2 * SSLv3/TLSv1 client-side functions
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
25 #include MBEDTLS_CONFIG_FILE
28 #if defined(MBEDTLS_SSL_CLI_C)
30 #if defined(MBEDTLS_PLATFORM_C)
31 #include "mbedtls/platform.h"
34 #define mbedtls_calloc calloc
35 #define mbedtls_free free
38 #include "mbedtls/debug.h"
39 #include "mbedtls/ssl.h"
40 #include "mbedtls/ssl_internal.h"
42 #if defined(MBEDTLS_USE_PSA_CRYPTO)
43 #include "mbedtls/psa_util.h"
44 #endif /* MBEDTLS_USE_PSA_CRYPTO */
50 #if defined(MBEDTLS_HAVE_TIME)
51 #include "mbedtls/platform_time.h"
54 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
55 #include "mbedtls/platform_util.h"
58 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
59 static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
61 if( conf->psk_identity == NULL ||
62 conf->psk_identity_len == 0 )
67 if( conf->psk != NULL && conf->psk_len != 0 )
70 #if defined(MBEDTLS_USE_PSA_CRYPTO)
71 if( conf->psk_opaque != 0 )
73 #endif /* MBEDTLS_USE_PSA_CRYPTO */
78 #if defined(MBEDTLS_USE_PSA_CRYPTO)
79 static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf )
81 if( conf->psk_identity == NULL ||
82 conf->psk_identity_len == 0 )
87 if( conf->psk != NULL && conf->psk_len != 0 )
92 #endif /* MBEDTLS_USE_PSA_CRYPTO */
94 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
96 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
97 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
101 unsigned char *p = buf;
102 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
107 if( ssl->hostname == NULL )
110 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
113 hostname_len = strlen( ssl->hostname );
115 if( end < p || (size_t)( end - p ) < hostname_len + 9 )
117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
122 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
124 * In order to provide any of the server names, clients MAY include an
125 * extension of type "server_name" in the (extended) client hello. The
126 * "extension_data" field of this extension SHALL contain
127 * "ServerNameList" where:
130 * NameType name_type;
131 * select (name_type) {
132 * case host_name: HostName;
137 * host_name(0), (255)
140 * opaque HostName<1..2^16-1>;
143 * ServerName server_name_list<1..2^16-1>
147 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
148 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
150 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
151 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
153 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
154 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
156 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
157 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
158 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
160 memcpy( p, ssl->hostname, hostname_len );
162 *olen = hostname_len + 9;
164 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
166 #if defined(MBEDTLS_SSL_RENEGOTIATION)
167 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
171 unsigned char *p = buf;
172 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
176 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
177 * initial ClientHello, in which case also adding the renegotiation
178 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
179 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
182 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
184 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
186 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
191 * Secure renegotiation
193 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
194 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
197 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
198 *p++ = ssl->verify_data_len & 0xFF;
200 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
202 *olen = 5 + ssl->verify_data_len;
204 #endif /* MBEDTLS_SSL_RENEGOTIATION */
207 * Only if we handle at least one key exchange that needs signatures.
209 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
210 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
211 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
215 unsigned char *p = buf;
216 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
217 size_t sig_alg_len = 0;
219 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
220 unsigned char *sig_alg_list = buf + 6;
225 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
228 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
230 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
232 #if defined(MBEDTLS_ECDSA_C)
235 #if defined(MBEDTLS_RSA_C)
240 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
247 * Prepare signature_algorithms extension (TLS 1.2)
251 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
253 #if defined(MBEDTLS_ECDSA_C)
254 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
255 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
257 #if defined(MBEDTLS_RSA_C)
258 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
259 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
265 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
269 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
270 * SignatureAlgorithm;
273 * HashAlgorithm hash;
274 * SignatureAlgorithm signature;
275 * } SignatureAndHashAlgorithm;
277 * SignatureAndHashAlgorithm
278 * supported_signature_algorithms<2..2^16-2>;
280 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
281 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
283 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
284 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
286 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
287 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
289 *olen = 6 + sig_alg_len;
291 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
292 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
294 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
295 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
296 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
300 unsigned char *p = buf;
301 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
302 unsigned char *elliptic_curve_list = p + 6;
303 size_t elliptic_curve_len = 0;
304 const mbedtls_ecp_curve_info *info;
305 #if defined(MBEDTLS_ECP_C)
306 const mbedtls_ecp_group_id *grp_id;
313 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
315 #if defined(MBEDTLS_ECP_C)
316 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
318 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
321 #if defined(MBEDTLS_ECP_C)
322 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
326 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
330 elliptic_curve_len += 2;
333 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
339 elliptic_curve_len = 0;
341 #if defined(MBEDTLS_ECP_C)
342 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
344 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
347 #if defined(MBEDTLS_ECP_C)
348 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
350 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
351 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
354 if( elliptic_curve_len == 0 )
357 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
358 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
360 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
361 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
363 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
364 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
366 *olen = 6 + elliptic_curve_len;
369 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
373 unsigned char *p = buf;
374 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
380 if( end < p || (size_t)( end - p ) < 6 )
382 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
386 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
387 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
393 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
397 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
398 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
400 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
401 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
406 unsigned char *p = buf;
407 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
412 /* Skip costly extension if we can't use EC J-PAKE anyway */
413 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
416 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
424 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
425 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
428 * We may need to send ClientHello multiple times for Hello verification.
429 * We don't want to compute fresh values every time (both for performance
430 * and consistency reasons), so cache the extension content.
432 if( ssl->handshake->ecjpake_cache == NULL ||
433 ssl->handshake->ecjpake_cache_len == 0 )
435 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
437 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
438 p + 2, end - p - 2, &kkpp_len,
439 ssl->conf->f_rng, ssl->conf->p_rng );
442 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
446 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
447 if( ssl->handshake->ecjpake_cache == NULL )
449 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
453 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
454 ssl->handshake->ecjpake_cache_len = kkpp_len;
458 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
460 kkpp_len = ssl->handshake->ecjpake_cache_len;
462 if( (size_t)( end - p - 2 ) < kkpp_len )
464 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
468 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
471 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
472 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
474 *olen = kkpp_len + 4;
476 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
478 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
479 static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
483 unsigned char *p = buf;
485 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
488 * Quoting draft-ietf-tls-dtls-connection-id-05
489 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
492 * opaque cid<0..2^8-1>;
497 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
498 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
502 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
504 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
505 * which is at most 255, so the increment cannot overflow. */
506 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
512 /* Add extension ID + size */
513 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
514 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
515 ext_len = (size_t) ssl->own_cid_len + 1;
516 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
517 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
519 *p++ = (uint8_t) ssl->own_cid_len;
520 memcpy( p, ssl->own_cid, ssl->own_cid_len );
522 *olen = ssl->own_cid_len + 5;
524 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
526 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
527 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
531 unsigned char *p = buf;
532 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
536 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
540 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
542 if( end < p || (size_t)( end - p ) < 5 )
544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
548 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
549 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
554 *p++ = ssl->conf->mfl_code;
558 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
560 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
561 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
562 unsigned char *buf, size_t *olen )
564 unsigned char *p = buf;
565 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
569 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
574 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
576 if( end < p || (size_t)( end - p ) < 4 )
578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
582 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
583 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
590 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
592 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
593 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
594 unsigned char *buf, size_t *olen )
596 unsigned char *p = buf;
597 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
601 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
602 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
607 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
610 if( end < p || (size_t)( end - p ) < 4 )
612 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
616 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
617 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
624 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
626 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
627 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
628 unsigned char *buf, size_t *olen )
630 unsigned char *p = buf;
631 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
635 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
636 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
641 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
644 if( end < p || (size_t)( end - p ) < 4 )
646 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
650 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
651 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
658 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
660 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
661 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
662 unsigned char *buf, size_t *olen )
664 unsigned char *p = buf;
665 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
666 size_t tlen = ssl->session_negotiate->ticket_len;
670 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
677 if( end < p || (size_t)( end - p ) < 4 + tlen )
679 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
683 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
684 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
686 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
687 *p++ = (unsigned char)( ( tlen ) & 0xFF );
691 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
696 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
698 memcpy( p, ssl->session_negotiate->ticket, tlen );
702 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
704 #if defined(MBEDTLS_SSL_ALPN)
705 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
706 unsigned char *buf, size_t *olen )
708 unsigned char *p = buf;
709 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
715 if( ssl->conf->alpn_list == NULL )
720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
722 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
723 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
725 if( end < p || (size_t)( end - p ) < 6 + alpnlen )
727 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
731 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
732 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
735 * opaque ProtocolName<1..2^8-1>;
738 * ProtocolName protocol_name_list<2..2^16-1>
739 * } ProtocolNameList;
742 /* Skip writing extension and list length for now */
745 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
747 *p = (unsigned char)( strlen( *cur ) & 0xFF );
748 memcpy( p + 1, *cur, *p );
754 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
755 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
756 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
758 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
759 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
760 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
762 #endif /* MBEDTLS_SSL_ALPN */
765 * Generate random bytes for ClientHello
767 static int ssl_generate_random( mbedtls_ssl_context *ssl )
770 unsigned char *p = ssl->handshake->randbytes;
771 #if defined(MBEDTLS_HAVE_TIME)
776 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
778 #if defined(MBEDTLS_SSL_PROTO_DTLS)
779 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
780 ssl->handshake->verify_cookie != NULL )
786 #if defined(MBEDTLS_HAVE_TIME)
787 t = mbedtls_time( NULL );
788 *p++ = (unsigned char)( t >> 24 );
789 *p++ = (unsigned char)( t >> 16 );
790 *p++ = (unsigned char)( t >> 8 );
791 *p++ = (unsigned char)( t );
793 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
795 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
799 #endif /* MBEDTLS_HAVE_TIME */
801 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
808 * \brief Validate cipher suite against config in SSL context.
810 * \param suite_info cipher suite to validate
811 * \param ssl SSL context
812 * \param min_minor_ver Minimal minor version to accept a cipher suite
813 * \param max_minor_ver Maximal minor version to accept a cipher suite
815 * \return 0 if valid, else 1
817 static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
818 const mbedtls_ssl_context * ssl,
819 int min_minor_ver, int max_minor_ver )
822 if( suite_info == NULL )
825 if( suite_info->min_minor_ver > max_minor_ver ||
826 suite_info->max_minor_ver < min_minor_ver )
829 #if defined(MBEDTLS_SSL_PROTO_DTLS)
830 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
831 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
835 #if defined(MBEDTLS_ARC4_C)
836 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
837 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
841 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
842 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
843 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
847 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
848 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
849 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
850 ssl_conf_has_static_psk( ssl->conf ) == 0 )
854 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
859 static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
862 size_t i, n, olen, ext_len = 0;
864 unsigned char *p, *q;
865 unsigned char offer_compress;
866 const int *ciphersuites;
867 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
868 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
869 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
873 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
875 if( ssl->conf->f_rng == NULL )
877 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
878 return( MBEDTLS_ERR_SSL_NO_RNG );
881 #if defined(MBEDTLS_SSL_RENEGOTIATION)
882 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
885 ssl->major_ver = ssl->conf->min_major_ver;
886 ssl->minor_ver = ssl->conf->min_minor_ver;
889 if( ssl->conf->max_major_ver == 0 )
891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
892 "consider using mbedtls_ssl_config_defaults()" ) );
893 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
897 * 0 . 0 handshake type
898 * 1 . 3 handshake length
899 * 4 . 5 highest version supported
900 * 6 . 9 current UNIX time
901 * 10 . 37 random bytes
906 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
907 ssl->conf->transport, p );
910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
913 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
915 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
919 memcpy( p, ssl->handshake->randbytes, 32 );
920 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
924 * 38 . 38 session id length
925 * 39 . 39+n session id
926 * 39+n . 39+n DTLS only: cookie length (1 byte)
927 * 40+n . .. DTSL only: cookie
928 * .. . .. ciphersuitelist length (2 bytes)
929 * .. . .. ciphersuitelist
930 * .. . .. compression methods length (1 byte)
931 * .. . .. compression methods
932 * .. . .. extensions length (2 bytes)
935 n = ssl->session_negotiate->id_len;
937 if( n < 16 || n > 32 ||
938 #if defined(MBEDTLS_SSL_RENEGOTIATION)
939 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
941 ssl->handshake->resume == 0 )
946 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
948 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
949 * generate and include a Session ID in the TLS ClientHello."
951 #if defined(MBEDTLS_SSL_RENEGOTIATION)
952 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
955 if( ssl->session_negotiate->ticket != NULL &&
956 ssl->session_negotiate->ticket_len != 0 )
958 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
963 ssl->session_negotiate->id_len = n = 32;
966 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
968 *p++ = (unsigned char) n;
970 for( i = 0; i < n; i++ )
971 *p++ = ssl->session_negotiate->id[i];
973 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
974 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
979 #if defined(MBEDTLS_SSL_PROTO_DTLS)
980 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
982 if( ssl->handshake->verify_cookie == NULL )
984 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
989 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
990 ssl->handshake->verify_cookie,
991 ssl->handshake->verify_cookie_len );
993 *p++ = ssl->handshake->verify_cookie_len;
994 memcpy( p, ssl->handshake->verify_cookie,
995 ssl->handshake->verify_cookie_len );
996 p += ssl->handshake->verify_cookie_len;
1004 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1006 /* Skip writing ciphersuite length for now */
1011 for( i = 0; ciphersuites[i] != 0; i++ )
1013 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
1015 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
1016 ssl->conf->min_minor_ver,
1017 ssl->conf->max_minor_ver ) != 0 )
1020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
1021 ciphersuites[i] ) );
1023 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1024 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1025 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1029 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
1030 *p++ = (unsigned char)( ciphersuites[i] );
1033 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
1036 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1038 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1039 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1042 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
1043 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1044 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
1048 /* Some versions of OpenSSL don't handle it correctly if not at end */
1049 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1050 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
1052 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1053 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1054 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
1059 *q++ = (unsigned char)( n >> 7 );
1060 *q++ = (unsigned char)( n << 1 );
1062 #if defined(MBEDTLS_ZLIB_SUPPORT)
1069 * We don't support compression with DTLS right now: if many records come
1070 * in the same datagram, uncompressing one could overwrite the next one.
1071 * We don't want to add complexity for handling that case unless there is
1072 * an actual need for it.
1074 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1075 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1079 if( offer_compress )
1081 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1082 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1083 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
1086 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1087 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1091 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1092 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1093 MBEDTLS_SSL_COMPRESS_NULL ) );
1096 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1099 // First write extensions, then the total length
1101 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1102 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
1106 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1107 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
1108 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1109 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
1113 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1114 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1115 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
1119 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1120 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1123 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
1126 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
1131 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1132 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
1136 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1137 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
1139 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1141 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1142 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
1146 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1147 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
1151 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1152 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
1156 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1157 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
1161 #if defined(MBEDTLS_SSL_ALPN)
1162 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
1166 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1167 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
1171 /* olen unused if all extensions are disabled */
1174 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1179 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1180 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1184 ssl->out_msglen = p - buf;
1185 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1186 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1190 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1191 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1192 mbedtls_ssl_send_flight_completed( ssl );
1195 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
1197 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
1201 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1202 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1203 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1205 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1208 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1210 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1215 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1216 const unsigned char *buf,
1219 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1220 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1222 /* Check verify-data in constant-time. The length OTOH is no secret */
1223 if( len != 1 + ssl->verify_data_len * 2 ||
1224 buf[0] != ssl->verify_data_len * 2 ||
1225 mbedtls_ssl_safer_memcmp( buf + 1,
1226 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1227 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
1228 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1231 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1232 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1233 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1237 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1239 if( len != 1 || buf[0] != 0x00 )
1241 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
1242 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1243 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1244 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1247 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1253 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1254 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1255 const unsigned char *buf,
1259 * server should use the extension only if we did,
1260 * and if so the server's value should match ours (and len is always 1)
1262 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1264 buf[0] != ssl->conf->mfl_code )
1266 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
1267 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1268 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1269 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1274 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1276 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1277 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1278 const unsigned char *buf,
1281 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1284 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
1285 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1286 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1287 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1292 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1296 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1298 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1299 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
1300 const unsigned char *buf,
1303 size_t peer_cid_len;
1305 if( /* CID extension only makes sense in DTLS */
1306 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
1307 /* The server must only send the CID extension if we have offered it. */
1308 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
1310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
1311 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1312 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1313 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1318 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1319 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1320 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1321 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1324 peer_cid_len = *buf++;
1327 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
1329 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1330 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1331 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1332 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1335 if( len != peer_cid_len )
1337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
1338 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1339 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1340 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1343 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
1344 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1345 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
1347 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
1348 MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
1352 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1354 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1355 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1356 const unsigned char *buf,
1359 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1360 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
1364 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1365 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1366 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1371 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1375 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1377 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1378 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1379 const unsigned char *buf,
1382 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1383 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
1387 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1388 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1389 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1394 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1398 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1400 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1401 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1402 const unsigned char *buf,
1405 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1408 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
1409 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1410 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1411 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1416 ssl->handshake->new_session_ticket = 1;
1420 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1422 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1423 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1424 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1425 const unsigned char *buf,
1429 const unsigned char *p;
1431 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
1433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1434 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1435 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1436 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1441 while( list_size > 0 )
1443 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1444 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
1446 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1447 ssl->handshake->ecdh_ctx.point_format = p[0];
1449 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1450 ssl->handshake->ecjpake_ctx.point_format = p[0];
1452 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1461 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1462 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1463 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1465 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1466 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1468 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1469 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1470 const unsigned char *buf,
1475 if( ssl->handshake->ciphersuite_info->key_exchange !=
1476 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
1478 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1482 /* If we got here, we no longer need our cached extension */
1483 mbedtls_free( ssl->handshake->ecjpake_cache );
1484 ssl->handshake->ecjpake_cache = NULL;
1485 ssl->handshake->ecjpake_cache_len = 0;
1487 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1490 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1491 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1492 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1498 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1500 #if defined(MBEDTLS_SSL_ALPN)
1501 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1502 const unsigned char *buf, size_t len )
1504 size_t list_len, name_len;
1507 /* If we didn't send it, the server shouldn't send it */
1508 if( ssl->conf->alpn_list == NULL )
1510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
1511 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1512 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1513 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1517 * opaque ProtocolName<1..2^8-1>;
1520 * ProtocolName protocol_name_list<2..2^16-1>
1521 * } ProtocolNameList;
1523 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1526 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1529 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1530 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1531 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1534 list_len = ( buf[0] << 8 ) | buf[1];
1535 if( list_len != len - 2 )
1537 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1538 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1539 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1543 if( name_len != list_len - 1 )
1545 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1546 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1547 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1550 /* Check that the server chosen protocol was in our list and save it */
1551 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1553 if( name_len == strlen( *p ) &&
1554 memcmp( buf + 3, *p, name_len ) == 0 )
1556 ssl->alpn_chosen = *p;
1561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
1562 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1563 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1564 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1566 #endif /* MBEDTLS_SSL_ALPN */
1569 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1571 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1572 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1574 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1575 int major_ver, minor_ver;
1576 unsigned char cookie_len;
1578 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1582 * ProtocolVersion server_version;
1583 * opaque cookie<0..2^8-1>;
1584 * } HelloVerifyRequest;
1586 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1587 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1591 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1592 * even is lower than our min version.
1594 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1595 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1596 major_ver > ssl->conf->max_major_ver ||
1597 minor_ver > ssl->conf->max_minor_ver )
1599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1601 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1602 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1604 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1608 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1610 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1612 MBEDTLS_SSL_DEBUG_MSG( 1,
1613 ( "cookie length does not match incoming message size" ) );
1614 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1615 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1616 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1619 mbedtls_free( ssl->handshake->verify_cookie );
1621 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1622 if( ssl->handshake->verify_cookie == NULL )
1624 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1625 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1628 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1629 ssl->handshake->verify_cookie_len = cookie_len;
1631 /* Start over at ClientHello */
1632 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1633 mbedtls_ssl_reset_checksum( ssl );
1635 mbedtls_ssl_recv_flight_completed( ssl );
1637 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1641 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1643 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1648 unsigned char *buf, *ext;
1650 #if defined(MBEDTLS_ZLIB_SUPPORT)
1653 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1654 int renegotiation_info_seen = 0;
1656 int handshake_failure = 0;
1657 const mbedtls_ssl_ciphersuite_t *suite_info;
1659 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1661 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
1663 /* No alert on a read error. */
1664 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1670 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1672 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1673 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1675 ssl->renego_records_seen++;
1677 if( ssl->conf->renego_max_records >= 0 &&
1678 ssl->renego_records_seen > ssl->conf->renego_max_records )
1680 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
1681 "but not honored by server" ) );
1682 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
1687 ssl->keep_current_message = 1;
1688 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
1690 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1692 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1693 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1694 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1695 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1698 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1699 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1701 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
1703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1704 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1705 return( ssl_parse_hello_verify_request( ssl ) );
1709 /* We made it through the verification process */
1710 mbedtls_free( ssl->handshake->verify_cookie );
1711 ssl->handshake->verify_cookie = NULL;
1712 ssl->handshake->verify_cookie_len = 0;
1715 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1717 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1718 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
1720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1721 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1722 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1723 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1727 * 0 . 1 server_version
1728 * 2 . 33 random (maybe including 4 bytes of Unix time)
1729 * 34 . 34 session_id length = n
1730 * 35 . 34+n session_id
1731 * 35+n . 36+n cipher_suite
1732 * 37+n . 37+n compression_method
1734 * 38+n . 39+n extensions length (optional)
1735 * 40+n . .. extensions
1737 buf += mbedtls_ssl_hs_hdr_len( ssl );
1739 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1740 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1741 ssl->conf->transport, buf + 0 );
1743 if( ssl->major_ver < ssl->conf->min_major_ver ||
1744 ssl->minor_ver < ssl->conf->min_minor_ver ||
1745 ssl->major_ver > ssl->conf->max_major_ver ||
1746 ssl->minor_ver > ssl->conf->max_minor_ver )
1748 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
1749 " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1750 ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
1751 ssl->major_ver, ssl->minor_ver,
1752 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
1754 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1755 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1757 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1760 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1761 ( (uint32_t) buf[2] << 24 ) |
1762 ( (uint32_t) buf[3] << 16 ) |
1763 ( (uint32_t) buf[4] << 8 ) |
1764 ( (uint32_t) buf[5] ) ) );
1766 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1770 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1775 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1776 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1777 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1780 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1782 ext_len = ( ( buf[38 + n] << 8 )
1783 | ( buf[39 + n] ) );
1785 if( ( ext_len > 0 && ext_len < 4 ) ||
1786 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1788 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1789 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1790 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1791 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1794 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1800 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1801 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1802 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1803 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1806 /* ciphersuite (used later) */
1807 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1810 * Read and check compression
1814 #if defined(MBEDTLS_ZLIB_SUPPORT)
1815 /* See comments in ssl_write_client_hello() */
1816 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1817 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1823 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1824 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1825 #else /* MBEDTLS_ZLIB_SUPPORT */
1826 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1827 #endif/* MBEDTLS_ZLIB_SUPPORT */
1829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
1830 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1831 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1832 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1836 * Initialize update checksum functions
1838 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
1839 if( ssl->handshake->ciphersuite_info == NULL )
1841 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
1842 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1843 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1844 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1847 mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
1849 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1850 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1853 * Check if the session can be resumed
1855 if( ssl->handshake->resume == 0 || n == 0 ||
1856 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1857 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1859 ssl->session_negotiate->ciphersuite != i ||
1860 ssl->session_negotiate->compression != comp ||
1861 ssl->session_negotiate->id_len != n ||
1862 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1865 ssl->handshake->resume = 0;
1866 #if defined(MBEDTLS_HAVE_TIME)
1867 ssl->session_negotiate->start = mbedtls_time( NULL );
1869 ssl->session_negotiate->ciphersuite = i;
1870 ssl->session_negotiate->compression = comp;
1871 ssl->session_negotiate->id_len = n;
1872 memcpy( ssl->session_negotiate->id, buf + 35, n );
1876 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1878 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1880 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1881 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1882 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
1887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1888 ssl->handshake->resume ? "a" : "no" ) );
1890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
1891 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
1894 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1899 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1902 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1903 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1904 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1907 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1908 ssl->session_negotiate->ciphersuite )
1914 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
1915 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
1917 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1918 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1919 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1920 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1923 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1925 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
1926 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
1927 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1929 ssl->handshake->ecrs_enabled = 1;
1933 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1934 #if defined(MBEDTLS_ZLIB_SUPPORT)
1935 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
1939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1940 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1941 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
1942 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1944 ssl->session_negotiate->compression = comp;
1948 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
1952 unsigned int ext_id = ( ( ext[0] << 8 )
1954 unsigned int ext_size = ( ( ext[2] << 8 )
1957 if( ext_size + 4 > ext_len )
1959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1960 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1961 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1962 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
1967 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1968 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1969 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1970 renegotiation_info_seen = 1;
1973 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
1979 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1980 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1981 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
1983 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
1984 ext + 4, ext_size ) ) != 0 )
1990 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1992 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1993 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1994 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
1996 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
1997 ext + 4, ext_size ) ) != 0 )
2003 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2005 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2006 case MBEDTLS_TLS_EXT_CID:
2007 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
2009 if( ( ret = ssl_parse_cid_ext( ssl,
2017 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2019 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2020 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2021 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
2023 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2024 ext + 4, ext_size ) ) != 0 )
2030 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2032 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2033 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2034 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
2036 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2037 ext + 4, ext_size ) ) != 0 )
2043 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2045 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2046 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2047 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
2049 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2050 ext + 4, ext_size ) ) != 0 )
2056 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2058 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2059 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2060 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
2063 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2064 ext + 4, ext_size ) ) != 0 )
2070 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2071 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2073 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2074 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2077 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2078 ext + 4, ext_size ) ) != 0 )
2084 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2086 #if defined(MBEDTLS_SSL_ALPN)
2087 case MBEDTLS_TLS_EXT_ALPN:
2088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2090 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2094 #endif /* MBEDTLS_SSL_ALPN */
2097 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
2101 ext_len -= 4 + ext_size;
2102 ext += 4 + ext_size;
2104 if( ext_len > 0 && ext_len < 4 )
2106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2107 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2112 * Renegotiation security checks
2114 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2115 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
2117 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
2118 handshake_failure = 1;
2120 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2121 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2122 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2123 renegotiation_info_seen == 0 )
2125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
2126 handshake_failure = 1;
2128 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2129 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2130 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
2132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2133 handshake_failure = 1;
2135 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2136 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2137 renegotiation_info_seen == 1 )
2139 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
2140 handshake_failure = 1;
2142 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2144 if( handshake_failure == 1 )
2146 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2147 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2148 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
2151 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
2156 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2157 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2158 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
2159 unsigned char *end )
2161 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2164 * Ephemeral DH parameters:
2167 * opaque dh_p<1..2^16-1>;
2168 * opaque dh_g<1..2^16-1>;
2169 * opaque dh_Ys<1..2^16-1>;
2172 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
2174 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
2178 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
2180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
2181 ssl->handshake->dhm_ctx.len * 8,
2182 ssl->conf->dhm_min_bitlen ) );
2183 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2186 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2187 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2188 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2192 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2193 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2195 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2196 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2197 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2198 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2199 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2200 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
2202 const mbedtls_ecp_curve_info *curve_info;
2203 mbedtls_ecp_group_id grp_id;
2204 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2205 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2207 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2210 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
2211 if( curve_info == NULL )
2213 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2214 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2217 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
2219 #if defined(MBEDTLS_ECP_C)
2220 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
2222 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2223 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
2227 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
2228 MBEDTLS_DEBUG_ECDH_QP );
2232 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2233 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2234 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2235 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2236 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2238 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2239 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2240 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
2241 static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl,
2243 unsigned char *end )
2246 uint8_t ecpoint_len;
2247 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2254 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2256 /* First byte is curve_type; only named_curve is handled */
2257 if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
2258 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2260 /* Next two bytes are the namedcurve value */
2265 /* Convert EC group to PSA key type. */
2266 if( ( handshake->ecdh_psa_curve =
2267 mbedtls_psa_parse_tls_ecc_group( tls_id ) ) == 0 )
2269 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2273 * Put peer's ECDH public key in the format understood by PSA.
2276 ecpoint_len = *(*p)++;
2277 if( (size_t)( end - *p ) < ecpoint_len )
2278 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2280 if( mbedtls_psa_tls_ecpoint_to_psa_ec( handshake->ecdh_psa_curve,
2282 handshake->ecdh_psa_peerkey,
2283 sizeof( handshake->ecdh_psa_peerkey ),
2284 &handshake->ecdh_psa_peerkey_len ) != 0 )
2286 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
2292 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
2293 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2294 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2296 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2297 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2298 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2299 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
2301 unsigned char *end )
2303 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2306 * Ephemeral ECDH parameters:
2309 * ECParameters curve_params;
2311 * } ServerECDHParams;
2313 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
2314 (const unsigned char **) p, end ) ) != 0 )
2316 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
2317 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2318 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2319 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2324 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2326 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
2327 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2332 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2333 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2334 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2336 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2337 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
2339 unsigned char *end )
2341 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2348 * opaque psk_identity_hint<0..2^16-1>;
2350 if( end - (*p) < 2 )
2352 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2353 "(psk_identity_hint length)" ) );
2354 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2356 len = (*p)[0] << 8 | (*p)[1];
2359 if( end - (*p) < (int) len )
2361 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
2362 "(psk_identity_hint length)" ) );
2363 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2367 * Note: we currently ignore the PKS identity hint, as we only allow one
2368 * PSK to be provisionned on the client. This could be changed later if
2369 * someone needs that feature.
2376 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2378 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2379 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2381 * Generate a pre-master secret and encrypt it with the server's RSA key
2383 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
2384 size_t offset, size_t *olen,
2388 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2389 unsigned char *p = ssl->handshake->premaster + pms_offset;
2390 mbedtls_pk_context * peer_pk;
2392 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
2394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2395 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2399 * Generate (part of) the pre-master as
2401 * ProtocolVersion client_version;
2402 * opaque random[46];
2403 * } PreMasterSecret;
2405 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
2406 ssl->conf->transport, p );
2408 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2410 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2414 ssl->handshake->pmslen = 48;
2416 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2417 peer_pk = &ssl->handshake->peer_pubkey;
2418 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2419 if( ssl->session_negotiate->peer_cert == NULL )
2421 /* Should never happen */
2422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2423 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2425 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2426 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2429 * Now write it out, encrypted
2431 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
2433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2434 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2437 if( ( ret = mbedtls_pk_encrypt( peer_pk,
2438 p, ssl->handshake->pmslen,
2439 ssl->out_msg + offset + len_bytes, olen,
2440 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
2441 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2443 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2447 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2448 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2449 if( len_bytes == 2 )
2451 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2452 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2457 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2458 /* We don't need the peer's public key anymore. Free it. */
2459 mbedtls_pk_free( peer_pk );
2460 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2463 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2464 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2466 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2467 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2468 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2469 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2470 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2473 mbedtls_md_type_t *md_alg,
2474 mbedtls_pk_type_t *pk_alg )
2477 *md_alg = MBEDTLS_MD_NONE;
2478 *pk_alg = MBEDTLS_PK_NONE;
2480 /* Only in TLS 1.2 */
2481 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
2486 if( (*p) + 2 > end )
2487 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2490 * Get hash algorithm
2492 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
2494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
2495 "HashAlgorithm %d", *(p)[0] ) );
2496 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2500 * Get signature algorithm
2502 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
2504 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
2505 "SignatureAlgorithm %d", (*p)[1] ) );
2506 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2510 * Check if the hash is acceptable
2512 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
2516 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
2520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
2525 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2526 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2527 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2528 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2530 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2531 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2532 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2535 const mbedtls_ecp_keypair *peer_key;
2536 mbedtls_pk_context * peer_pk;
2538 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2539 peer_pk = &ssl->handshake->peer_pubkey;
2540 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2541 if( ssl->session_negotiate->peer_cert == NULL )
2543 /* Should never happen */
2544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2545 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2547 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2548 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2550 if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) )
2552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2553 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2556 peer_key = mbedtls_pk_ec( *peer_pk );
2558 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2559 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2561 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2565 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2568 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
2571 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2572 /* We don't need the peer's public key anymore. Free it,
2573 * so that more RAM is available for upcoming expensive
2574 * operations like ECDHE. */
2575 mbedtls_pk_free( peer_pk );
2576 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2580 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2581 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2583 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2586 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2587 ssl->handshake->ciphersuite_info;
2588 unsigned char *p = NULL, *end = NULL;
2590 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2592 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2593 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2603 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2604 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2605 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2606 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2608 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2610 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2611 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2612 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2616 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2622 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2623 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2625 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2626 if( ssl->handshake->ecrs_enabled &&
2627 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
2629 goto start_processing;
2633 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2635 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2639 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2641 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2642 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2643 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2644 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2648 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2649 * doesn't use a psk_identity_hint
2651 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
2653 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2654 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2656 /* Current message is probably either
2657 * CertificateRequest or ServerHelloDone */
2658 ssl->keep_current_message = 1;
2662 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
2663 "not be skipped" ) );
2664 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2665 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2667 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2670 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2671 if( ssl->handshake->ecrs_enabled )
2672 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2676 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2677 end = ssl->in_msg + ssl->in_hslen;
2678 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2680 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2681 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2682 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2683 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2684 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2686 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2689 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2690 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2691 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2694 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2696 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2697 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2698 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2699 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2700 ; /* nothing more to do */
2702 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2703 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2704 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2705 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2706 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2707 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2709 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2712 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2713 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2714 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2718 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2719 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2720 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2721 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2722 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
2723 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2724 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2726 if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 )
2728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2729 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2730 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2731 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2735 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
2736 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2737 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2738 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2739 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2740 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2741 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2742 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2743 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2745 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2748 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2749 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2750 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2754 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2755 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2756 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2757 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2758 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2760 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2764 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2765 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2766 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2767 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2771 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2773 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2774 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2777 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2778 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
2780 size_t sig_len, hashlen;
2781 unsigned char hash[64];
2782 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
2783 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
2784 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2785 size_t params_len = p - params;
2786 void *rs_ctx = NULL;
2788 mbedtls_pk_context * peer_pk;
2791 * Handle the digitally-signed structure
2793 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2794 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2796 if( ssl_parse_signature_algorithm( ssl, &p, end,
2797 &md_alg, &pk_alg ) != 0 )
2799 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2800 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2801 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2802 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2805 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2808 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2809 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
2810 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2814 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2815 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2816 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2817 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
2819 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2821 /* Default hash for ECDSA is SHA-1 */
2822 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2823 md_alg = MBEDTLS_MD_SHA1;
2828 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2829 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2839 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2840 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2841 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2843 sig_len = ( p[0] << 8 ) | p[1];
2846 if( p != end - sig_len )
2848 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2849 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2850 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2851 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
2854 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2857 * Compute the hash that has been signed
2859 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2860 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2861 if( md_alg == MBEDTLS_MD_NONE )
2864 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
2870 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2871 MBEDTLS_SSL_PROTO_TLS1_1 */
2872 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2873 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2874 if( md_alg != MBEDTLS_MD_NONE )
2876 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
2883 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2884 MBEDTLS_SSL_PROTO_TLS1_2 */
2886 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2887 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2890 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2892 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2893 peer_pk = &ssl->handshake->peer_pubkey;
2894 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2895 if( ssl->session_negotiate->peer_cert == NULL )
2897 /* Should never happen */
2898 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2899 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2901 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2902 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2907 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
2909 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2910 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2911 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2912 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2915 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2916 if( ssl->handshake->ecrs_enabled )
2917 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2920 if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
2921 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
2923 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2924 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
2926 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2927 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
2928 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
2929 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2930 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2931 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2936 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2937 /* We don't need the peer's public key anymore. Free it,
2938 * so that more RAM is available for upcoming expensive
2939 * operations like ECDHE. */
2940 mbedtls_pk_free( peer_pk );
2941 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2943 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2948 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2953 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
2954 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2956 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2957 ssl->handshake->ciphersuite_info;
2959 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2961 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2963 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2968 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2969 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2971 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
2972 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2977 size_t cert_type_len = 0, dn_len = 0;
2978 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2979 ssl->handshake->ciphersuite_info;
2981 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2983 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2985 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2990 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2992 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2996 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2998 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2999 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3000 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3001 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3005 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
3007 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
3008 ssl->client_auth ? "a" : "no" ) );
3010 if( ssl->client_auth == 0 )
3012 /* Current message is probably the ServerHelloDone */
3013 ssl->keep_current_message = 1;
3019 * ClientCertificateType certificate_types<1..2^8-1>;
3020 * SignatureAndHashAlgorithm
3021 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3022 * DistinguishedName certificate_authorities<0..2^16-1>;
3023 * } CertificateRequest;
3025 * Since we only support a single certificate on clients, let's just
3026 * ignore all the information that's supposed to help us pick a
3029 * We could check that our certificate matches the request, and bail out
3030 * if it doesn't, but it's simpler to just send the certificate anyway,
3031 * and give the server the opportunity to decide if it should terminate
3032 * the connection when it doesn't like our certificate.
3034 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3035 * point we only have one hash available (see comments in
3036 * write_certificate_verify), so let's just use what we have.
3038 * However, we still minimally parse the message to check it is at least
3039 * superficially sane.
3043 /* certificate_types */
3044 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3047 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3048 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3049 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3051 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
3055 * In the subsequent code there are two paths that read from buf:
3056 * * the length of the signature algorithms field (if minor version of
3058 * * distinguished name length otherwise.
3059 * Both reach at most the index:
3060 * ...hdr_len + 2 + n,
3061 * therefore the buffer length at this point must be greater than that
3062 * regardless of the actual code path.
3064 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
3066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3067 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3068 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3069 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3072 /* supported_signature_algorithms */
3073 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3074 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3076 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3077 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3078 #if defined(MBEDTLS_DEBUG_C)
3079 unsigned char* sig_alg;
3084 * The furthest access in buf is in the loop few lines below:
3087 * sig_alg = buf + ...hdr_len + 3 + n,
3088 * max(i) = sig_alg_len - 1.
3089 * Therefore the furthest access is:
3090 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3092 * buf[...hdr_len + 3 + n + sig_alg_len],
3093 * which is one less than we need the buf to be.
3095 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
3097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3098 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3099 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3100 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3103 #if defined(MBEDTLS_DEBUG_C)
3104 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
3105 for( i = 0; i < sig_alg_len; i += 2 )
3107 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
3108 ",%d", sig_alg[i], sig_alg[i + 1] ) );
3112 n += 2 + sig_alg_len;
3114 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3116 /* certificate_authorities */
3117 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3118 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3121 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
3123 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3124 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3125 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3126 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
3130 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
3134 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3136 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
3140 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
3142 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3144 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3148 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3150 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3151 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3154 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3155 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
3157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3158 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3159 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3160 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
3165 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3166 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3167 mbedtls_ssl_recv_flight_completed( ssl );
3170 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
3175 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
3181 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3182 ssl->handshake->ciphersuite_info;
3184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
3186 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3187 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3190 * DHM key exchange -- send G^X mod P
3192 content_len = ssl->handshake->dhm_ctx.len;
3194 ssl->out_msg[4] = (unsigned char)( content_len >> 8 );
3195 ssl->out_msg[5] = (unsigned char)( content_len );
3198 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3199 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3200 &ssl->out_msg[header_len], content_len,
3201 ssl->conf->f_rng, ssl->conf->p_rng );
3204 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3208 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3209 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3211 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3212 ssl->handshake->premaster,
3213 MBEDTLS_PREMASTER_SIZE,
3214 &ssl->handshake->pmslen,
3215 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3221 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3224 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3225 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3226 ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3227 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) )
3228 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3229 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3231 psa_status_t status;
3232 psa_key_policy_t policy;
3234 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3236 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
3237 size_t own_pubkey_len;
3238 unsigned char *own_pubkey_ecpoint;
3239 size_t own_pubkey_ecpoint_len;
3241 psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
3245 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
3248 * Generate EC private key for ECDHE exchange.
3251 /* Allocate a new key slot for the private key. */
3253 status = psa_allocate_key( &handshake->ecdh_psa_privkey );
3254 if( status != PSA_SUCCESS )
3255 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3257 /* The master secret is obtained from the shared ECDH secret by
3258 * applying the TLS 1.2 PRF with a specific salt and label. While
3259 * the PSA Crypto API encourages combining key agreement schemes
3260 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
3261 * yet support the provisioning of salt + label to the KDF.
3262 * For the time being, we therefore need to split the computation
3263 * of the ECDH secret and the application of the TLS 1.2 PRF. */
3264 policy = psa_key_policy_init();
3265 psa_key_policy_set_usage( &policy,
3266 PSA_KEY_USAGE_DERIVE,
3267 PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
3268 status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy );
3269 if( status != PSA_SUCCESS )
3270 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3272 /* Generate ECDH private key. */
3273 status = psa_generate_key( handshake->ecdh_psa_privkey,
3274 PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ),
3275 MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ),
3277 if( status != PSA_SUCCESS )
3278 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3280 /* Export the public part of the ECDH private key from PSA
3281 * and convert it to ECPoint format used in ClientKeyExchange. */
3282 status = psa_export_public_key( handshake->ecdh_psa_privkey,
3283 own_pubkey, sizeof( own_pubkey ),
3285 if( status != PSA_SUCCESS )
3286 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3288 if( mbedtls_psa_tls_psa_ec_to_ecpoint( own_pubkey,
3290 &own_pubkey_ecpoint,
3291 &own_pubkey_ecpoint_len ) != 0 )
3293 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3296 /* Copy ECPoint structure to outgoing message buffer. */
3297 ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len;
3298 memcpy( ssl->out_msg + header_len + 1,
3299 own_pubkey_ecpoint, own_pubkey_ecpoint_len );
3300 content_len = own_pubkey_ecpoint_len + 1;
3302 /* Compute ECDH shared secret. */
3303 status = psa_key_agreement( &generator,
3304 handshake->ecdh_psa_privkey,
3305 handshake->ecdh_psa_peerkey,
3306 handshake->ecdh_psa_peerkey_len,
3307 PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
3308 if( status != PSA_SUCCESS )
3309 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3311 /* The ECDH secret is the premaster secret used for key derivation. */
3313 ssl->handshake->pmslen =
3314 MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve );
3316 status = psa_generator_read( &generator,
3317 ssl->handshake->premaster,
3318 ssl->handshake->pmslen );
3319 if( status != PSA_SUCCESS )
3321 psa_generator_abort( &generator );
3322 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3325 status = psa_generator_abort( &generator );
3326 if( status != PSA_SUCCESS )
3327 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3329 status = psa_destroy_key( handshake->ecdh_psa_privkey );
3330 if( status != PSA_SUCCESS )
3331 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3332 handshake->ecdh_psa_privkey = 0;
3335 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
3336 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3337 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
3338 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3339 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3340 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3341 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3342 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3343 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3344 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3345 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3348 * ECDH key exchange -- send client public value
3352 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3353 if( ssl->handshake->ecrs_enabled )
3355 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
3356 goto ecdh_calc_secret;
3358 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3362 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3364 &ssl->out_msg[header_len], 1000,
3365 ssl->conf->f_rng, ssl->conf->p_rng );
3368 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3369 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3370 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3371 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3376 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3377 MBEDTLS_DEBUG_ECDH_Q );
3379 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3380 if( ssl->handshake->ecrs_enabled )
3382 ssl->handshake->ecrs_n = content_len;
3383 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
3387 if( ssl->handshake->ecrs_enabled )
3388 content_len = ssl->handshake->ecrs_n;
3390 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3391 &ssl->handshake->pmslen,
3392 ssl->handshake->premaster,
3393 MBEDTLS_MPI_MAX_SIZE,
3394 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3396 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3397 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3398 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3399 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3404 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3405 MBEDTLS_DEBUG_ECDH_Z );
3408 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3409 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3410 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3411 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3412 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3413 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
3416 * opaque psk_identity<0..2^16-1>;
3418 if( ssl_conf_has_static_psk( ssl->conf ) == 0 )
3420 /* We don't offer PSK suites if we don't have a PSK,
3421 * and we check that the server's choice is among the
3422 * ciphersuites we offered, so this should never happen. */
3423 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3427 content_len = ssl->conf->psk_identity_len;
3429 if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
3431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
3432 "SSL buffer too short" ) );
3433 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3436 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3437 ssl->out_msg[header_len++] = (unsigned char)( content_len );
3439 memcpy( ssl->out_msg + header_len,
3440 ssl->conf->psk_identity,
3441 ssl->conf->psk_identity_len );
3442 header_len += ssl->conf->psk_identity_len;
3444 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3445 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3451 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3452 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3454 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3455 /* Opaque PSKs are currently only supported for PSK-only suites. */
3456 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3457 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3458 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3460 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3461 &content_len, 2 ) ) != 0 )
3466 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3467 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3469 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3470 /* Opaque PSKs are currently only supported for PSK-only suites. */
3471 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3472 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3473 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3476 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3478 content_len = ssl->handshake->dhm_ctx.len;
3480 if( header_len + 2 + content_len >
3481 MBEDTLS_SSL_OUT_CONTENT_LEN )
3483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
3484 " or SSL buffer too short" ) );
3485 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3488 ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
3489 ssl->out_msg[header_len++] = (unsigned char)( content_len );
3491 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
3492 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3493 &ssl->out_msg[header_len], content_len,
3494 ssl->conf->f_rng, ssl->conf->p_rng );
3497 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3502 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3503 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3504 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3506 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3507 /* Opaque PSKs are currently only supported for PSK-only suites. */
3508 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3509 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3510 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3513 * ClientECDiffieHellmanPublic public;
3515 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
3517 &ssl->out_msg[header_len],
3518 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3519 ssl->conf->f_rng, ssl->conf->p_rng );
3522 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3526 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3527 MBEDTLS_DEBUG_ECDH_Q );
3530 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3533 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3536 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3537 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3538 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
3539 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
3540 ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
3542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) );
3545 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
3546 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3547 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3548 ciphersuite_info->key_exchange ) ) != 0 )
3550 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3555 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3556 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3557 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3560 if( ( ret = ssl_write_encrypted_pms( ssl, header_len,
3561 &content_len, 0 ) ) != 0 )
3565 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3566 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3567 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3571 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
3572 ssl->out_msg + header_len,
3573 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3575 ssl->conf->f_rng, ssl->conf->p_rng );
3578 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3582 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3583 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3584 ssl->conf->f_rng, ssl->conf->p_rng );
3587 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3592 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3594 ((void) ciphersuite_info);
3595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3596 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3599 ssl->out_msglen = header_len + content_len;
3600 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3601 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3605 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3607 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3611 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
3616 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
3617 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3619 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3620 ssl->handshake->ciphersuite_info;
3623 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3625 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3627 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3631 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
3633 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3638 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3639 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3641 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3642 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3644 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3645 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3646 ssl->handshake->ciphersuite_info;
3647 size_t n = 0, offset = 0;
3648 unsigned char hash[48];
3649 unsigned char *hash_start = hash;
3650 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3651 unsigned int hashlen;
3652 void *rs_ctx = NULL;
3654 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3656 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3657 if( ssl->handshake->ecrs_enabled &&
3658 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
3664 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3666 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3670 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
3672 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3677 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3679 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3684 if( mbedtls_ssl_own_key( ssl ) == NULL )
3686 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3687 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3691 * Make a signature of the handshake digests
3693 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3694 if( ssl->handshake->ecrs_enabled )
3695 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3700 ssl->handshake->calc_verify( ssl, hash );
3702 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3703 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3704 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
3707 * digitally-signed struct {
3708 * opaque md5_hash[16];
3709 * opaque sha_hash[20];
3713 * MD5(handshake_messages);
3716 * SHA(handshake_messages);
3719 md_alg = MBEDTLS_MD_NONE;
3722 * For ECDSA, default hash is SHA-1 only
3724 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
3728 md_alg = MBEDTLS_MD_SHA1;
3732 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3733 MBEDTLS_SSL_PROTO_TLS1_1 */
3734 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3735 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3738 * digitally-signed struct {
3739 * opaque handshake_messages[handshake_messages_length];
3742 * Taking shortcut here. We assume that the server always allows the
3743 * PRF Hash function and has sent it in the allowed signature
3744 * algorithms list received in the Certificate Request message.
3746 * Until we encounter a server that does not, we will take this
3749 * Reason: Otherwise we should have running hashes for SHA512 and SHA224
3750 * in order to satisfy 'weird' needs from the server side.
3752 if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
3754 md_alg = MBEDTLS_MD_SHA384;
3755 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3759 md_alg = MBEDTLS_MD_SHA256;
3760 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3762 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
3764 /* Info from md_alg will be used instead */
3769 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3771 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3772 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3775 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3776 if( ssl->handshake->ecrs_enabled )
3777 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3780 if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
3781 md_alg, hash_start, hashlen,
3782 ssl->out_msg + 6 + offset, &n,
3783 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
3785 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3786 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3787 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
3788 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3793 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3794 ssl->out_msg[5 + offset] = (unsigned char)( n );
3796 ssl->out_msglen = 6 + n + offset;
3797 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3798 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3802 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3804 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3808 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3812 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3814 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3815 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3820 unsigned char *ticket;
3821 const unsigned char *msg;
3823 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3825 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3827 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3831 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3833 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3834 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3835 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
3836 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3841 * uint32 ticket_lifetime_hint;
3842 * opaque ticket<0..2^16-1>;
3843 * } NewSessionTicket;
3845 * 0 . 3 ticket_lifetime_hint
3846 * 4 . 5 ticket_len (n)
3847 * 6 . 5+n ticket content
3849 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3850 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3852 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3853 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3854 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3855 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3858 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3860 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3861 ( msg[2] << 8 ) | ( msg[3] );
3863 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3865 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3867 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3868 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3869 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
3870 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
3873 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3875 /* We're not waiting for a NewSessionTicket message any more */
3876 ssl->handshake->new_session_ticket = 0;
3877 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3880 * Zero-length ticket means the server changed his mind and doesn't want
3881 * to send a ticket after all, so just forget it
3883 if( ticket_len == 0 )
3886 if( ssl->session != NULL && ssl->session->ticket != NULL )
3888 mbedtls_platform_zeroize( ssl->session->ticket,
3889 ssl->session->ticket_len );
3890 mbedtls_free( ssl->session->ticket );
3891 ssl->session->ticket = NULL;
3892 ssl->session->ticket_len = 0;
3895 mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
3896 ssl->session_negotiate->ticket_len );
3897 mbedtls_free( ssl->session_negotiate->ticket );
3898 ssl->session_negotiate->ticket = NULL;
3899 ssl->session_negotiate->ticket_len = 0;
3901 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3904 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3905 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
3906 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3909 memcpy( ticket, msg + 6, ticket_len );
3911 ssl->session_negotiate->ticket = ticket;
3912 ssl->session_negotiate->ticket_len = ticket_len;
3913 ssl->session_negotiate->ticket_lifetime = lifetime;
3916 * RFC 5077 section 3.4:
3917 * "If the client receives a session ticket from the server, then it
3918 * discards any Session ID that was sent in the ServerHello."
3920 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3921 ssl->session_negotiate->id_len = 0;
3923 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3927 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3930 * SSL handshake -- client side -- single step
3932 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
3936 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3937 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3939 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3941 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3944 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3945 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3946 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3948 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3951 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3953 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3954 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3955 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3956 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3957 ssl->handshake->new_session_ticket != 0 )
3959 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
3963 switch( ssl->state )
3965 case MBEDTLS_SSL_HELLO_REQUEST:
3966 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3972 case MBEDTLS_SSL_CLIENT_HELLO:
3973 ret = ssl_write_client_hello( ssl );
3979 * ( ServerKeyExchange )
3980 * ( CertificateRequest )
3983 case MBEDTLS_SSL_SERVER_HELLO:
3984 ret = ssl_parse_server_hello( ssl );
3987 case MBEDTLS_SSL_SERVER_CERTIFICATE:
3988 ret = mbedtls_ssl_parse_certificate( ssl );
3991 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
3992 ret = ssl_parse_server_key_exchange( ssl );
3995 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
3996 ret = ssl_parse_certificate_request( ssl );
3999 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4000 ret = ssl_parse_server_hello_done( ssl );
4004 * ==> ( Certificate/Alert )
4006 * ( CertificateVerify )
4010 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4011 ret = mbedtls_ssl_write_certificate( ssl );
4014 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4015 ret = ssl_write_client_key_exchange( ssl );
4018 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4019 ret = ssl_write_certificate_verify( ssl );
4022 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4023 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
4026 case MBEDTLS_SSL_CLIENT_FINISHED:
4027 ret = mbedtls_ssl_write_finished( ssl );
4031 * <== ( NewSessionTicket )
4035 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4036 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
4037 ret = ssl_parse_new_session_ticket( ssl );
4041 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4042 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
4045 case MBEDTLS_SSL_SERVER_FINISHED:
4046 ret = mbedtls_ssl_parse_finished( ssl );
4049 case MBEDTLS_SSL_FLUSH_BUFFERS:
4050 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4051 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4054 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4055 mbedtls_ssl_handshake_wrapup( ssl );
4059 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4060 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4065 #endif /* MBEDTLS_SSL_CLI_C */