354 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2356 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2357 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2362 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2363 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2365 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2368 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2369 ssl->transform_negotiate->ciphersuite_info;
2370 unsigned char *p = NULL, *end = NULL;
2372 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2374 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2375 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2377 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2385 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2386 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2387 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2388 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2390 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2392 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2393 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2394 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2398 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2404 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2405 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2407 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2408 if( ssl->handshake->ecrs_enabled &&
2409 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
2411 goto start_processing;
2415 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2417 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2421 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2423 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2424 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2425 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2426 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2430 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2431 * doesn't use a psk_identity_hint
2433 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2435 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2436 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2438 /* Current message is probably either
2439 * CertificateRequest or ServerHelloDone */
2440 ssl->keep_current_message = 1;
2444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2445 "not be skipped" ) );
2446 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2447 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2449 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2452 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2453 if( ssl->handshake->ecrs_enabled )
2454 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2458 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2459 end = ssl->in_msg + ssl->in_hslen;
2460 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2462 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2463 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2464 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2465 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2466 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2468 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2470 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2471 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2472 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2473 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2476 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2478 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2479 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2480 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2481 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2482 ; /* nothing more to do */
2484 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2485 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2486 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2487 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2488 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2489 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2491 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2493 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2494 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2495 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2496 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2500 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2501 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2502 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2503 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2504 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2505 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
2506 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2507 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2508 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
2509 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
2511 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2513 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2514 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2515 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2516 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2520 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2521 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2522 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2523 MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
2524 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2525 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2527 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2531 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2532 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2533 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2534 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2538 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2540 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2541 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2544 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2545 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
2547 size_t sig_len, hashlen;
2548 unsigned char hash[64];
2549 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2550 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2551 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2552 size_t params_len = p - params;
2553 void *rs_ctx = NULL;
2556 * Handle the digitally-signed structure
2558 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2559 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2561 if( ssl_parse_signature_algorithm( ssl, &p, end,
2562 &md_alg, &pk_alg ) != 0 )
2564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2565 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2566 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2567 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2570 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2573 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2574 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2575 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2579 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2580 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2581 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2582 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2584 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2586 /* Default hash for ECDSA is SHA-1 */
2587 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2588 md_alg = MBEDTLS_MD_SHA1;
2593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2594 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2597 // Anonymous cipher suite without sign, ecdh param only
2598 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
2599 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
2610 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2611 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2612 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2613 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2615 sig_len = ( p[0] << 8 ) | p[1];
2618 if( p != end - sig_len )
2620 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2621 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2622 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2623 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2626 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2629 * Compute the hash that has been signed
2631 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2632 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2633 if( md_alg == MBEDTLS_MD_NONE )
2636 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2642 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2643 MBEDTLS_SSL_PROTO_TLS1_1 */
2644 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2645 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2646 if( md_alg != MBEDTLS_MD_NONE )
2648 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2655 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2656 MBEDTLS_SSL_PROTO_TLS1_2 */
2658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2659 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2662 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2664 if( ssl->session_negotiate->peer_cert == NULL )
2666 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2667 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2668 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2669 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2675 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
2677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2678 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2679 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2680 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2683 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2684 if( ssl->handshake->ecrs_enabled )
2685 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2688 if( ( ret = mbedtls_pk_verify_restartable(
2689 &ssl->session_negotiate->peer_cert->pk,
2690 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
2692 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2693 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2695 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2696 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
2697 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
2698 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2699 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2700 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2705 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2710 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2715 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
2716 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2718 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2719 ssl->transform_negotiate->ciphersuite_info;
2721 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2723 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2724 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2725 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2726 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2727 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
2728 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
2730 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2736 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2738 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
2739 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2744 size_t cert_type_len = 0, dn_len = 0;
2745 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2746 ssl->transform_negotiate->ciphersuite_info;
2748 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2750 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2751 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2752 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2753 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2754 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
2755 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
2757 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2762 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2764 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2768 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2770 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2771 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2772 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2773 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2777 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
2779 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
2780 ssl->client_auth ? "a" : "no" ) );
2782 if( ssl->client_auth == 0 )
2784 /* Current message is probably the ServerHelloDone */
2785 ssl->keep_current_message = 1;
2791 * ClientCertificateType certificate_types<1..2^8-1>;
2792 * SignatureAndHashAlgorithm
2793 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
2794 * DistinguishedName certificate_authorities<0..2^16-1>;
2795 * } CertificateRequest;
2797 * Since we only support a single certificate on clients, let's just
2798 * ignore all the information that's supposed to help us pick a
2801 * We could check that our certificate matches the request, and bail out
2802 * if it doesn't, but it's simpler to just send the certificate anyway,
2803 * and give the server the opportunity to decide if it should terminate
2804 * the connection when it doesn't like our certificate.
2806 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
2807 * point we only have one hash available (see comments in
2808 * write_certificate_verify), so let's just use what we have.
2810 * However, we still minimally parse the message to check it is at least
2811 * superficially sane.
2815 /* certificate_types */
2816 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
2818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2819 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2820 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2821 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2823 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
2827 * In the subsequent code there are two paths that read from buf:
2828 * * the length of the signature algorithms field (if minor version of
2830 * * distinguished name length otherwise.
2831 * Both reach at most the index:
2832 * ...hdr_len + 2 + n,
2833 * therefore the buffer length at this point must be greater than that
2834 * regardless of the actual code path.
2836 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
2838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2839 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2840 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2841 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2844 /* supported_signature_algorithms */
2845 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2846 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2848 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2849 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
2850 #if defined(MBEDTLS_DEBUG_C)
2851 unsigned char* sig_alg;
2856 * The furthest access in buf is in the loop few lines below:
2859 * sig_alg = buf + ...hdr_len + 3 + n,
2860 * max(i) = sig_alg_len - 1.
2861 * Therefore the furthest access is:
2862 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
2864 * buf[...hdr_len + 3 + n + sig_alg_len],
2865 * which is one less than we need the buf to be.
2867 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
2869 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2870 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2871 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2872 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2875 #if defined(MBEDTLS_DEBUG_C)
2876 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
2877 for( i = 0; i < sig_alg_len; i += 2 )
2879 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
2880 ",%d", sig_alg[i], sig_alg[i + 1] ) );
2884 n += 2 + sig_alg_len;
2886 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2888 /* certificate_authorities */
2889 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
2890 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
2893 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
2895 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2896 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2897 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2898 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
2902 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
2906 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
2908 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
2912 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
2914 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2916 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2920 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2922 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2923 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2926 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
2927 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
2929 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
2930 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2931 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2932 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
2937 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2938 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2939 mbedtls_ssl_recv_flight_completed( ssl );
2942 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
2947 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
2951 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2952 ssl->transform_negotiate->ciphersuite_info;
2954 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
2956 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
2957 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
2960 * DHM key exchange -- send G^X mod P
2962 n = ssl->handshake->dhm_ctx.len;
2964 ssl->out_msg[4] = (unsigned char)( n >> 8 );
2965 ssl->out_msg[5] = (unsigned char)( n );
2968 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
2969 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
2970 &ssl->out_msg[i], n,
2971 ssl->conf->f_rng, ssl->conf->p_rng );
2974 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
2978 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
2979 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
2981 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
2982 ssl->handshake->premaster,
2983 MBEDTLS_PREMASTER_SIZE,
2984 &ssl->handshake->pmslen,
2985 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2987 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
2991 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
2994 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2995 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2996 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2997 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2998 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
2999 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED)
3000 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3001 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3002 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3003 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ||
3004 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON)
3007 * ECDH key exchange -- send client public value
3011 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3012 if( ssl->handshake->ecrs_enabled )
3014 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
3015 goto ecdh_calc_secret;
3017 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3021 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3023 &ssl->out_msg[i], 1000,
3024 ssl->conf->f_rng, ssl->conf->p_rng );
3027 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3028 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3029 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3030 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3035 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3036 MBEDTLS_DEBUG_ECDH_Q );
3038 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3039 if( ssl->handshake->ecrs_enabled )
3041 ssl->handshake->ecrs_n = n;
3042 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
3046 if( ssl->handshake->ecrs_enabled )
3047 n = ssl->handshake->ecrs_n;
3049 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3050 &ssl->handshake->pmslen,
3051 ssl->handshake->premaster,
3052 MBEDTLS_MPI_MAX_SIZE,
3053 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3055 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3056 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3057 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3058 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3063 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3064 MBEDTLS_DEBUG_ECDH_Z );
3067 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3068 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3069 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3070 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
3071 MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */
3072 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3073 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
3076 * opaque psk_identity<0..2^16-1>;
3078 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
3080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
3081 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3085 n = ssl->conf->psk_identity_len;
3087 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
3089 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3090 "SSL buffer too short" ) );
3091 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3094 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3095 ssl->out_msg[i++] = (unsigned char)( n );
3097 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
3098 i += ssl->conf->psk_identity_len;
3100 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3101 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3107 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3108 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3110 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3115 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3116 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3119 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3121 n = ssl->handshake->dhm_ctx.len;
3123 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
3125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3126 " or SSL buffer too short" ) );
3127 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3130 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3131 ssl->out_msg[i++] = (unsigned char)( n );
3133 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3134 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3135 &ssl->out_msg[i], n,
3136 ssl->conf->f_rng, ssl->conf->p_rng );
3139 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3144 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3145 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3146 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3149 * ClientECDiffieHellmanPublic public;
3151 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
3152 &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
3153 ssl->conf->f_rng, ssl->conf->p_rng );
3156 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3160 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3161 MBEDTLS_DEBUG_ECDH_Q );
3164 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3166 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3167 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3170 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3171 ciphersuite_info->key_exchange ) ) != 0 )
3173 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3178 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3179 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3180 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3183 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
3187 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3188 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3189 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3193 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
3194 ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
3195 ssl->conf->f_rng, ssl->conf->p_rng );
3198 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3202 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3203 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3204 ssl->conf->f_rng, ssl->conf->p_rng );
3207 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3212 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3214 ((void) ciphersuite_info);
3215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3216 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3219 ssl->out_msglen = i + n;
3220 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3221 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3225 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3227 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
3236 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3237 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3238 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3239 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3240 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3241 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3242 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3244 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3245 ssl->transform_negotiate->ciphersuite_info;
3248 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3250 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3252 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3256 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3257 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3258 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3259 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3260 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
3261 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
3263 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3268 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3269 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3272 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3274 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3275 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3276 ssl->transform_negotiate->ciphersuite_info;
3277 size_t n = 0, offset = 0;
3278 unsigned char hash[48];
3279 unsigned char *hash_start = hash;
3280 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3281 unsigned int hashlen;
3282 void *rs_ctx = NULL;
3284 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3286 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3287 if( ssl->handshake->ecrs_enabled &&
3288 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
3294 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3296 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3300 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3301 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3302 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3303 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3304 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
3305 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON )
3307 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3312 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3314 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3319 if( mbedtls_ssl_own_key( ssl ) == NULL )
3321 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3322 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3326 * Make a signature of the handshake digests
3328 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3329 if( ssl->handshake->ecrs_enabled )
3330 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3335 ssl->handshake->calc_verify( ssl, hash );
3337 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3338 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3339 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3342 * digitally-signed struct {
3343 * opaque md5_hash[16];
3344 * opaque sha_hash[20];
3348 * MD5(handshake_messages);
3351 * SHA(handshake_messages);
3354 md_alg = MBEDTLS_MD_NONE;
3357 * For ECDSA, default hash is SHA-1 only
3359 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
3363 md_alg = MBEDTLS_MD_SHA1;
3367 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3368 MBEDTLS_SSL_PROTO_TLS1_1 */
3369 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3370 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3373 * digitally-signed struct {
3374 * opaque handshake_messages[handshake_messages_length];
3377 * Taking shortcut here. We assume that the server always allows the
3378 * PRF Hash function and has sent it in the allowed signature
3379 * algorithms list received in the Certificate Request message.
3381 * Until we encounter a server that does not, we will take this
3384 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3385 * in order to satisfy 'weird' needs from the server side.
3387 if( ssl->transform_negotiate->ciphersuite_info->mac ==
3390 md_alg = MBEDTLS_MD_SHA384;
3391 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3395 md_alg = MBEDTLS_MD_SHA256;
3396 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3398 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
3400 /* Info from md_alg will be used instead */
3405 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3408 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3411 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3412 if( ssl->handshake->ecrs_enabled )
3413 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3416 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3417 md_alg, hash_start, hashlen,
3418 ssl->out_msg + 6 + offset, &n,
3419 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
3421 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3422 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3423 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3424 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3429 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3430 ssl->out_msg[5 + offset] = (unsigned char)( n );
3432 ssl->out_msglen = 6 + n + offset;
3433 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3434 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3438 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3440 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3444 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3448 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3449 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3450 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3451 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3452 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3453 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3455 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3456 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3461 unsigned char *ticket;
3462 const unsigned char *msg;
3464 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3466 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3468 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3472 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3475 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3476 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3477 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3482 * uint32 ticket_lifetime_hint;
3483 * opaque ticket<0..2^16-1>;
3484 * } NewSessionTicket;
3486 * 0 . 3 ticket_lifetime_hint
3487 * 4 . 5 ticket_len (n)
3488 * 6 . 5+n ticket content
3490 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3491 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3493 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3494 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3495 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3496 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3499 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3501 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3502 ( msg[2] << 8 ) | ( msg[3] );
3504 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3506 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3509 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3510 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3511 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3514 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3516 /* We're not waiting for a NewSessionTicket message any more */
3517 ssl->handshake->new_session_ticket = 0;
3518 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3521 * Zero-length ticket means the server changed his mind and doesn't want
3522 * to send a ticket after all, so just forget it
3524 if( ticket_len == 0 )
3527 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3528 ssl->session_negotiate->ticket_len );
3529 mbedtls_free( ssl->session_negotiate->ticket );
3530 ssl->session_negotiate->ticket = NULL;
3531 ssl->session_negotiate->ticket_len = 0;
3533 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3535 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3536 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3537 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
3538 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3541 memcpy( ticket, msg + 6, ticket_len );
3543 ssl->session_negotiate->ticket = ticket;
3544 ssl->session_negotiate->ticket_len = ticket_len;
3545 ssl->session_negotiate->ticket_lifetime = lifetime;
3548 * RFC 5077 section 3.4:
3549 * "If the client receives a session ticket from the server, then it
3550 * discards any Session ID that was sent in the ServerHello."
3552 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3553 ssl->session_negotiate->id_len = 0;
3555 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3559 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3562 * SSL handshake -- client side -- single step
3564 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3568 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3569 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3571 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3573 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3576 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3577 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3578 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3580 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3583 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3585 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3586 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3587 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3588 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3589 ssl->handshake->new_session_ticket != 0 )
3591 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3595 switch( ssl->state )
3597 case MBEDTLS_SSL_HELLO_REQUEST:
3598 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3604 case MBEDTLS_SSL_CLIENT_HELLO:
3605 ret = ssl_write_client_hello( ssl );
3611 * ( ServerKeyExchange )
3612 * ( CertificateRequest )
3615 case MBEDTLS_SSL_SERVER_HELLO:
3616 ret = ssl_parse_server_hello( ssl );
3619 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3620 ret = mbedtls_ssl_parse_certificate( ssl );
3623 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3624 ret = ssl_parse_server_key_exchange( ssl );
3627 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3628 ret = ssl_parse_certificate_request( ssl );
3631 case MBEDTLS_SSL_SERVER_HELLO_DONE:
3632 ret = ssl_parse_server_hello_done( ssl );
3636 * ==> ( Certificate/Alert )
3638 * ( CertificateVerify )
3642 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
3643 ret = mbedtls_ssl_write_certificate( ssl );
3646 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
3647 ret = ssl_write_client_key_exchange( ssl );
3650 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
3651 ret = ssl_write_certificate_verify( ssl );
3654 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
3655 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
3658 case MBEDTLS_SSL_CLIENT_FINISHED:
3659 ret = mbedtls_ssl_write_finished( ssl );
3663 * <== ( NewSessionTicket )
3667 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3668 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
3669 ret = ssl_parse_new_session_ticket( ssl );
3673 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
3674 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
3677 case MBEDTLS_SSL_SERVER_FINISHED:
3678 ret = mbedtls_ssl_parse_finished( ssl );
3681 case MBEDTLS_SSL_FLUSH_BUFFERS:
3682 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3683 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3686 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
3687 mbedtls_ssl_handshake_wrapup( ssl );
3691 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3692 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3697 #endif /* MBEDTLS_SSL_CLI_C */