2 * SSLv3/TLSv1 server-side functions
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
25 #include MBEDTLS_CONFIG_FILE
28 #if defined(MBEDTLS_SSL_SRV_C)
30 #if defined(MBEDTLS_PLATFORM_C)
31 #include "mbedtls/platform.h"
34 #define mbedtls_calloc calloc
35 #define mbedtls_free free
38 #include "mbedtls/debug.h"
39 #include "mbedtls/ssl.h"
40 #include "mbedtls/ssl_internal.h"
41 #include "mbedtls/platform_util.h"
45 #if defined(MBEDTLS_ECP_C)
46 #include "mbedtls/ecp.h"
49 #if defined(MBEDTLS_HAVE_TIME)
50 #include "mbedtls/platform_time.h"
53 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
54 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
55 const unsigned char *info,
58 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
59 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
61 mbedtls_free( ssl->cli_id );
63 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
64 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
66 memcpy( ssl->cli_id, info, ilen );
67 ssl->cli_id_len = ilen;
72 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
73 mbedtls_ssl_cookie_write_t *f_cookie_write,
74 mbedtls_ssl_cookie_check_t *f_cookie_check,
77 conf->f_cookie_write = f_cookie_write;
78 conf->f_cookie_check = f_cookie_check;
79 conf->p_cookie = p_cookie;
81 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
83 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
84 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
85 const unsigned char *buf,
89 size_t servername_list_size, hostname_len;
90 const unsigned char *p;
92 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
96 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
97 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
98 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
99 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
101 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
102 if( servername_list_size + 2 != len )
104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
105 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
106 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
107 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
111 while( servername_list_size > 2 )
113 hostname_len = ( ( p[1] << 8 ) | p[2] );
114 if( hostname_len + 3 > servername_list_size )
116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
117 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
118 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
119 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
122 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
124 ret = ssl->conf->f_sni( ssl->conf->p_sni,
125 ssl, p + 3, hostname_len );
128 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
129 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
130 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
131 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
136 servername_list_size -= hostname_len + 3;
137 p += hostname_len + 3;
140 if( servername_list_size != 0 )
142 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
143 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
144 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
145 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
150 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
152 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
153 static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
155 if( conf->f_psk != NULL )
158 if( conf->psk_identity_len == 0 || conf->psk_identity == NULL )
161 if( conf->psk != NULL && conf->psk_len != 0 )
164 #if defined(MBEDTLS_USE_PSA_CRYPTO)
165 if( conf->psk_opaque != 0 )
167 #endif /* MBEDTLS_USE_PSA_CRYPTO */
172 #if defined(MBEDTLS_USE_PSA_CRYPTO)
173 static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
175 if( ssl->conf->f_psk != NULL )
177 /* If we've used a callback to select the PSK,
178 * the static configuration is irrelevant. */
180 if( ssl->handshake->psk_opaque != 0 )
186 if( ssl->conf->psk_opaque != 0 )
191 #endif /* MBEDTLS_USE_PSA_CRYPTO */
192 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
194 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
195 const unsigned char *buf,
198 #if defined(MBEDTLS_SSL_RENEGOTIATION)
199 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
201 /* Check verify-data in constant-time. The length OTOH is no secret */
202 if( len != 1 + ssl->verify_data_len ||
203 buf[0] != ssl->verify_data_len ||
204 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
205 ssl->verify_data_len ) != 0 )
207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
208 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
209 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
210 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
214 #endif /* MBEDTLS_SSL_RENEGOTIATION */
216 if( len != 1 || buf[0] != 0x0 )
218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
219 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
220 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
221 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
224 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
230 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
231 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
234 * Status of the implementation of signature-algorithms extension:
236 * Currently, we are only considering the signature-algorithm extension
237 * to pick a ciphersuite which allows us to send the ServerKeyExchange
238 * message with a signature-hash combination that the user allows.
240 * We do *not* check whether all certificates in our certificate
241 * chain are signed with an allowed signature-hash pair.
242 * This needs to be done at a later stage.
245 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
246 const unsigned char *buf,
249 size_t sig_alg_list_size;
251 const unsigned char *p;
252 const unsigned char *end = buf + len;
254 mbedtls_md_type_t md_cur;
255 mbedtls_pk_type_t sig_cur;
258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
259 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
261 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
263 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
264 if( sig_alg_list_size + 2 != len ||
265 sig_alg_list_size % 2 != 0 )
267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
268 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
269 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
270 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
273 /* Currently we only guarantee signing the ServerKeyExchange message according
274 * to the constraints specified in this extension (see above), so it suffices
275 * to remember only one suitable hash for each possible signature algorithm.
277 * This will change when we also consider certificate signatures,
278 * in which case we will need to remember the whole signature-hash
279 * pair list from the extension.
282 for( p = buf + 2; p < end; p += 2 )
284 /* Silently ignore unknown signature or hash algorithms. */
286 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
288 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
289 " unknown sig alg encoding %d", p[1] ) );
293 /* Check if we support the hash the user proposes */
294 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
295 if( md_cur == MBEDTLS_MD_NONE )
297 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
298 " unknown hash alg encoding %d", p[0] ) );
302 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
304 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
305 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
306 " match sig %d and hash %d",
311 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
312 "hash alg %d not supported", md_cur ) );
318 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
319 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
321 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
322 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
323 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
324 const unsigned char *buf,
327 size_t list_size, our_size;
328 const unsigned char *p;
329 const mbedtls_ecp_curve_info *curve_info, **curves;
332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
333 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
334 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
335 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
337 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
338 if( list_size + 2 != len ||
341 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
342 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
343 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
344 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
347 /* Should never happen unless client duplicates the extension */
348 if( ssl->handshake->curves != NULL )
350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
351 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
352 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
353 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
356 /* Don't allow our peer to make us allocate too much memory,
357 * and leave room for a final 0 */
358 our_size = list_size / 2 + 1;
359 if( our_size > MBEDTLS_ECP_DP_MAX )
360 our_size = MBEDTLS_ECP_DP_MAX;
362 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
364 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
365 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
366 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
369 ssl->handshake->curves = curves;
372 while( list_size > 0 && our_size > 1 )
374 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
376 if( curve_info != NULL )
378 *curves++ = curve_info;
389 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
390 const unsigned char *buf,
394 const unsigned char *p;
396 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
398 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
399 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
400 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
401 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
406 while( list_size > 0 )
408 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
409 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
411 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
412 ssl->handshake->ecdh_ctx.point_format = p[0];
414 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
415 ssl->handshake->ecjpake_ctx.point_format = p[0];
417 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
427 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
428 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
430 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
431 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
432 const unsigned char *buf,
437 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
439 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
443 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
447 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
448 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
452 /* Only mark the extension as OK when we're sure it is */
453 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
457 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
459 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
460 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
461 const unsigned char *buf,
464 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
467 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
468 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
469 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
472 ssl->session_negotiate->mfl_code = buf[0];
476 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
478 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
479 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
480 const unsigned char *buf,
485 /* CID extension only makes sense in DTLS */
486 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
489 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
490 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
491 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
495 * Quoting draft-ietf-tls-dtls-connection-id-05
496 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
499 * opaque cid<0..2^8-1>;
505 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
506 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
507 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
508 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
511 peer_cid_len = *buf++;
514 if( len != peer_cid_len )
516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
517 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
518 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
519 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
522 /* Ignore CID if the user has disabled its use. */
523 if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
525 /* Leave ssl->handshake->cid_in_use in its default
526 * value of MBEDTLS_SSL_CID_DISABLED. */
527 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) );
531 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
534 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
535 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
536 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
539 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
540 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
541 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
543 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
544 MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len );
548 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
550 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
551 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
552 const unsigned char *buf,
557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
558 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
559 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
560 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
565 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
566 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
570 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
572 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
573 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
574 const unsigned char *buf,
579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
580 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
587 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
588 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
590 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
595 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
597 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
598 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
599 const unsigned char *buf,
604 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
605 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
606 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
607 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
612 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
613 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
615 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
620 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
622 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
623 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
628 mbedtls_ssl_session session;
630 mbedtls_ssl_session_init( &session );
632 if( ssl->conf->f_ticket_parse == NULL ||
633 ssl->conf->f_ticket_write == NULL )
638 /* Remember the client asked us to send a new ticket */
639 ssl->handshake->new_session_ticket = 1;
641 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
646 #if defined(MBEDTLS_SSL_RENEGOTIATION)
647 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
649 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
652 #endif /* MBEDTLS_SSL_RENEGOTIATION */
655 * Failures are ok: just ignore the ticket and proceed.
657 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
660 mbedtls_ssl_session_free( &session );
662 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
663 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
664 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
665 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
667 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
673 * Keep the session ID sent by the client, since we MUST send it back to
674 * inform them we're accepting the ticket (RFC 5077 section 3.4)
676 session.id_len = ssl->session_negotiate->id_len;
677 memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
679 mbedtls_ssl_session_free( ssl->session_negotiate );
680 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
682 /* Zeroize instead of free as we copied the content */
683 mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
685 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
687 ssl->handshake->resume = 1;
689 /* Don't send a new ticket after all, this one is OK */
690 ssl->handshake->new_session_ticket = 0;
694 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
696 #if defined(MBEDTLS_SSL_ALPN)
697 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
698 const unsigned char *buf, size_t len )
700 size_t list_len, cur_len, ours_len;
701 const unsigned char *theirs, *start, *end;
704 /* If ALPN not configured, just ignore the extension */
705 if( ssl->conf->alpn_list == NULL )
709 * opaque ProtocolName<1..2^8-1>;
712 * ProtocolName protocol_name_list<2..2^16-1>
713 * } ProtocolNameList;
716 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
719 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
720 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
721 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
724 list_len = ( buf[0] << 8 ) | buf[1];
725 if( list_len != len - 2 )
727 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
728 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
729 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
733 * Validate peer's list (lengths)
737 for( theirs = start; theirs != end; theirs += cur_len )
741 /* Current identifier must fit in list */
742 if( cur_len > (size_t)( end - theirs ) )
744 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
745 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
746 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
749 /* Empty strings MUST NOT be included */
752 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
753 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
754 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
759 * Use our order of preference
761 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
763 ours_len = strlen( *ours );
764 for( theirs = start; theirs != end; theirs += cur_len )
768 if( cur_len == ours_len &&
769 memcmp( theirs, *ours, cur_len ) == 0 )
771 ssl->alpn_chosen = *ours;
777 /* If we get there, no match was found */
778 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
779 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
780 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
782 #endif /* MBEDTLS_SSL_ALPN */
785 * Auxiliary functions for ServerHello parsing and related actions
788 #if defined(MBEDTLS_X509_CRT_PARSE_C)
790 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
792 #if defined(MBEDTLS_ECDSA_C)
793 static int ssl_check_key_curve( mbedtls_pk_context *pk,
794 const mbedtls_ecp_curve_info **curves )
796 const mbedtls_ecp_curve_info **crv = curves;
797 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
799 while( *crv != NULL )
801 if( (*crv)->grp_id == grp_id )
808 #endif /* MBEDTLS_ECDSA_C */
811 * Try picking a certificate for this ciphersuite,
812 * return 0 on success and -1 on failure.
814 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
815 const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
817 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
818 mbedtls_pk_type_t pk_alg =
819 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
822 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
823 if( ssl->handshake->sni_key_cert != NULL )
824 list = ssl->handshake->sni_key_cert;
827 list = ssl->conf->key_cert;
829 if( pk_alg == MBEDTLS_PK_NONE )
832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
836 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
840 for( cur = list; cur != NULL; cur = cur->next )
842 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
845 if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
847 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
852 * This avoids sending the client a cert it'll reject based on
853 * keyUsage or other extensions.
855 * It also allows the user to provision different certificates for
856 * different uses based on keyUsage, eg if they want to avoid signing
857 * and decrypting with the same RSA key.
859 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
860 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
862 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
863 "(extended) key usage extension" ) );
867 #if defined(MBEDTLS_ECDSA_C)
868 if( pk_alg == MBEDTLS_PK_ECDSA &&
869 ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
871 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
877 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
878 * present them a SHA-higher cert rather than failing if it's the only
879 * one we got that satisfies the other conditions.
881 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
882 cur->cert->sig_md != MBEDTLS_MD_SHA1 )
884 if( fallback == NULL )
887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
888 "sha-2 with pre-TLS 1.2 client" ) );
893 /* If we get there, we got a winner */
900 /* Do not update ssl->handshake->key_cert unless there is a match */
903 ssl->handshake->key_cert = cur;
904 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
905 ssl->handshake->key_cert->cert );
911 #endif /* MBEDTLS_X509_CRT_PARSE_C */
914 * Check if a given ciphersuite is suitable for use with our config/keys/etc
915 * Sets ciphersuite_info only if the suite matches.
917 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
918 const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
920 const mbedtls_ssl_ciphersuite_t *suite_info;
922 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
923 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
924 mbedtls_pk_type_t sig_type;
927 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
928 if( suite_info == NULL )
930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
931 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
936 if( suite_info->min_minor_ver > ssl->minor_ver ||
937 suite_info->max_minor_ver < ssl->minor_ver )
939 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
943 #if defined(MBEDTLS_SSL_PROTO_DTLS)
944 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
945 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
949 #if defined(MBEDTLS_ARC4_C)
950 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
951 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
958 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
959 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
960 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
963 "not configured or ext missing" ) );
969 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
970 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
971 ( ssl->handshake->curves == NULL ||
972 ssl->handshake->curves[0] == NULL ) )
974 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
975 "no common elliptic curve" ) );
980 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
981 /* If the ciphersuite requires a pre-shared key and we don't
982 * have one, skip it now rather than failing later */
983 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
984 ssl_conf_has_psk_or_cb( ssl->conf ) == 0 )
986 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
991 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
992 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
993 /* If the ciphersuite requires signing, check whether
994 * a suitable hash algorithm is present. */
995 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
997 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
998 if( sig_type != MBEDTLS_PK_NONE &&
999 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
1001 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
1002 "for signature algorithm %d", sig_type ) );
1007 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1008 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1010 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1012 * Final check: if ciphersuite requires us to have a
1013 * certificate/key of a particular type:
1014 * - select the appropriate certificate if we have one, or
1015 * - try the next ciphersuite if we don't
1016 * This must be done last since we modify the key_cert list.
1018 if( ssl_pick_cert( ssl, suite_info ) != 0 )
1020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
1021 "no suitable certificate" ) );
1026 *ciphersuite_info = suite_info;
1030 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1031 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
1033 int ret, got_common_suite;
1036 unsigned int ciph_len, sess_len, chal_len;
1037 unsigned char *buf, *p;
1038 const int *ciphersuites;
1039 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1041 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
1043 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1044 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
1047 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1048 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1049 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1051 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1055 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
1057 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
1059 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
1060 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
1061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
1065 * SSLv2 Client Hello
1068 * 0 . 1 message length
1071 * 2 . 2 message type
1072 * 3 . 4 protocol version
1074 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
1075 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
1077 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1078 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1081 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
1083 if( n < 17 || n > 512 )
1085 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1086 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1089 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
1090 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
1091 ? buf[4] : ssl->conf->max_minor_ver;
1093 if( ssl->minor_ver < ssl->conf->min_minor_ver )
1095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1096 " [%d:%d] < [%d:%d]",
1097 ssl->major_ver, ssl->minor_ver,
1098 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
1100 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1101 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1102 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1105 ssl->handshake->max_major_ver = buf[3];
1106 ssl->handshake->max_minor_ver = buf[4];
1108 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
1110 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1114 ssl->handshake->update_checksum( ssl, buf + 2, n );
1117 n = ssl->in_left - 5;
1120 * 0 . 1 ciphersuitelist length
1121 * 2 . 3 session id length
1122 * 4 . 5 challenge length
1123 * 6 . .. ciphersuitelist
1124 * .. . .. session id
1127 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
1129 ciph_len = ( buf[0] << 8 ) | buf[1];
1130 sess_len = ( buf[2] << 8 ) | buf[3];
1131 chal_len = ( buf[4] << 8 ) | buf[5];
1133 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
1134 ciph_len, sess_len, chal_len ) );
1137 * Make sure each parameter length is valid
1139 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
1141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1142 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1147 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1148 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1151 if( chal_len < 8 || chal_len > 32 )
1153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1154 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1157 if( n != 6 + ciph_len + sess_len + chal_len )
1159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1160 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1163 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1164 buf + 6, ciph_len );
1165 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
1166 buf + 6 + ciph_len, sess_len );
1167 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
1168 buf + 6 + ciph_len + sess_len, chal_len );
1170 p = buf + 6 + ciph_len;
1171 ssl->session_negotiate->id_len = sess_len;
1172 memset( ssl->session_negotiate->id, 0,
1173 sizeof( ssl->session_negotiate->id ) );
1174 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
1177 memset( ssl->handshake->randbytes, 0, 64 );
1178 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
1181 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1183 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1185 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
1187 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1188 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1189 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1192 "during renegotiation" ) );
1194 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1195 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1196 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1198 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1199 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1204 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1205 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
1208 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
1209 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
1211 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
1213 if( ssl->minor_ver < ssl->conf->max_minor_ver )
1215 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1217 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1218 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1220 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1226 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1228 got_common_suite = 0;
1229 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1230 ciphersuite_info = NULL;
1231 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
1232 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1233 for( i = 0; ciphersuites[i] != 0; i++ )
1235 for( i = 0; ciphersuites[i] != 0; i++ )
1236 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
1240 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
1241 p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
1244 got_common_suite = 1;
1246 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1247 &ciphersuite_info ) ) != 0 )
1250 if( ciphersuite_info != NULL )
1251 goto have_ciphersuite_v2;
1254 if( got_common_suite )
1256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1257 "but none of them usable" ) );
1258 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
1262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1263 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
1266 have_ciphersuite_v2:
1267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1269 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1270 ssl->handshake->ciphersuite_info = ciphersuite_info;
1273 * SSLv2 Client Hello relevant renegotiation security checks
1275 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1276 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1279 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1280 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1281 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1287 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
1291 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
1293 /* This function doesn't alert on errors that happen early during
1294 ClientHello parsing because they might indicate that the client is
1295 not talking SSL/TLS at all and would not understand our alert. */
1296 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
1298 int ret, got_common_suite;
1300 size_t ciph_offset, comp_offset, ext_offset;
1301 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
1302 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1303 size_t cookie_offset, cookie_len;
1305 unsigned char *buf, *p, *ext;
1306 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1307 int renegotiation_info_seen = 0;
1309 int handshake_failure = 0;
1310 const int *ciphersuites;
1311 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1314 /* If there is no signature-algorithm extension present,
1315 * we need to fall back to the default values for allowed
1316 * signature-hash pairs. */
1317 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1318 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1319 int sig_hash_alg_ext_present = 0;
1320 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1321 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1323 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1325 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1329 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1330 * otherwise read it ourselves manually in order to support SSLv2
1331 * ClientHello, which doesn't use the same record layer format.
1333 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1334 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1337 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
1339 /* No alert on a read error. */
1340 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1347 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
1348 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1349 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
1351 if( ( buf[0] & 0x80 ) != 0 )
1352 return( ssl_parse_client_hello_v2( ssl ) );
1355 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) );
1358 * SSLv3/TLS Client Hello
1361 * 0 . 0 message type
1362 * 1 . 2 protocol version
1363 * 3 . 11 DTLS: epoch + record sequence number
1364 * 3 . 4 message length
1366 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
1369 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
1371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1372 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1375 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
1376 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
1378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
1381 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
1383 /* According to RFC 5246 Appendix E.1, the version here is typically
1384 * "{03,00}, the lowest version number supported by the client, [or] the
1385 * value of ClientHello.client_version", so the only meaningful check here
1386 * is the major version shouldn't be less than 3 */
1387 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
1389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1390 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1393 /* For DTLS if this is the initial handshake, remember the client sequence
1394 * number to use it in our next message (RFC 6347 4.2.1) */
1395 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1396 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
1397 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1398 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1402 /* Epoch should be 0 for initial handshakes */
1403 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
1405 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1406 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1409 memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
1411 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1412 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
1414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1415 ssl->next_record_offset = 0;
1417 goto read_record_header;
1420 /* No MAC to check yet, so we can update right now */
1421 mbedtls_ssl_dtls_replay_update( ssl );
1424 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1426 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
1428 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1429 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1431 /* Set by mbedtls_ssl_read_record() */
1432 msg_len = ssl->in_hslen;
1437 if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
1439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1440 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1443 if( ( ret = mbedtls_ssl_fetch_input( ssl,
1444 mbedtls_ssl_in_hdr_len( ssl ) + msg_len ) ) != 0 )
1446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1450 /* Done reading this record, get ready for the next one */
1451 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1452 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1453 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl );
1461 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
1463 ssl->handshake->update_checksum( ssl, buf, msg_len );
1467 * 0 . 0 handshake type
1468 * 1 . 3 handshake length
1469 * 4 . 5 DTLS only: message seqence number
1470 * 6 . 8 DTLS only: fragment offset
1471 * 9 . 11 DTLS only: fragment length
1473 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
1475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1476 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1479 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
1481 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
1483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1484 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
1488 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
1490 /* We don't support fragmentation of ClientHello (yet?) */
1492 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
1494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1495 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1498 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1499 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1502 * Copy the client's handshake message_seq on initial handshakes,
1503 * check sequence number on renego.
1505 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1506 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1508 /* This couldn't be done in ssl_prepare_handshake_record() */
1509 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1512 if( cli_msg_seq != ssl->handshake->in_msg_seq )
1514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1515 "%d (expected %d)", cli_msg_seq,
1516 ssl->handshake->in_msg_seq ) );
1517 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1520 ssl->handshake->in_msg_seq++;
1525 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1527 ssl->handshake->out_msg_seq = cli_msg_seq;
1528 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1532 * For now we don't support fragmentation, so make sure
1533 * fragment_offset == 0 and fragment_length == length
1535 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
1536 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
1538 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1539 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1542 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1544 buf += mbedtls_ssl_hs_hdr_len( ssl );
1545 msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
1548 * ClientHello layer:
1549 * 0 . 1 protocol version
1550 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1551 * 34 . 35 session id length (1 byte)
1552 * 35 . 34+x session id
1553 * 35+x . 35+x DTLS only: cookie length (1 byte)
1554 * 36+x . .. DTLS only: cookie
1555 * .. . .. ciphersuite list length (2 bytes)
1556 * .. . .. ciphersuite list
1557 * .. . .. compression alg. list length (1 byte)
1558 * .. . .. compression alg. list
1559 * .. . .. extensions length (2 bytes, optional)
1560 * .. . .. extensions (optional)
1564 * Minimal length (with everything empty and extensions omitted) is
1565 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1566 * read at least up to session id length without worrying.
1570 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1571 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1575 * Check and save the protocol version
1577 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
1579 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1580 ssl->conf->transport, buf );
1582 ssl->handshake->max_major_ver = ssl->major_ver;
1583 ssl->handshake->max_minor_ver = ssl->minor_ver;
1585 if( ssl->major_ver < ssl->conf->min_major_ver ||
1586 ssl->minor_ver < ssl->conf->min_minor_ver )
1588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1589 " [%d:%d] < [%d:%d]",
1590 ssl->major_ver, ssl->minor_ver,
1591 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
1592 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1593 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1594 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
1597 if( ssl->major_ver > ssl->conf->max_major_ver )
1599 ssl->major_ver = ssl->conf->max_major_ver;
1600 ssl->minor_ver = ssl->conf->max_minor_ver;
1602 else if( ssl->minor_ver > ssl->conf->max_minor_ver )
1603 ssl->minor_ver = ssl->conf->max_minor_ver;
1606 * Save client random (inc. Unix time)
1608 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
1610 memcpy( ssl->handshake->randbytes, buf + 2, 32 );
1613 * Check the session ID length and save session ID
1617 if( sess_len > sizeof( ssl->session_negotiate->id ) ||
1618 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
1620 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1621 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1622 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1623 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1626 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
1628 ssl->session_negotiate->id_len = sess_len;
1629 memset( ssl->session_negotiate->id, 0,
1630 sizeof( ssl->session_negotiate->id ) );
1631 memcpy( ssl->session_negotiate->id, buf + 35,
1632 ssl->session_negotiate->id_len );
1635 * Check the cookie length and content
1637 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1638 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1640 cookie_offset = 35 + sess_len;
1641 cookie_len = buf[cookie_offset];
1643 if( cookie_offset + 1 + cookie_len + 2 > msg_len )
1645 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1646 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1647 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1648 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1651 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1652 buf + cookie_offset + 1, cookie_len );
1654 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1655 if( ssl->conf->f_cookie_check != NULL
1656 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1657 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1661 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
1662 buf + cookie_offset + 1, cookie_len,
1663 ssl->cli_id, ssl->cli_id_len ) != 0 )
1665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1666 ssl->handshake->verify_cookie_len = 1;
1670 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1671 ssl->handshake->verify_cookie_len = 0;
1675 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1677 /* We know we didn't send a cookie, so it should be empty */
1678 if( cookie_len != 0 )
1680 /* This may be an attacker's probe, so don't send an alert */
1681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1682 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1685 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1689 * Check the ciphersuitelist length (will be parsed later)
1691 ciph_offset = cookie_offset + 1 + cookie_len;
1694 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1695 ciph_offset = 35 + sess_len;
1697 ciph_len = ( buf[ciph_offset + 0] << 8 )
1698 | ( buf[ciph_offset + 1] );
1701 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1702 ( ciph_len % 2 ) != 0 )
1704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1705 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1706 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1707 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1710 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1711 buf + ciph_offset + 2, ciph_len );
1714 * Check the compression algorithms length and pick one
1716 comp_offset = ciph_offset + 2 + ciph_len;
1718 comp_len = buf[comp_offset];
1722 comp_len + comp_offset + 1 > msg_len )
1724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1725 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1726 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1727 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1730 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1731 buf + comp_offset + 1, comp_len );
1733 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1734 #if defined(MBEDTLS_ZLIB_SUPPORT)
1735 for( i = 0; i < comp_len; ++i )
1737 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
1739 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
1745 /* See comments in ssl_write_client_hello() */
1746 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1747 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1748 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1751 /* Do not parse the extensions if the protocol is SSLv3 */
1752 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1753 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
1757 * Check the extension length
1759 ext_offset = comp_offset + 1 + comp_len;
1760 if( msg_len > ext_offset )
1762 if( msg_len < ext_offset + 2 )
1764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1765 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1766 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1767 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1770 ext_len = ( buf[ext_offset + 0] << 8 )
1771 | ( buf[ext_offset + 1] );
1773 if( ( ext_len > 0 && ext_len < 4 ) ||
1774 msg_len != ext_offset + 2 + ext_len )
1776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1777 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1778 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1779 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1785 ext = buf + ext_offset + 2;
1786 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
1788 while( ext_len != 0 )
1790 unsigned int ext_id;
1791 unsigned int ext_size;
1792 if ( ext_len < 4 ) {
1793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1794 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1795 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1796 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1798 ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
1799 ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
1801 if( ext_size + 4 > ext_len )
1803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1804 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1805 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1806 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1810 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1811 case MBEDTLS_TLS_EXT_SERVERNAME:
1812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1813 if( ssl->conf->f_sni == NULL )
1816 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1820 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1822 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1823 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1824 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1825 renegotiation_info_seen = 1;
1828 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1833 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1834 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1835 case MBEDTLS_TLS_EXT_SIG_ALG:
1836 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1838 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1842 sig_hash_alg_ext_present = 1;
1844 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1845 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
1847 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1848 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1849 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1850 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1852 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1857 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1858 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1859 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1861 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1865 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1866 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1868 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1869 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1870 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1872 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
1876 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1878 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1879 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1880 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1882 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1886 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1888 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1889 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
1890 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
1892 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
1896 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1898 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1899 case MBEDTLS_TLS_EXT_CID:
1900 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
1902 ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size );
1906 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1908 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1909 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1912 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
1916 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1918 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1919 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1920 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1922 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
1926 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1928 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1929 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1930 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1932 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1936 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1938 #if defined(MBEDTLS_SSL_ALPN)
1939 case MBEDTLS_TLS_EXT_ALPN:
1940 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1942 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1946 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
1953 ext_len -= 4 + ext_size;
1954 ext += 4 + ext_size;
1956 if( ext_len > 0 && ext_len < 4 )
1958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1959 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1960 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1961 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1964 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1968 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1969 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
1971 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
1972 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) )
1974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
1976 if( ssl->minor_ver < ssl->conf->max_minor_ver )
1978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
1980 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1981 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
1983 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
1989 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */
1991 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1992 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1995 * Try to fall back to default hash SHA1 if the client
1996 * hasn't provided any preferred signature-hash combinations.
1998 if( sig_hash_alg_ext_present == 0 )
2000 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
2002 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
2003 md_default = MBEDTLS_MD_NONE;
2005 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
2008 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
2009 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
2012 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
2014 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
2016 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
2018 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
2019 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2020 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
2022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
2023 "during renegotiation" ) );
2024 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2025 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2026 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
2029 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
2035 * Renegotiation security checks
2037 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2038 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
2040 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
2041 handshake_failure = 1;
2043 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2044 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2045 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2046 renegotiation_info_seen == 0 )
2048 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
2049 handshake_failure = 1;
2051 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2052 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2053 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
2055 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2056 handshake_failure = 1;
2058 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2059 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2060 renegotiation_info_seen == 1 )
2062 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
2063 handshake_failure = 1;
2065 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2067 if( handshake_failure == 1 )
2069 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2070 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2071 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
2075 * Search for a matching ciphersuite
2076 * (At the end because we need information from the EC-based extensions
2077 * and certificate from the SNI callback triggered by the SNI extension.)
2079 got_common_suite = 0;
2080 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
2081 ciphersuite_info = NULL;
2082 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
2083 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
2084 for( i = 0; ciphersuites[i] != 0; i++ )
2086 for( i = 0; ciphersuites[i] != 0; i++ )
2087 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
2090 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
2091 p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
2094 got_common_suite = 1;
2096 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
2097 &ciphersuite_info ) ) != 0 )
2100 if( ciphersuite_info != NULL )
2101 goto have_ciphersuite;
2104 if( got_common_suite )
2106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
2107 "but none of them usable" ) );
2108 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2109 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2110 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
2114 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
2115 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2116 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
2117 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
2121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
2123 ssl->session_negotiate->ciphersuite = ciphersuites[i];
2124 ssl->handshake->ciphersuite_info = ciphersuite_info;
2128 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2129 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2130 mbedtls_ssl_recv_flight_completed( ssl );
2133 /* Debugging-only output for testsuite */
2134 #if defined(MBEDTLS_DEBUG_C) && \
2135 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2136 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
2137 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2139 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
2140 if( sig_alg != MBEDTLS_PK_NONE )
2142 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
2144 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
2145 mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
2149 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
2150 "%d - should not happen", sig_alg ) );
2155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
2160 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2161 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
2165 unsigned char *p = buf;
2167 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
2173 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
2175 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
2176 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
2183 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2185 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2186 static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
2190 unsigned char *p = buf;
2192 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2196 /* Skip writing the extension if we don't want to use it or if
2197 * the client hasn't offered it. */
2198 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED )
2201 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
2202 * which is at most 255, so the increment cannot overflow. */
2203 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
2205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2209 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) );
2212 * Quoting draft-ietf-tls-dtls-connection-id-05
2213 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
2216 * opaque cid<0..2^8-1>;
2220 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
2221 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
2222 ext_len = (size_t) ssl->own_cid_len + 1;
2223 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
2224 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
2226 *p++ = (uint8_t) ssl->own_cid_len;
2227 memcpy( p, ssl->own_cid, ssl->own_cid_len );
2229 *olen = ssl->own_cid_len + 5;
2231 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2233 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2234 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
2238 unsigned char *p = buf;
2239 const mbedtls_ssl_ciphersuite_t *suite = NULL;
2240 const mbedtls_cipher_info_t *cipher = NULL;
2242 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
2243 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2250 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
2251 * from a client and then selects a stream or Authenticated Encryption
2252 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
2253 * encrypt-then-MAC response extension back to the client."
2255 if( ( suite = mbedtls_ssl_ciphersuite_from_id(
2256 ssl->session_negotiate->ciphersuite ) ) == NULL ||
2257 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
2258 cipher->mode != MBEDTLS_MODE_CBC )
2264 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
2266 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
2267 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
2274 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2276 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2277 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
2281 unsigned char *p = buf;
2283 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
2284 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
2293 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
2294 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
2301 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2303 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2304 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
2308 unsigned char *p = buf;
2310 if( ssl->handshake->new_session_ticket == 0 )
2316 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
2318 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
2319 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
2326 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2328 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
2332 unsigned char *p = buf;
2334 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
2340 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
2342 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
2343 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
2345 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2346 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
2349 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
2350 *p++ = ssl->verify_data_len * 2 & 0xFF;
2352 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
2353 p += ssl->verify_data_len;
2354 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
2355 p += ssl->verify_data_len;
2358 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2368 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2369 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
2373 unsigned char *p = buf;
2375 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
2381 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2383 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
2384 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
2389 *p++ = ssl->session_negotiate->mfl_code;
2393 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2395 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2396 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2397 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
2401 unsigned char *p = buf;
2404 if( ( ssl->handshake->cli_exts &
2405 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
2411 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2413 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
2414 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
2420 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
2424 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2426 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2427 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
2432 unsigned char *p = buf;
2433 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2438 /* Skip costly computation if not needed */
2439 if( ssl->handshake->ciphersuite_info->key_exchange !=
2440 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2443 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2447 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2451 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
2452 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
2454 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
2455 p + 2, end - p - 2, &kkpp_len,
2456 ssl->conf->f_rng, ssl->conf->p_rng );
2459 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
2463 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
2464 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
2466 *olen = kkpp_len + 4;
2468 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2470 #if defined(MBEDTLS_SSL_ALPN )
2471 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2472 unsigned char *buf, size_t *olen )
2474 if( ssl->alpn_chosen == NULL )
2480 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2483 * 0 . 1 ext identifier
2485 * 4 . 5 protocol list length
2486 * 6 . 6 protocol name length
2487 * 7 . 7+n protocol name
2489 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
2490 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
2492 *olen = 7 + strlen( ssl->alpn_chosen );
2494 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
2495 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
2497 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
2498 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
2500 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
2502 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
2504 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2506 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2507 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
2510 unsigned char *p = ssl->out_msg + 4;
2511 unsigned char *cookie_len_byte;
2513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2517 * ProtocolVersion server_version;
2518 * opaque cookie<0..2^8-1>;
2519 * } HelloVerifyRequest;
2522 /* The RFC is not clear on this point, but sending the actual negotiated
2523 * version looks like the most interoperable thing to do. */
2524 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2525 ssl->conf->transport, p );
2526 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
2529 /* If we get here, f_cookie_check is not null */
2530 if( ssl->conf->f_cookie_write == NULL )
2532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2533 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2536 /* Skip length byte until we know the length */
2537 cookie_len_byte = p++;
2539 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
2540 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2541 ssl->cli_id, ssl->cli_id_len ) ) != 0 )
2543 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
2547 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
2549 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
2551 ssl->out_msglen = p - ssl->out_msg;
2552 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2553 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2555 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2557 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
2559 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
2563 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2564 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2565 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2567 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2570 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2572 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2576 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2578 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
2580 #if defined(MBEDTLS_HAVE_TIME)
2584 size_t olen, ext_len = 0, n;
2585 unsigned char *buf, *p;
2587 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2589 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2590 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2591 ssl->handshake->verify_cookie_len != 0 )
2593 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2594 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2596 return( ssl_write_hello_verify_request( ssl ) );
2598 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2600 if( ssl->conf->f_rng == NULL )
2602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2603 return( MBEDTLS_ERR_SSL_NO_RNG );
2607 * 0 . 0 handshake type
2608 * 1 . 3 handshake length
2609 * 4 . 5 protocol version
2611 * 10 . 37 random bytes
2616 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2617 ssl->conf->transport, p );
2620 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2623 #if defined(MBEDTLS_HAVE_TIME)
2624 t = mbedtls_time( NULL );
2625 *p++ = (unsigned char)( t >> 24 );
2626 *p++ = (unsigned char)( t >> 16 );
2627 *p++ = (unsigned char)( t >> 8 );
2628 *p++ = (unsigned char)( t );
2630 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
2632 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
2636 #endif /* MBEDTLS_HAVE_TIME */
2638 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
2643 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
2645 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
2648 * Resume is 0 by default, see ssl_handshake_init().
2649 * It may be already set to 1 by ssl_parse_session_ticket_ext().
2650 * If not, try looking up session ID in our cache.
2652 if( ssl->handshake->resume == 0 &&
2653 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2654 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
2656 ssl->session_negotiate->id_len != 0 &&
2657 ssl->conf->f_get_cache != NULL &&
2658 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
2660 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2661 ssl->handshake->resume = 1;
2664 if( ssl->handshake->resume == 0 )
2667 * New session, create a new session id,
2668 * unless we're about to issue a session ticket
2672 #if defined(MBEDTLS_HAVE_TIME)
2673 ssl->session_negotiate->start = mbedtls_time( NULL );
2676 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2677 if( ssl->handshake->new_session_ticket != 0 )
2679 ssl->session_negotiate->id_len = n = 0;
2680 memset( ssl->session_negotiate->id, 0, 32 );
2683 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2685 ssl->session_negotiate->id_len = n = 32;
2686 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
2694 * Resuming a session
2696 n = ssl->session_negotiate->id_len;
2697 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2699 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2701 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2707 * 38 . 38 session id length
2708 * 39 . 38+n session id
2709 * 39+n . 40+n chosen ciphersuite
2710 * 41+n . 41+n chosen compression alg.
2711 * 42+n . 43+n extensions length
2712 * 44+n . 43+n+m extensions
2714 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2715 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
2716 p += ssl->session_negotiate->id_len;
2718 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
2719 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
2720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2721 ssl->handshake->resume ? "a" : "no" ) );
2723 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
2724 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
2725 *p++ = (unsigned char)( ssl->session_negotiate->compression );
2727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2728 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
2729 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2730 ssl->session_negotiate->compression ) );
2732 /* Do not write the extensions if the protocol is SSLv3 */
2733 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2734 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
2739 * First write extensions, then the total length
2741 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
2744 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2745 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
2749 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2750 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
2754 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2755 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
2759 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2760 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
2764 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2765 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
2769 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2770 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
2774 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2775 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2776 if ( mbedtls_ssl_ciphersuite_uses_ec(
2777 mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
2779 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
2784 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2785 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
2789 #if defined(MBEDTLS_SSL_ALPN)
2790 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
2794 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
2798 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
2799 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
2803 #if defined(MBEDTLS_SSL_PROTO_SSL3)
2807 ssl->out_msglen = p - buf;
2808 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2809 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2811 ret = mbedtls_ssl_write_handshake_msg( ssl );
2813 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2818 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
2819 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2821 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2822 ssl->handshake->ciphersuite_info;
2824 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2826 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2828 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2833 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2834 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2836 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
2837 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2839 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2840 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2841 ssl->handshake->ciphersuite_info;
2842 size_t dn_size, total_dn_size; /* excluding length bytes */
2843 size_t ct_len, sa_len; /* including length bytes */
2844 unsigned char *buf, *p;
2845 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2846 const mbedtls_x509_crt *crt;
2849 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2853 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2854 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2855 authmode = ssl->handshake->sni_authmode;
2858 authmode = ssl->conf->authmode;
2860 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
2861 authmode == MBEDTLS_SSL_VERIFY_NONE )
2863 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2868 * 0 . 0 handshake type
2869 * 1 . 3 handshake length
2870 * 4 . 4 cert type count
2871 * 5 .. m-1 cert types
2872 * m .. m+1 sig alg length (TLS 1.2 only)
2873 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2874 * n .. n+1 length of all DNs
2875 * n+2 .. n+3 length of DN 1
2876 * n+4 .. ... Distinguished Name #1
2877 * ... .. ... length of DN 2, etc.
2883 * Supported certificate types
2885 * ClientCertificateType certificate_types<1..2^8-1>;
2886 * enum { (255) } ClientCertificateType;
2890 #if defined(MBEDTLS_RSA_C)
2891 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2893 #if defined(MBEDTLS_ECDSA_C)
2894 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2897 p[0] = (unsigned char) ct_len++;
2901 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2903 * Add signature_algorithms for verify (TLS 1.2)
2905 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2908 * HashAlgorithm hash;
2909 * SignatureAlgorithm signature;
2910 * } SignatureAndHashAlgorithm;
2912 * enum { (255) } HashAlgorithm;
2913 * enum { (255) } SignatureAlgorithm;
2915 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2920 * Supported signature algorithms
2922 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
2924 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
2926 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
2929 #if defined(MBEDTLS_RSA_C)
2930 p[2 + sa_len++] = hash;
2931 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
2933 #if defined(MBEDTLS_ECDSA_C)
2934 p[2 + sa_len++] = hash;
2935 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
2939 p[0] = (unsigned char)( sa_len >> 8 );
2940 p[1] = (unsigned char)( sa_len );
2944 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2947 * DistinguishedName certificate_authorities<0..2^16-1>;
2948 * opaque DistinguishedName<1..2^16-1>;
2954 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
2956 /* NOTE: If trusted certificates are provisioned
2957 * via a CA callback (configured through
2958 * `mbedtls_ssl_conf_ca_cb()`, then the
2959 * CertificateRequest is currently left empty. */
2961 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2962 if( ssl->handshake->sni_ca_chain != NULL )
2963 crt = ssl->handshake->sni_ca_chain;
2966 crt = ssl->conf->ca_chain;
2968 while( crt != NULL && crt->version != 0 )
2970 dn_size = crt->subject_raw.len;
2973 (size_t)( end - p ) < dn_size ||
2974 (size_t)( end - p ) < 2 + dn_size )
2976 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2980 *p++ = (unsigned char)( dn_size >> 8 );
2981 *p++ = (unsigned char)( dn_size );
2982 memcpy( p, crt->subject_raw.p, dn_size );
2985 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
2987 total_dn_size += 2 + dn_size;
2992 ssl->out_msglen = p - buf;
2993 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2994 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2995 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
2996 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
2998 ret = mbedtls_ssl_write_handshake_msg( ssl );
3000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
3004 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3006 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3007 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3008 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
3012 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
3014 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
3015 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
3018 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
3019 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
3020 MBEDTLS_ECDH_OURS ) ) != 0 )
3022 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
3028 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
3029 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3031 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
3032 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3033 static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
3034 size_t *signature_len )
3036 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3037 * signature length which will be added in ssl_write_server_key_exchange
3038 * after the call to ssl_prepare_server_key_exchange.
3039 * ssl_write_server_key_exchange also takes care of incrementing
3040 * ssl->out_msglen. */
3041 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
3042 size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
3044 int ret = ssl->conf->f_async_resume( ssl,
3045 sig_start, signature_len, sig_max_len );
3046 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3048 ssl->handshake->async_in_progress = 0;
3049 mbedtls_ssl_set_async_operation_data( ssl, NULL );
3051 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
3054 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
3055 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3057 /* Prepare the ServerKeyExchange message, up to and including
3058 * calculating the signature if any, but excluding formatting the
3059 * signature and sending the message. */
3060 static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
3061 size_t *signature_len )
3063 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3064 ssl->handshake->ciphersuite_info;
3066 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
3067 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3068 unsigned char *dig_signed = NULL;
3069 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3070 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
3072 (void) ciphersuite_info; /* unused in some configurations */
3073 #if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3074 (void) signature_len;
3075 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3077 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
3081 * Part 1: Provide key exchange parameters for chosen ciphersuite.
3086 * - ECJPAKE key exchanges
3088 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3089 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3094 ret = mbedtls_ecjpake_write_round_two(
3095 &ssl->handshake->ecjpake_ctx,
3096 ssl->out_msg + ssl->out_msglen,
3097 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
3098 ssl->conf->f_rng, ssl->conf->p_rng );
3101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3105 ssl->out_msglen += len;
3107 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3110 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
3111 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
3112 * we use empty support identity hints here.
3114 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
3115 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3116 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3117 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3119 ssl->out_msg[ssl->out_msglen++] = 0x00;
3120 ssl->out_msg[ssl->out_msglen++] = 0x00;
3122 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
3123 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3126 * - DHE key exchanges
3128 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
3129 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
3134 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
3136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
3137 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3141 * Ephemeral DH parameters:
3144 * opaque dh_p<1..2^16-1>;
3145 * opaque dh_g<1..2^16-1>;
3146 * opaque dh_Ys<1..2^16-1>;
3149 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
3151 &ssl->conf->dhm_G ) ) != 0 )
3153 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
3157 if( ( ret = mbedtls_dhm_make_params(
3158 &ssl->handshake->dhm_ctx,
3159 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3160 ssl->out_msg + ssl->out_msglen, &len,
3161 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3163 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
3167 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3168 dig_signed = ssl->out_msg + ssl->out_msglen;
3171 ssl->out_msglen += len;
3173 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3174 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
3175 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
3176 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3178 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
3181 * - ECDHE key exchanges
3183 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
3184 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
3187 * Ephemeral ECDH parameters:
3190 * ECParameters curve_params;
3192 * } ServerECDHParams;
3194 const mbedtls_ecp_curve_info **curve = NULL;
3195 const mbedtls_ecp_group_id *gid;
3199 /* Match our preference list against the offered curves */
3200 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
3201 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
3202 if( (*curve)->grp_id == *gid )
3203 goto curve_matching_done;
3205 curve_matching_done:
3206 if( curve == NULL || *curve == NULL )
3208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
3209 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
3212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
3214 if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
3215 (*curve)->grp_id ) ) != 0 )
3217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
3221 if( ( ret = mbedtls_ecdh_make_params(
3222 &ssl->handshake->ecdh_ctx, &len,
3223 ssl->out_msg + ssl->out_msglen,
3224 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3225 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3227 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
3231 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3232 dig_signed = ssl->out_msg + ssl->out_msglen;
3235 ssl->out_msglen += len;
3237 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3238 MBEDTLS_DEBUG_ECDH_Q );
3240 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
3244 * Part 2: For key exchanges involving the server signing the
3245 * exchange parameters, compute and add the signature here.
3248 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3249 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
3251 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
3253 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3257 * 2.1: Choose hash algorithm:
3258 * A: For TLS 1.2, obey signature-hash-algorithm extension
3259 * to choose appropriate hash.
3260 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
3261 * (RFC 4492, Sec. 5.4)
3262 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
3265 mbedtls_md_type_t md_alg;
3267 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3268 mbedtls_pk_type_t sig_alg =
3269 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
3270 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3272 /* A: For TLS 1.2, obey signature-hash-algorithm extension
3273 * (RFC 5246, Sec. 7.4.1.4.1). */
3274 if( sig_alg == MBEDTLS_PK_NONE ||
3275 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
3276 sig_alg ) ) == MBEDTLS_MD_NONE )
3278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3279 /* (... because we choose a cipher suite
3280 * only if there is a matching hash.) */
3281 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3285 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3286 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3287 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3288 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
3290 /* B: Default hash SHA1 */
3291 md_alg = MBEDTLS_MD_SHA1;
3294 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3295 MBEDTLS_SSL_PROTO_TLS1_1 */
3298 md_alg = MBEDTLS_MD_NONE;
3301 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
3304 * 2.2: Compute the hash to be signed
3306 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3307 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3308 if( md_alg == MBEDTLS_MD_NONE )
3311 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
3318 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3319 MBEDTLS_SSL_PROTO_TLS1_1 */
3320 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3321 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3322 if( md_alg != MBEDTLS_MD_NONE )
3324 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
3332 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3333 MBEDTLS_SSL_PROTO_TLS1_2 */
3335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3336 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3339 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
3342 * 2.3: Compute and add the signature
3344 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3345 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3348 * For TLS 1.2, we need to specify signature and hash algorithm
3349 * explicitly through a prefix to the signature.
3352 * HashAlgorithm hash;
3353 * SignatureAlgorithm signature;
3354 * } SignatureAndHashAlgorithm;
3357 * SignatureAndHashAlgorithm algorithm;
3358 * opaque signature<0..2^16-1>;
3359 * } DigitallySigned;
3363 ssl->out_msg[ssl->out_msglen++] =
3364 mbedtls_ssl_hash_from_md_alg( md_alg );
3365 ssl->out_msg[ssl->out_msglen++] =
3366 mbedtls_ssl_sig_from_pk_alg( sig_alg );
3368 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3370 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3371 if( ssl->conf->f_async_sign_start != NULL )
3373 ret = ssl->conf->f_async_sign_start( ssl,
3374 mbedtls_ssl_own_cert( ssl ),
3375 md_alg, hash, hashlen );
3378 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3379 /* act as if f_async_sign was null */
3382 ssl->handshake->async_in_progress = 1;
3383 return( ssl_resume_server_key_exchange( ssl, signature_len ) );
3384 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3385 ssl->handshake->async_in_progress = 1;
3386 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3388 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
3392 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3394 if( mbedtls_ssl_own_key( ssl ) == NULL )
3396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
3397 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3400 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3401 * signature length which will be added in ssl_write_server_key_exchange
3402 * after the call to ssl_prepare_server_key_exchange.
3403 * ssl_write_server_key_exchange also takes care of incrementing
3404 * ssl->out_msglen. */
3405 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
3406 md_alg, hash, hashlen,
3407 ssl->out_msg + ssl->out_msglen + 2,
3410 ssl->conf->p_rng ) ) != 0 )
3412 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3416 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3421 /* Prepare the ServerKeyExchange message and send it. For ciphersuites
3422 * that do not include a ServerKeyExchange message, do nothing. Either
3423 * way, if successful, move on to the next step in the SSL state
3425 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
3428 size_t signature_len = 0;
3429 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
3430 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3431 ssl->handshake->ciphersuite_info;
3432 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
3434 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
3436 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
3437 /* Extract static ECDH parameters and abort if ServerKeyExchange
3439 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
3441 /* For suites involving ECDH, extract DH parameters
3442 * from certificate at this point. */
3443 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
3444 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
3446 ssl_get_ecdh_params_from_cert( ssl );
3448 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
3450 /* Key exchanges not involving ephemeral keys don't use
3451 * ServerKeyExchange, so end here. */
3452 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
3456 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
3458 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
3459 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3460 /* If we have already prepared the message and there is an ongoing
3461 * signature operation, resume signing. */
3462 if( ssl->handshake->async_in_progress != 0 )
3464 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
3465 ret = ssl_resume_server_key_exchange( ssl, &signature_len );
3468 #endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
3469 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3471 /* ServerKeyExchange is needed. Prepare the message. */
3472 ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
3477 /* If we're starting to write a new message, set ssl->out_msglen
3478 * to 0. But if we're resuming after an asynchronous message,
3479 * out_msglen is the amount of data written so far and mst be
3481 if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3482 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
3484 ssl->out_msglen = 0;
3488 /* If there is a signature, write its length.
3489 * ssl_prepare_server_key_exchange already wrote the signature
3490 * itself at its proper place in the output buffer. */
3491 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
3492 if( signature_len != 0 )
3494 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
3495 ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
3497 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
3498 ssl->out_msg + ssl->out_msglen,
3501 /* Skip over the already-written signature */
3502 ssl->out_msglen += signature_len;
3504 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
3506 /* Add header and send. */
3507 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3508 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3512 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3514 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3518 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3522 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
3526 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3528 ssl->out_msglen = 4;
3529 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3530 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3534 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3535 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3536 mbedtls_ssl_send_flight_completed( ssl );
3539 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3541 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3545 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3546 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3547 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3549 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
3552 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3554 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3559 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3560 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3561 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
3562 const unsigned char *end )
3564 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3568 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3573 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3576 n = ( (*p)[0] << 8 ) | (*p)[1];
3581 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3585 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
3587 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
3588 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3593 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
3597 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3598 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3600 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3601 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3603 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3604 static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
3605 unsigned char *peer_pms,
3606 size_t *peer_pmslen,
3607 size_t peer_pmssize )
3609 int ret = ssl->conf->f_async_resume( ssl,
3610 peer_pms, peer_pmslen, peer_pmssize );
3611 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3613 ssl->handshake->async_in_progress = 0;
3614 mbedtls_ssl_set_async_operation_data( ssl, NULL );
3616 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
3619 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3621 static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
3622 const unsigned char *p,
3623 const unsigned char *end,
3624 unsigned char *peer_pms,
3625 size_t *peer_pmslen,
3626 size_t peer_pmssize )
3629 mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
3630 mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
3631 size_t len = mbedtls_pk_get_len( public_key );
3633 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3634 /* If we have already started decoding the message and there is an ongoing
3635 * decryption operation, resume signing. */
3636 if( ssl->handshake->async_in_progress != 0 )
3638 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
3639 return( ssl_resume_decrypt_pms( ssl,
3640 peer_pms, peer_pmslen, peer_pmssize ) );
3642 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3645 * Prepare to decrypt the premaster using own private RSA key
3647 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3648 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3649 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
3651 if ( p + 2 > end ) {
3652 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3653 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3655 if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
3656 *p++ != ( ( len ) & 0xFF ) )
3658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3659 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3664 if( p + len != end )
3666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3667 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3671 * Decrypt the premaster secret
3673 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3674 if( ssl->conf->f_async_decrypt_start != NULL )
3676 ret = ssl->conf->f_async_decrypt_start( ssl,
3677 mbedtls_ssl_own_cert( ssl ),
3681 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3682 /* act as if f_async_decrypt_start was null */
3685 ssl->handshake->async_in_progress = 1;
3686 return( ssl_resume_decrypt_pms( ssl,
3690 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3691 ssl->handshake->async_in_progress = 1;
3692 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3694 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
3698 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3700 if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
3702 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3703 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3706 ret = mbedtls_pk_decrypt( private_key, p, len,
3707 peer_pms, peer_pmslen, peer_pmssize,
3708 ssl->conf->f_rng, ssl->conf->p_rng );
3712 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
3713 const unsigned char *p,
3714 const unsigned char *end,
3718 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3719 unsigned char ver[2];
3720 unsigned char fake_pms[48], peer_pms[48];
3722 size_t i, peer_pmslen;
3725 /* In case of a failure in decryption, the decryption may write less than
3726 * 2 bytes of output, but we always read the first two bytes. It doesn't
3727 * matter in the end because diff will be nonzero in that case due to
3728 * peer_pmslen being less than 48, and we only care whether diff is 0.
3729 * But do initialize peer_pms for robustness anyway. This also makes
3730 * memory analyzers happy (don't access uninitialized memory, even
3731 * if it's an unsigned char). */
3732 peer_pms[0] = peer_pms[1] = ~0;
3734 ret = ssl_decrypt_encrypted_pms( ssl, p, end,
3737 sizeof( peer_pms ) );
3739 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3740 if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3742 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3744 mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
3745 ssl->handshake->max_minor_ver,
3746 ssl->conf->transport, ver );
3748 /* Avoid data-dependent branches while checking for invalid
3749 * padding, to protect against timing-based Bleichenbacher-type
3751 diff = (unsigned int) ret;
3752 diff |= peer_pmslen ^ 48;
3753 diff |= peer_pms[0] ^ ver[0];
3754 diff |= peer_pms[1] ^ ver[1];
3756 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3757 /* MSVC has a warning about unary minus on unsigned, but this is
3758 * well-defined and precisely what we want to do here */
3759 #if defined(_MSC_VER)
3760 #pragma warning( push )
3761 #pragma warning( disable : 4146 )
3763 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
3764 #if defined(_MSC_VER)
3765 #pragma warning( pop )
3769 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3770 * must not cause the connection to end immediately; instead, send a
3771 * bad_record_mac later in the handshake.
3772 * To protect against timing-based variants of the attack, we must
3773 * not have any branch that depends on whether the decryption was
3774 * successful. In particular, always generate the fake premaster secret,
3775 * regardless of whether it will ultimately influence the output or not.
3777 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
3780 /* It's ok to abort on an RNG failure, since this does not reveal
3781 * anything about the RSA decryption. */
3785 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3790 if( sizeof( ssl->handshake->premaster ) < pms_offset ||
3791 sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
3793 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3794 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3796 ssl->handshake->pmslen = 48;
3798 /* Set pms to either the true or the fake PMS, without
3799 * data-dependent branches. */
3800 for( i = 0; i < ssl->handshake->pmslen; i++ )
3801 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
3805 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3806 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3808 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3809 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
3810 const unsigned char *end )
3815 if( ssl_conf_has_psk_or_cb( ssl->conf ) == 0 )
3817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3818 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3822 * Receive client pre-shared key identity name
3826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3827 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3830 n = ( (*p)[0] << 8 ) | (*p)[1];
3833 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
3835 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3836 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3839 if( ssl->conf->f_psk != NULL )
3841 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
3842 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3846 /* Identity is not a big secret since clients send it in the clear,
3847 * but treat it carefully anyway, just in case */
3848 if( n != ssl->conf->psk_identity_len ||
3849 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
3851 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3855 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
3857 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
3858 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3859 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
3860 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
3867 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3869 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
3872 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3873 unsigned char *p, *end;
3875 ciphersuite_info = ssl->handshake->ciphersuite_info;
3877 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3879 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3880 ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3881 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
3882 if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3883 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
3884 ( ssl->handshake->async_in_progress != 0 ) )
3886 /* We've already read a record and there is an asynchronous
3887 * operation in progress to decrypt it. So skip reading the
3889 MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
3893 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3895 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3899 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3900 end = ssl->in_msg + ssl->in_hslen;
3902 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3905 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3908 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
3910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3911 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3914 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3915 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3917 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3919 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3925 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3926 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3929 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3930 ssl->handshake->premaster,
3931 MBEDTLS_PREMASTER_SIZE,
3932 &ssl->handshake->pmslen,
3933 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3935 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3936 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3939 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3942 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3943 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3944 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3945 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3946 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3947 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3948 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3949 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3950 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3952 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3953 p, end - p) ) != 0 )
3955 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3956 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
3959 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3960 MBEDTLS_DEBUG_ECDH_QP );
3962 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3963 &ssl->handshake->pmslen,
3964 ssl->handshake->premaster,
3965 MBEDTLS_MPI_MAX_SIZE,
3966 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3968 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3969 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
3972 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3973 MBEDTLS_DEBUG_ECDH_Z );
3976 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3977 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3978 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3979 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3980 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3981 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3983 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3985 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3991 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3992 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
3995 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3996 /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically
3997 * and skip the intermediate PMS. */
3998 if( ssl_use_opaque_psk( ssl ) == 1 )
3999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) );
4001 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4002 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
4003 ciphersuite_info->key_exchange ) ) != 0 )
4005 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4010 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
4011 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
4012 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
4014 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4015 if ( ssl->handshake->async_in_progress != 0 )
4017 /* There is an asynchronous operation in progress to
4018 * decrypt the encrypted premaster secret, so skip
4019 * directly to resuming this operation. */
4020 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
4021 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
4022 * won't actually use it, but maintain p anyway for robustness. */
4023 p += ssl->conf->psk_identity_len + 2;
4026 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4027 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
4029 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
4033 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4034 /* Opaque PSKs are currently only supported for PSK-only. */
4035 if( ssl_use_opaque_psk( ssl ) == 1 )
4036 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4039 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
4041 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
4045 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
4046 ciphersuite_info->key_exchange ) ) != 0 )
4048 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4053 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
4054 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
4055 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
4057 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
4059 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
4062 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
4064 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
4068 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4069 /* Opaque PSKs are currently only supported for PSK-only. */
4070 if( ssl_use_opaque_psk( ssl ) == 1 )
4071 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4076 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
4077 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
4080 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
4081 ciphersuite_info->key_exchange ) ) != 0 )
4083 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4088 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
4089 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
4090 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
4092 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
4094 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
4098 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
4099 p, end - p ) ) != 0 )
4101 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
4102 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
4105 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4106 /* Opaque PSKs are currently only supported for PSK-only. */
4107 if( ssl_use_opaque_psk( ssl ) == 1 )
4108 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4111 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
4112 MBEDTLS_DEBUG_ECDH_QP );
4114 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
4115 ciphersuite_info->key_exchange ) ) != 0 )
4117 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
4122 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
4123 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
4124 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
4126 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
4128 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
4133 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
4134 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4135 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
4137 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
4141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
4142 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
4145 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
4146 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
4147 ssl->conf->f_rng, ssl->conf->p_rng );
4150 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
4155 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
4157 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4158 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4161 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
4163 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
4169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
4174 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
4175 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
4177 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4178 ssl->handshake->ciphersuite_info;
4180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4182 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
4184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4190 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4192 #else /* !MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
4193 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
4195 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4197 unsigned char hash[48];
4198 unsigned char *hash_start = hash;
4200 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4201 mbedtls_pk_type_t pk_alg;
4203 mbedtls_md_type_t md_alg;
4204 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4205 ssl->handshake->ciphersuite_info;
4206 mbedtls_pk_context * peer_pk;
4208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4210 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
4212 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4217 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4218 if( ssl->session_negotiate->peer_cert == NULL )
4220 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4224 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4225 if( ssl->session_negotiate->peer_cert_digest == NULL )
4227 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4231 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4233 /* Read the message without adding it to the checksum */
4234 ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
4237 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
4243 /* Process the message contents */
4244 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4245 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
4247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4248 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4251 i = mbedtls_ssl_hs_hdr_len( ssl );
4253 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4254 peer_pk = &ssl->handshake->peer_pubkey;
4255 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4256 if( ssl->session_negotiate->peer_cert == NULL )
4258 /* Should never happen */
4259 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4261 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4262 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4266 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4267 * opaque signature<0..2^16-1>;
4268 * } DigitallySigned;
4270 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4271 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4272 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
4274 md_alg = MBEDTLS_MD_NONE;
4277 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
4278 if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) )
4282 md_alg = MBEDTLS_MD_SHA1;
4286 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
4287 MBEDTLS_SSL_PROTO_TLS1_1 */
4288 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4289 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
4291 if( i + 2 > ssl->in_hslen )
4293 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4294 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4300 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
4302 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
4304 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4305 " for verify message" ) );
4306 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4309 #if !defined(MBEDTLS_MD_SHA1)
4310 if( MBEDTLS_MD_SHA1 == md_alg )
4314 /* Info from md_alg will be used instead */
4322 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
4323 == MBEDTLS_PK_NONE )
4325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4326 " for verify message" ) );
4327 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4331 * Check the certificate's key type matches the signature alg
4333 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
4335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
4336 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4345 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4348 if( i + 2 > ssl->in_hslen )
4350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4351 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4354 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
4357 if( i + sig_len != ssl->in_hslen )
4359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4360 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
4363 /* Calculate hash and verify signature */
4364 ssl->handshake->calc_verify( ssl, hash );
4366 if( ( ret = mbedtls_pk_verify( peer_pk,
4367 md_alg, hash_start, hashlen,
4368 ssl->in_msg + i, sig_len ) ) != 0 )
4370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
4374 mbedtls_ssl_update_handshake_status( ssl );
4376 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
4380 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
4382 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4383 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
4389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
4391 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4392 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4396 * uint32 ticket_lifetime_hint;
4397 * opaque ticket<0..2^16-1>;
4398 * } NewSessionTicket;
4400 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4401 * 8 . 9 ticket_len (n)
4402 * 10 . 9+n ticket content
4405 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
4406 ssl->session_negotiate,
4408 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4409 &tlen, &lifetime ) ) != 0 )
4411 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
4415 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
4416 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
4417 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
4418 ssl->out_msg[7] = ( lifetime ) & 0xFF;
4420 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
4421 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
4423 ssl->out_msglen = 10 + tlen;
4426 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4427 * ChangeCipherSpec share the same state.
4429 ssl->handshake->new_session_ticket = 0;
4431 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
4433 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
4437 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
4441 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4444 * SSL handshake -- server side -- single step
4446 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
4450 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
4451 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4453 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
4455 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
4458 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4459 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4460 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
4462 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
4465 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4467 switch( ssl->state )
4469 case MBEDTLS_SSL_HELLO_REQUEST:
4470 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4476 case MBEDTLS_SSL_CLIENT_HELLO:
4477 ret = ssl_parse_client_hello( ssl );
4480 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4481 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4482 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4488 * ( ServerKeyExchange )
4489 * ( CertificateRequest )
4492 case MBEDTLS_SSL_SERVER_HELLO:
4493 ret = ssl_write_server_hello( ssl );
4496 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4497 ret = mbedtls_ssl_write_certificate( ssl );
4500 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4501 ret = ssl_write_server_key_exchange( ssl );
4504 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4505 ret = ssl_write_certificate_request( ssl );
4508 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4509 ret = ssl_write_server_hello_done( ssl );
4513 * <== ( Certificate/Alert )
4515 * ( CertificateVerify )
4519 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4520 ret = mbedtls_ssl_parse_certificate( ssl );
4523 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4524 ret = ssl_parse_client_key_exchange( ssl );
4527 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4528 ret = ssl_parse_certificate_verify( ssl );
4531 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4532 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
4535 case MBEDTLS_SSL_CLIENT_FINISHED:
4536 ret = mbedtls_ssl_parse_finished( ssl );
4540 * ==> ( NewSessionTicket )
4544 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4545 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4546 if( ssl->handshake->new_session_ticket != 0 )
4547 ret = ssl_write_new_session_ticket( ssl );
4550 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
4553 case MBEDTLS_SSL_SERVER_FINISHED:
4554 ret = mbedtls_ssl_write_finished( ssl );
4557 case MBEDTLS_SSL_FLUSH_BUFFERS:
4558 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4559 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4562 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4563 mbedtls_ssl_handshake_wrapup( ssl );
4567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4568 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4573 #endif /* MBEDTLS_SSL_SRV_C */