1 /*
2 * TLS server-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_SSL_SRV_C)
23
24 #if defined(MBEDTLS_PLATFORM_C)
25 #include "mbedtls/platform.h"
26 #else
27 #include <stdlib.h>
28 #define mbedtls_calloc calloc
29 #define mbedtls_free free
30 #endif
31
32 #include "mbedtls/ssl.h"
33 #include "ssl_misc.h"
34 #include "mbedtls/debug.h"
35 #include "mbedtls/error.h"
36 #include "mbedtls/platform_util.h"
37 #include "constant_time_internal.h"
38 #include "mbedtls/constant_time.h"
39
40 #include <string.h>
41
42 #if defined(VENDOR_ONT_TLS_CERT_FAILED_NOTICE_C)
43 #include "mbedtls/crypto_api.h"
44 #endif
45
46 #if defined(MBEDTLS_ECP_C)
47 #include "mbedtls/ecp.h"
48 #endif
49
50 #if defined(MBEDTLS_HAVE_TIME)
51 #include "mbedtls/platform_time.h"
52 #endif
53
54 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context * ssl,const unsigned char * info,size_t ilen)55 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
56 const unsigned char *info,
57 size_t ilen )
58 {
59 #if defined(VENDOR_IOT_DTLS_CLIENT_SET_COOKIE_C)
60 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
61 {
62 if( ssl->handshake->verify_cookie != NULL )
63 mbedtls_free( ssl->handshake->verify_cookie );
64
65 ssl->handshake->verify_cookie = mbedtls_calloc( 1, ilen );
66 if( ssl->handshake->verify_cookie == NULL )
67 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
68
69 memcpy( ssl->handshake->verify_cookie, info, ilen );
70 ssl->handshake->verify_cookie_len = ilen;
71 return( 0 );
72 }
73 #endif
74 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
75 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
76
77 mbedtls_free( ssl->cli_id );
78
79 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
80 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
81
82 memcpy( ssl->cli_id, info, ilen );
83 ssl->cli_id_len = ilen;
84
85 return( 0 );
86 }
87
mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config * conf,mbedtls_ssl_cookie_write_t * f_cookie_write,mbedtls_ssl_cookie_check_t * f_cookie_check,void * p_cookie)88 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
89 mbedtls_ssl_cookie_write_t *f_cookie_write,
90 mbedtls_ssl_cookie_check_t *f_cookie_check,
91 void *p_cookie )
92 {
93 conf->f_cookie_write = f_cookie_write;
94 conf->f_cookie_check = f_cookie_check;
95 conf->p_cookie = p_cookie;
96 }
97 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
98
99 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
ssl_parse_servername_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)100 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
101 const unsigned char *buf,
102 size_t len )
103 {
104 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
105 size_t servername_list_size, hostname_len;
106 const unsigned char *p;
107
108 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
109
110 if( len < 2 )
111 {
112 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
113 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
114 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
115 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
116 }
117 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
118 if( servername_list_size + 2 != len )
119 {
120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
121 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
122 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
123 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
124 }
125
126 p = buf + 2;
127 while( servername_list_size > 2 )
128 {
129 hostname_len = ( ( p[1] << 8 ) | p[2] );
130 if( hostname_len + 3 > servername_list_size )
131 {
132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
133 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
134 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
135 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
136 }
137
138 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
139 {
140 ret = ssl->conf->f_sni( ssl->conf->p_sni,
141 ssl, p + 3, hostname_len );
142 if( ret != 0 )
143 {
144 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
145 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
146 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
147 return( MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME );
148 }
149 return( 0 );
150 }
151
152 servername_list_size -= hostname_len + 3;
153 p += hostname_len + 3;
154 }
155
156 if( servername_list_size != 0 )
157 {
158 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
159 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
160 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
161 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
162 }
163
164 return( 0 );
165 }
166 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
167
168 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
ssl_conf_has_psk_or_cb(mbedtls_ssl_config const * conf)169 static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
170 {
171 if( conf->f_psk != NULL )
172 return( 1 );
173
174 if( conf->psk_identity_len == 0 || conf->psk_identity == NULL )
175 return( 0 );
176
177 if( conf->psk != NULL && conf->psk_len != 0 )
178 return( 1 );
179
180 #if defined(MBEDTLS_USE_PSA_CRYPTO)
181 if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
182 return( 1 );
183 #endif /* MBEDTLS_USE_PSA_CRYPTO */
184
185 return( 0 );
186 }
187
188 #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_use_opaque_psk(mbedtls_ssl_context const * ssl)189 static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
190 {
191 if( ssl->conf->f_psk != NULL )
192 {
193 /* If we've used a callback to select the PSK,
194 * the static configuration is irrelevant. */
195
196 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
197 return( 1 );
198
199 return( 0 );
200 }
201
202 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
203 return( 1 );
204
205 return( 0 );
206 }
207 #endif /* MBEDTLS_USE_PSA_CRYPTO */
208 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
209
ssl_parse_renegotiation_info(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)210 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
211 const unsigned char *buf,
212 size_t len )
213 {
214 #if defined(MBEDTLS_SSL_RENEGOTIATION)
215 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
216 {
217 /* Check verify-data in constant-time. The length OTOH is no secret */
218 if( len != 1 + ssl->verify_data_len ||
219 buf[0] != ssl->verify_data_len ||
220 mbedtls_ct_memcmp( buf + 1, ssl->peer_verify_data,
221 ssl->verify_data_len ) != 0 )
222 {
223 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
224 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
225 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
226 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
227 }
228 }
229 else
230 #endif /* MBEDTLS_SSL_RENEGOTIATION */
231 {
232 if( len != 1 || buf[0] != 0x0 )
233 {
234 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
235 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
236 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
237 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
238 }
239
240 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
241 }
242
243 return( 0 );
244 }
245
246 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
247 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
248
249 /*
250 * Status of the implementation of signature-algorithms extension:
251 *
252 * Currently, we are only considering the signature-algorithm extension
253 * to pick a ciphersuite which allows us to send the ServerKeyExchange
254 * message with a signature-hash combination that the user allows.
255 *
256 * We do *not* check whether all certificates in our certificate
257 * chain are signed with an allowed signature-hash pair.
258 * This needs to be done at a later stage.
259 *
260 */
ssl_parse_signature_algorithms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)261 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
262 const unsigned char *buf,
263 size_t len )
264 {
265 size_t sig_alg_list_size;
266
267 const unsigned char *p;
268 const unsigned char *end = buf + len;
269
270 mbedtls_md_type_t md_cur;
271 mbedtls_pk_type_t sig_cur;
272
273 if ( len < 2 ) {
274 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
275 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
276 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
277 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
278 }
279 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
280 if( sig_alg_list_size + 2 != len ||
281 sig_alg_list_size % 2 != 0 )
282 {
283 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
284 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
285 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
286 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
287 }
288
289 /* Currently we only guarantee signing the ServerKeyExchange message according
290 * to the constraints specified in this extension (see above), so it suffices
291 * to remember only one suitable hash for each possible signature algorithm.
292 *
293 * This will change when we also consider certificate signatures,
294 * in which case we will need to remember the whole signature-hash
295 * pair list from the extension.
296 */
297
298 for( p = buf + 2; p < end; p += 2 )
299 {
300 /* Silently ignore unknown signature or hash algorithms. */
301
302 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
303 {
304 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
305 " unknown sig alg encoding %d", p[1] ) );
306 continue;
307 }
308
309 /* Check if we support the hash the user proposes */
310 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
311 if( md_cur == MBEDTLS_MD_NONE )
312 {
313 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
314 " unknown hash alg encoding %d", p[0] ) );
315 continue;
316 }
317
318 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
319 {
320 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
321 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
322 " match sig %u and hash %u",
323 (unsigned) sig_cur, (unsigned) md_cur ) );
324 }
325 else
326 {
327 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
328 "hash alg %u not supported", (unsigned) md_cur ) );
329 }
330 }
331
332 return( 0 );
333 }
334 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
335 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
336
337 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
338 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_supported_elliptic_curves(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)339 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
340 const unsigned char *buf,
341 size_t len )
342 {
343 size_t list_size, our_size;
344 const unsigned char *p;
345 const mbedtls_ecp_curve_info *curve_info, **curves;
346
347 if ( len < 2 ) {
348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
349 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
350 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
351 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
352 }
353 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
354 if( list_size + 2 != len ||
355 list_size % 2 != 0 )
356 {
357 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
358 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
359 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
360 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
361 }
362
363 /* Should never happen unless client duplicates the extension */
364 if( ssl->handshake->curves != NULL )
365 {
366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
367 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
368 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
369 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
370 }
371
372 /* Don't allow our peer to make us allocate too much memory,
373 * and leave room for a final 0 */
374 our_size = list_size / 2 + 1;
375 if( our_size > MBEDTLS_ECP_DP_MAX )
376 our_size = MBEDTLS_ECP_DP_MAX;
377
378 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
379 {
380 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
381 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
382 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
383 }
384
385 ssl->handshake->curves = curves;
386
387 p = buf + 2;
388 while( list_size > 0 && our_size > 1 )
389 {
390 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
391
392 if( curve_info != NULL )
393 {
394 *curves++ = curve_info;
395 our_size--;
396 }
397
398 list_size -= 2;
399 p += 2;
400 }
401
402 return( 0 );
403 }
404
ssl_parse_supported_point_formats(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)405 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
406 const unsigned char *buf,
407 size_t len )
408 {
409 size_t list_size;
410 const unsigned char *p;
411
412 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
413 {
414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
415 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
416 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
417 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
418 }
419 list_size = buf[0];
420
421 p = buf + 1;
422 while( list_size > 0 )
423 {
424 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
425 p[0] == MBEDTLS_ECP_PF_COMPRESSED )
426 {
427 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
428 ssl->handshake->ecdh_ctx.point_format = p[0];
429 #endif
430 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
431 mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx,
432 p[0] );
433 #endif
434 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
435 return( 0 );
436 }
437
438 list_size--;
439 p++;
440 }
441
442 return( 0 );
443 }
444 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
445 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
446
447 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_parse_ecjpake_kkpp(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)448 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
449 const unsigned char *buf,
450 size_t len )
451 {
452 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
453
454 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
455 {
456 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
457 return( 0 );
458 }
459
460 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
461 buf, len ) ) != 0 )
462 {
463 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
464 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
465 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
466 return( ret );
467 }
468
469 /* Only mark the extension as OK when we're sure it is */
470 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
471
472 return( 0 );
473 }
474 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
475
476 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_parse_max_fragment_length_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)477 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
478 const unsigned char *buf,
479 size_t len )
480 {
481 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
482 {
483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
484 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
485 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
486 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
487 }
488
489 ssl->session_negotiate->mfl_code = buf[0];
490
491 return( 0 );
492 }
493 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
494
495 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl_parse_cid_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)496 static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
497 const unsigned char *buf,
498 size_t len )
499 {
500 size_t peer_cid_len;
501
502 /* CID extension only makes sense in DTLS */
503 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
504 {
505 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
506 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
507 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
508 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
509 }
510
511 /*
512 * Quoting draft-ietf-tls-dtls-connection-id-05
513 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
514 *
515 * struct {
516 * opaque cid<0..2^8-1>;
517 * } ConnectionId;
518 */
519
520 if( len < 1 )
521 {
522 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
523 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
524 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
525 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
526 }
527
528 peer_cid_len = *buf++;
529 len--;
530
531 if( len != peer_cid_len )
532 {
533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
534 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
535 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
536 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
537 }
538
539 /* Ignore CID if the user has disabled its use. */
540 if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
541 {
542 /* Leave ssl->handshake->cid_in_use in its default
543 * value of MBEDTLS_SSL_CID_DISABLED. */
544 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) );
545 return( 0 );
546 }
547
548 if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
549 {
550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
551 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
552 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
553 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
554 }
555
556 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
557 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
558 memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
559
560 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
561 MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len );
562
563 return( 0 );
564 }
565 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
566
567 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)568 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
569 const unsigned char *buf,
570 size_t len )
571 {
572 if( len != 0 )
573 {
574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
575 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
576 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
577 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
578 }
579
580 ((void) buf);
581
582 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
583 {
584 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
585 }
586
587 return( 0 );
588 }
589 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
590
591 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_parse_extended_ms_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)592 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
593 const unsigned char *buf,
594 size_t len )
595 {
596 if( len != 0 )
597 {
598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
599 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
600 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
601 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
602 }
603
604 ((void) buf);
605
606 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
607 {
608 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
609 }
610
611 return( 0 );
612 }
613 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
614
615 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_parse_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t len)616 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
617 unsigned char *buf,
618 size_t len )
619 {
620 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
621 mbedtls_ssl_session session;
622
623 mbedtls_ssl_session_init( &session );
624
625 if( ssl->conf->f_ticket_parse == NULL ||
626 ssl->conf->f_ticket_write == NULL )
627 {
628 return( 0 );
629 }
630
631 /* Remember the client asked us to send a new ticket */
632 ssl->handshake->new_session_ticket = 1;
633
634 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET, len ) );
635
636 if( len == 0 )
637 return( 0 );
638
639 #if defined(MBEDTLS_SSL_RENEGOTIATION)
640 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
641 {
642 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
643 return( 0 );
644 }
645 #endif /* MBEDTLS_SSL_RENEGOTIATION */
646
647 /*
648 * Failures are ok: just ignore the ticket and proceed.
649 */
650 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
651 buf, len ) ) != 0 )
652 {
653 mbedtls_ssl_session_free( &session );
654
655 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
656 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
657 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
658 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
659 else
660 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
661
662 return( 0 );
663 }
664
665 /*
666 * Keep the session ID sent by the client, since we MUST send it back to
667 * inform them we're accepting the ticket (RFC 5077 section 3.4)
668 */
669 session.id_len = ssl->session_negotiate->id_len;
670 memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
671
672 mbedtls_ssl_session_free( ssl->session_negotiate );
673 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
674
675 /* Zeroize instead of free as we copied the content */
676 mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
677
678 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
679
680 ssl->handshake->resume = 1;
681
682 /* Don't send a new ticket after all, this one is OK */
683 ssl->handshake->new_session_ticket = 0;
684
685 return( 0 );
686 }
687 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
688
689 #if defined(MBEDTLS_SSL_ALPN)
ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)690 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
691 const unsigned char *buf, size_t len )
692 {
693 size_t list_len, cur_len, ours_len;
694 const unsigned char *theirs, *start, *end;
695 const char **ours;
696
697 /* If ALPN not configured, just ignore the extension */
698 if( ssl->conf->alpn_list == NULL )
699 return( 0 );
700
701 /*
702 * opaque ProtocolName<1..2^8-1>;
703 *
704 * struct {
705 * ProtocolName protocol_name_list<2..2^16-1>
706 * } ProtocolNameList;
707 */
708
709 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
710 if( len < 4 )
711 {
712 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
713 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
714 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
715 }
716
717 list_len = ( buf[0] << 8 ) | buf[1];
718 if( list_len != len - 2 )
719 {
720 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
721 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
722 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
723 }
724
725 /*
726 * Validate peer's list (lengths)
727 */
728 start = buf + 2;
729 end = buf + len;
730 for( theirs = start; theirs != end; theirs += cur_len )
731 {
732 cur_len = *theirs++;
733
734 /* Current identifier must fit in list */
735 if( cur_len > (size_t)( end - theirs ) )
736 {
737 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
738 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
739 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
740 }
741
742 /* Empty strings MUST NOT be included */
743 if( cur_len == 0 )
744 {
745 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
746 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
747 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
748 }
749 }
750
751 /*
752 * Use our order of preference
753 */
754 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
755 {
756 ours_len = strlen( *ours );
757 for( theirs = start; theirs != end; theirs += cur_len )
758 {
759 cur_len = *theirs++;
760
761 if( cur_len == ours_len &&
762 memcmp( theirs, *ours, cur_len ) == 0 )
763 {
764 ssl->alpn_chosen = *ours;
765 return( 0 );
766 }
767 }
768 }
769
770 /* If we get there, no match was found */
771 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
772 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
773 return( MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL );
774 }
775 #endif /* MBEDTLS_SSL_ALPN */
776
777 #if defined(MBEDTLS_SSL_DTLS_SRTP)
ssl_parse_use_srtp_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)778 static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
779 const unsigned char *buf,
780 size_t len )
781 {
782 mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
783 size_t i,j;
784 size_t profile_length;
785 uint16_t mki_length;
786 /*! 2 bytes for profile length and 1 byte for mki len */
787 const size_t size_of_lengths = 3;
788
789 /* If use_srtp is not configured, just ignore the extension */
790 if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
791 ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
792 ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
793 {
794 return( 0 );
795 }
796
797 /* RFC5764 section 4.1.1
798 * uint8 SRTPProtectionProfile[2];
799 *
800 * struct {
801 * SRTPProtectionProfiles SRTPProtectionProfiles;
802 * opaque srtp_mki<0..255>;
803 * } UseSRTPData;
804
805 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
806 */
807
808 /*
809 * Min length is 5: at least one protection profile(2 bytes)
810 * and length(2 bytes) + srtp_mki length(1 byte)
811 * Check here that we have at least 2 bytes of protection profiles length
812 * and one of srtp_mki length
813 */
814 if( len < size_of_lengths )
815 {
816 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
817 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
818 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
819 }
820
821 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
822
823 /* first 2 bytes are protection profile length(in bytes) */
824 profile_length = ( buf[0] << 8 ) | buf[1];
825 buf += 2;
826
827 /* The profile length cannot be bigger than input buffer size - lengths fields */
828 if( profile_length > len - size_of_lengths ||
829 profile_length % 2 != 0 ) /* profiles are 2 bytes long, so the length must be even */
830 {
831 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
832 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
833 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
834 }
835 /*
836 * parse the extension list values are defined in
837 * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
838 */
839 for( j = 0; j < profile_length; j += 2 )
840 {
841 uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
842 client_protection = mbedtls_ssl_check_srtp_profile_value( protection_profile_value );
843
844 if( client_protection != MBEDTLS_TLS_SRTP_UNSET )
845 {
846 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s",
847 mbedtls_ssl_get_srtp_profile_as_string(
848 client_protection ) ) );
849 }
850 else
851 {
852 continue;
853 }
854 /* check if suggested profile is in our list */
855 for( i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++)
856 {
857 if( client_protection == ssl->conf->dtls_srtp_profile_list[i] )
858 {
859 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s",
861 mbedtls_ssl_get_srtp_profile_as_string(
862 client_protection ) ) );
863 break;
864 }
865 }
866 if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET )
867 break;
868 }
869 buf += profile_length; /* buf points to the mki length */
870 mki_length = *buf;
871 buf++;
872
873 if( mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
874 mki_length + profile_length + size_of_lengths != len )
875 {
876 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
877 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
878 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
879 }
880
881 /* Parse the mki only if present and mki is supported locally */
882 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
883 mki_length > 0 )
884 {
885 ssl->dtls_srtp_info.mki_len = mki_length;
886
887 memcpy( ssl->dtls_srtp_info.mki_value, buf, mki_length );
888
889 MBEDTLS_SSL_DEBUG_BUF( 3, "using mki", ssl->dtls_srtp_info.mki_value,
890 ssl->dtls_srtp_info.mki_len );
891 }
892
893 return( 0 );
894 }
895 #endif /* MBEDTLS_SSL_DTLS_SRTP */
896
897 /*
898 * Auxiliary functions for ServerHello parsing and related actions
899 */
900
901 #if defined(MBEDTLS_X509_CRT_PARSE_C)
902 /*
903 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
904 */
905 #if defined(MBEDTLS_ECDSA_C)
ssl_check_key_curve(mbedtls_pk_context * pk,const mbedtls_ecp_curve_info ** curves)906 static int ssl_check_key_curve( mbedtls_pk_context *pk,
907 const mbedtls_ecp_curve_info **curves )
908 {
909 const mbedtls_ecp_curve_info **crv = curves;
910 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
911
912 while( *crv != NULL )
913 {
914 if( (*crv)->grp_id == grp_id )
915 return( 0 );
916 crv++;
917 }
918
919 return( -1 );
920 }
921 #endif /* MBEDTLS_ECDSA_C */
922
923 /*
924 * Try picking a certificate for this ciphersuite,
925 * return 0 on success and -1 on failure.
926 */
ssl_pick_cert(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)927 static int ssl_pick_cert( mbedtls_ssl_context *ssl,
928 const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
929 {
930 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
931 mbedtls_pk_type_t pk_alg =
932 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
933 uint32_t flags;
934
935 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
936 if( ssl->handshake->sni_key_cert != NULL )
937 list = ssl->handshake->sni_key_cert;
938 else
939 #endif
940 list = ssl->conf->key_cert;
941
942 if( pk_alg == MBEDTLS_PK_NONE )
943 return( 0 );
944
945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
946
947 if( list == NULL )
948 {
949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
950 return( -1 );
951 }
952
953 for( cur = list; cur != NULL; cur = cur->next )
954 {
955 flags = 0;
956 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
957 cur->cert );
958
959 if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
960 {
961 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
962 continue;
963 }
964
965 /*
966 * This avoids sending the client a cert it'll reject based on
967 * keyUsage or other extensions.
968 *
969 * It also allows the user to provision different certificates for
970 * different uses based on keyUsage, eg if they want to avoid signing
971 * and decrypting with the same RSA key.
972 */
973 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
974 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
975 {
976 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
977 "(extended) key usage extension" ) );
978 continue;
979 }
980
981 #if defined(MBEDTLS_ECDSA_C)
982 if( pk_alg == MBEDTLS_PK_ECDSA &&
983 ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
984 {
985 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
986 continue;
987 }
988 #endif
989
990 /*
991 * Try to select a SHA-1 certificate for pre-1.2 clients, but still
992 * present them a SHA-higher cert rather than failing if it's the only
993 * one we got that satisfies the other conditions.
994 */
995 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
996 cur->cert->sig_md != MBEDTLS_MD_SHA1 )
997 {
998 if( fallback == NULL )
999 fallback = cur;
1000 {
1001 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
1002 "sha-2 with pre-TLS 1.2 client" ) );
1003 continue;
1004 }
1005 }
1006
1007 /* If we get there, we got a winner */
1008 break;
1009 }
1010
1011 if( cur == NULL )
1012 cur = fallback;
1013
1014 /* Do not update ssl->handshake->key_cert unless there is a match */
1015 if( cur != NULL )
1016 {
1017 ssl->handshake->key_cert = cur;
1018 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
1019 ssl->handshake->key_cert->cert );
1020 return( 0 );
1021 }
1022
1023 return( -1 );
1024 }
1025 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1026
1027 /*
1028 * Check if a given ciphersuite is suitable for use with our config/keys/etc
1029 * Sets ciphersuite_info only if the suite matches.
1030 */
ssl_ciphersuite_match(mbedtls_ssl_context * ssl,int suite_id,const mbedtls_ssl_ciphersuite_t ** ciphersuite_info)1031 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
1032 const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
1033 {
1034 const mbedtls_ssl_ciphersuite_t *suite_info;
1035
1036 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1037 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1038 mbedtls_pk_type_t sig_type;
1039 #endif
1040
1041 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
1042 if( suite_info == NULL )
1043 {
1044 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1045 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1046 }
1047
1048 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %#04x (%s)",
1049 (unsigned int) suite_id, suite_info->name ) );
1050
1051 if( suite_info->min_minor_ver > ssl->minor_ver ||
1052 suite_info->max_minor_ver < ssl->minor_ver )
1053 {
1054 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
1055 return( 0 );
1056 }
1057
1058 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1059 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1060 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
1061 return( 0 );
1062 #endif
1063
1064 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1065 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
1066 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
1067 {
1068 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
1069 "not configured or ext missing" ) );
1070 return( 0 );
1071 }
1072 #endif
1073
1074
1075 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1076 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
1077 ( ssl->handshake->curves == NULL ||
1078 ssl->handshake->curves[0] == NULL ) )
1079 {
1080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
1081 "no common elliptic curve" ) );
1082 #if !defined(VENDOR_ONT_CUSTOMIZE_SSL_CIPHERSUIE_MATCH_C)
1083 return( 0 );
1084 #endif
1085 }
1086 #endif
1087
1088 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1089 /* If the ciphersuite requires a pre-shared key and we don't
1090 * have one, skip it now rather than failing later */
1091 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
1092 ssl_conf_has_psk_or_cb( ssl->conf ) == 0 )
1093 {
1094 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
1095 return( 0 );
1096 }
1097 #endif
1098
1099 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1100 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1101 /* If the ciphersuite requires signing, check whether
1102 * a suitable hash algorithm is present. */
1103 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1104 {
1105 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
1106 if( sig_type != MBEDTLS_PK_NONE &&
1107 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
1108 {
1109 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
1110 "for signature algorithm %u", (unsigned) sig_type ) );
1111 return( 0 );
1112 }
1113 }
1114
1115 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1116 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1117
1118 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1119 /*
1120 * Final check: if ciphersuite requires us to have a
1121 * certificate/key of a particular type:
1122 * - select the appropriate certificate if we have one, or
1123 * - try the next ciphersuite if we don't
1124 * This must be done last since we modify the key_cert list.
1125 */
1126 if( ssl_pick_cert( ssl, suite_info ) != 0 )
1127 {
1128 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
1129 "no suitable certificate" ) );
1130 return( 0 );
1131 }
1132 #endif
1133
1134 *ciphersuite_info = suite_info;
1135 return( 0 );
1136 }
1137
1138 /* This function doesn't alert on errors that happen early during
1139 ClientHello parsing because they might indicate that the client is
1140 not talking SSL/TLS at all and would not understand our alert. */
ssl_parse_client_hello(mbedtls_ssl_context * ssl)1141 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
1142 {
1143 int ret, got_common_suite;
1144 size_t i, j;
1145 size_t ciph_offset, comp_offset, ext_offset;
1146 size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
1147 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1148 size_t cookie_offset, cookie_len;
1149 #endif
1150 unsigned char *buf, *p, *ext;
1151 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1152 int renegotiation_info_seen = 0;
1153 #endif
1154 int handshake_failure = 0;
1155 const int *ciphersuites;
1156 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
1157 int major, minor;
1158
1159 /* If there is no signature-algorithm extension present,
1160 * we need to fall back to the default values for allowed
1161 * signature-hash pairs. */
1162 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1163 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1164 int sig_hash_alg_ext_present = 0;
1165 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1166 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1167
1168 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
1169
1170 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1171 read_record_header:
1172 #endif
1173 /*
1174 * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
1175 * otherwise read it ourselves manually in order to support SSLv2
1176 * ClientHello, which doesn't use the same record layer format.
1177 */
1178 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1179 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
1180 #endif
1181 {
1182 #ifdef ESCP_MBDTLS_CUSTOMIZATION
1183 if( ( ret = mbedtls_ssl_fetch_input_expand( ssl, 5 , 0)) != 0 )
1184 #else
1185 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
1186 #endif
1187 {
1188 /* No alert on a read error. */
1189 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1190 return( ret );
1191 }
1192 }
1193
1194 buf = ssl->in_hdr;
1195
1196 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) );
1197
1198 /*
1199 * TLS Client Hello
1200 *
1201 * Record layer:
1202 * 0 . 0 message type
1203 * 1 . 2 protocol version
1204 * 3 . 11 DTLS: epoch + record sequence number
1205 * 3 . 4 message length
1206 */
1207 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, message type: %d",
1208 buf[0] ) );
1209
1210 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
1211 {
1212 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1213 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1214 }
1215
1216 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, message len.: %d",
1217 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
1218
1219 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, protocol version: [%d:%d]",
1220 buf[1], buf[2] ) );
1221
1222 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
1223
1224 /* According to RFC 5246 Appendix E.1, the version here is typically
1225 * "{03,00}, the lowest version number supported by the client, [or] the
1226 * value of ClientHello.client_version", so the only meaningful check here
1227 * is the major version shouldn't be less than 3 */
1228 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
1229 {
1230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1231 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
1232 }
1233
1234 /* For DTLS if this is the initial handshake, remember the client sequence
1235 * number to use it in our next message (RFC 6347 4.2.1) */
1236 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1237 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
1238 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1239 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1240 #endif
1241 )
1242 {
1243 /* Epoch should be 0 for initial handshakes */
1244 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
1245 {
1246 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1247 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1248 }
1249
1250 memcpy( &ssl->cur_out_ctr[2], ssl->in_ctr + 2,
1251 sizeof( ssl->cur_out_ctr ) - 2 );
1252
1253 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1254 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
1255 {
1256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
1257 ssl->next_record_offset = 0;
1258 ssl->in_left = 0;
1259 goto read_record_header;
1260 }
1261
1262 /* No MAC to check yet, so we can update right now */
1263 mbedtls_ssl_dtls_replay_update( ssl );
1264 #endif
1265 }
1266 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1267
1268 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
1269
1270 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1271 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
1272 {
1273 /* Set by mbedtls_ssl_read_record() */
1274 msg_len = ssl->in_hslen;
1275 }
1276 else
1277 #endif
1278 {
1279 if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
1280 {
1281 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1282 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
1283 }
1284
1285 if( ( ret = mbedtls_ssl_fetch_input( ssl,
1286 mbedtls_ssl_in_hdr_len( ssl ) + msg_len ) ) != 0 )
1287 {
1288 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
1289 return( ret );
1290 }
1291
1292 /* Done reading this record, get ready for the next one */
1293 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1294 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1295 ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl );
1296 else
1297 #endif
1298 ssl->in_left = 0;
1299 }
1300
1301 buf = ssl->in_msg;
1302
1303 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
1304
1305 ssl->handshake->update_checksum( ssl, buf, msg_len );
1306
1307 /*
1308 * Handshake layer:
1309 * 0 . 0 handshake type
1310 * 1 . 3 handshake length
1311 * 4 . 5 DTLS only: message seqence number
1312 * 6 . 8 DTLS only: fragment offset
1313 * 9 . 11 DTLS only: fragment length
1314 */
1315 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
1316 {
1317 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1318 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1319 }
1320
1321 {
1322 size_t handshake_len = MBEDTLS_GET_UINT24_BE( buf, 1 );
1323 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %u",
1324 ( unsigned ) handshake_len ) );
1325
1326 /* The record layer has a record size limit of 2^14 - 1 and
1327 * fragmentation is not supported, so buf[1] should be zero. */
1328 if( buf[1] != 0 )
1329 {
1330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message: %u != 0",
1331 (unsigned) buf[1] ) );
1332 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1333 }
1334
1335 /* We don't support fragmentation of ClientHello (yet?) */
1336 if( msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + handshake_len )
1337 {
1338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message: %u != %u + %u",
1339 (unsigned) msg_len,
1340 (unsigned) mbedtls_ssl_hs_hdr_len( ssl ),
1341 (unsigned) handshake_len ) );
1342 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1343 }
1344 }
1345
1346 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1347 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1348 {
1349 /*
1350 * Copy the client's handshake message_seq on initial handshakes,
1351 * check sequence number on renego.
1352 */
1353 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1354 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1355 {
1356 /* This couldn't be done in ssl_prepare_handshake_record() */
1357 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1358 ssl->in_msg[5];
1359
1360 if( cli_msg_seq != ssl->handshake->in_msg_seq )
1361 {
1362 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
1363 "%u (expected %u)", cli_msg_seq,
1364 ssl->handshake->in_msg_seq ) );
1365 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1366 }
1367
1368 ssl->handshake->in_msg_seq++;
1369 }
1370 else
1371 #endif
1372 {
1373 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
1374 ssl->in_msg[5];
1375 ssl->handshake->out_msg_seq = cli_msg_seq;
1376 ssl->handshake->in_msg_seq = cli_msg_seq + 1;
1377 }
1378
1379 /*
1380 * For now we don't support fragmentation, so make sure
1381 * fragment_offset == 0 and fragment_length == length
1382 */
1383 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
1384 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
1385 {
1386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
1387 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
1388 }
1389 }
1390 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1391
1392 buf += mbedtls_ssl_hs_hdr_len( ssl );
1393 msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
1394
1395 /*
1396 * ClientHello layer:
1397 * 0 . 1 protocol version
1398 * 2 . 33 random bytes (starting with 4 bytes of Unix time)
1399 * 34 . 35 session id length (1 byte)
1400 * 35 . 34+x session id
1401 * 35+x . 35+x DTLS only: cookie length (1 byte)
1402 * 36+x . .. DTLS only: cookie
1403 * .. . .. ciphersuite list length (2 bytes)
1404 * .. . .. ciphersuite list
1405 * .. . .. compression alg. list length (1 byte)
1406 * .. . .. compression alg. list
1407 * .. . .. extensions length (2 bytes, optional)
1408 * .. . .. extensions (optional)
1409 */
1410
1411 /*
1412 * Minimal length (with everything empty and extensions omitted) is
1413 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
1414 * read at least up to session id length without worrying.
1415 */
1416 if( msg_len < 38 )
1417 {
1418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1419 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1420 }
1421
1422 /*
1423 * Check and save the protocol version
1424 */
1425 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
1426
1427 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
1428 ssl->conf->transport, buf );
1429 ssl->session_negotiate->minor_ver = ssl->minor_ver;
1430
1431 ssl->handshake->max_major_ver = ssl->major_ver;
1432 ssl->handshake->max_minor_ver = ssl->minor_ver;
1433
1434 if( ssl->major_ver < ssl->conf->min_major_ver ||
1435 ssl->minor_ver < ssl->conf->min_minor_ver )
1436 {
1437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
1438 " [%d:%d] < [%d:%d]",
1439 ssl->major_ver, ssl->minor_ver,
1440 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
1441 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1442 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
1443 return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
1444 }
1445
1446 if( ssl->major_ver > ssl->conf->max_major_ver )
1447 {
1448 ssl->major_ver = ssl->conf->max_major_ver;
1449 ssl->minor_ver = ssl->conf->max_minor_ver;
1450 }
1451 else if( ssl->minor_ver > ssl->conf->max_minor_ver )
1452 ssl->minor_ver = ssl->conf->max_minor_ver;
1453
1454 /*
1455 * Save client random (inc. Unix time)
1456 */
1457 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
1458
1459 memcpy( ssl->handshake->randbytes, buf + 2, 32 );
1460
1461 /*
1462 * Check the session ID length and save session ID
1463 */
1464 sess_len = buf[34];
1465
1466 if( sess_len > sizeof( ssl->session_negotiate->id ) ||
1467 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
1468 {
1469 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1470 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1471 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1472 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1473 }
1474
1475 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
1476
1477 ssl->session_negotiate->id_len = sess_len;
1478 memset( ssl->session_negotiate->id, 0,
1479 sizeof( ssl->session_negotiate->id ) );
1480 memcpy( ssl->session_negotiate->id, buf + 35,
1481 ssl->session_negotiate->id_len );
1482
1483 /*
1484 * Check the cookie length and content
1485 */
1486 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1487 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1488 {
1489 cookie_offset = 35 + sess_len;
1490 cookie_len = buf[cookie_offset];
1491
1492 if( cookie_offset + 1 + cookie_len + 2 > msg_len )
1493 {
1494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1495 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1496 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1497 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1498 }
1499
1500 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
1501 buf + cookie_offset + 1, cookie_len );
1502
1503 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
1504 if( ssl->conf->f_cookie_check != NULL
1505 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1506 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
1507 #endif
1508 )
1509 {
1510 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
1511 buf + cookie_offset + 1, cookie_len,
1512 ssl->cli_id, ssl->cli_id_len ) != 0 )
1513 {
1514 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
1515 ssl->handshake->verify_cookie_len = 1;
1516 }
1517 else
1518 {
1519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
1520 ssl->handshake->verify_cookie_len = 0;
1521 }
1522 }
1523 else
1524 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
1525 {
1526 /* We know we didn't send a cookie, so it should be empty */
1527 if( cookie_len != 0 )
1528 {
1529 /* This may be an attacker's probe, so don't send an alert */
1530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1531 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1532 }
1533
1534 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
1535 }
1536
1537 /*
1538 * Check the ciphersuitelist length (will be parsed later)
1539 */
1540 ciph_offset = cookie_offset + 1 + cookie_len;
1541 }
1542 else
1543 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1544 ciph_offset = 35 + sess_len;
1545
1546 ciph_len = ( buf[ciph_offset + 0] << 8 )
1547 | ( buf[ciph_offset + 1] );
1548
1549 if( ciph_len < 2 ||
1550 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
1551 ( ciph_len % 2 ) != 0 )
1552 {
1553 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1554 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1555 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1556 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1557 }
1558
1559 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
1560 buf + ciph_offset + 2, ciph_len );
1561
1562 /*
1563 * Check the compression algorithms length and pick one
1564 */
1565 comp_offset = ciph_offset + 2 + ciph_len;
1566
1567 comp_len = buf[comp_offset];
1568
1569 if( comp_len < 1 ||
1570 comp_len > 16 ||
1571 comp_len + comp_offset + 1 > msg_len )
1572 {
1573 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1574 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1575 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1576 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1577 }
1578
1579 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
1580 buf + comp_offset + 1, comp_len );
1581
1582 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1583 /* See comments in ssl_write_client_hello() */
1584 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1585 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1586 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
1587 #endif
1588 /*
1589 * Check the extension length
1590 */
1591 ext_offset = comp_offset + 1 + comp_len;
1592 if( msg_len > ext_offset )
1593 {
1594 if( msg_len < ext_offset + 2 )
1595 {
1596 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1597 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1598 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1599 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1600 }
1601
1602 ext_len = ( buf[ext_offset + 0] << 8 )
1603 | ( buf[ext_offset + 1] );
1604
1605 if( msg_len != ext_offset + 2 + ext_len )
1606 {
1607 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1608 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1609 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1610 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1611 }
1612 }
1613 else
1614 ext_len = 0;
1615
1616 ext = buf + ext_offset + 2;
1617 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
1618
1619 while( ext_len != 0 )
1620 {
1621 unsigned int ext_id;
1622 unsigned int ext_size;
1623 if ( ext_len < 4 ) {
1624 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1625 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1626 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1627 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1628 }
1629 ext_id = ( ( ext[0] << 8 ) | ( ext[1] ) );
1630 ext_size = ( ( ext[2] << 8 ) | ( ext[3] ) );
1631
1632 if( ext_size + 4 > ext_len )
1633 {
1634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
1635 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1636 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1637 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1638 }
1639 switch( ext_id )
1640 {
1641 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1642 case MBEDTLS_TLS_EXT_SERVERNAME:
1643 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
1644 if( ssl->conf->f_sni == NULL )
1645 break;
1646
1647 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
1648 if( ret != 0 )
1649 return( ret );
1650 break;
1651 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1652
1653 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
1654 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
1655 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1656 renegotiation_info_seen = 1;
1657 #endif
1658
1659 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
1660 if( ret != 0 )
1661 return( ret );
1662 break;
1663
1664 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1665 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1666 case MBEDTLS_TLS_EXT_SIG_ALG:
1667 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
1668
1669 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
1670 if( ret != 0 )
1671 return( ret );
1672
1673 sig_hash_alg_ext_present = 1;
1674 break;
1675 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1676 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1677
1678 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1679 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1680 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
1681 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
1682
1683 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
1684 if( ret != 0 )
1685 return( ret );
1686 break;
1687
1688 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
1689 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
1690 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
1691
1692 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
1693 if( ret != 0 )
1694 return( ret );
1695 break;
1696 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1697 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1698
1699 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1700 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
1701 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
1702
1703 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
1704 if( ret != 0 )
1705 return( ret );
1706 break;
1707 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1708
1709 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1710 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
1711 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
1712
1713 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
1714 if( ret != 0 )
1715 return( ret );
1716 break;
1717 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1718
1719 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1720 case MBEDTLS_TLS_EXT_CID:
1721 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
1722
1723 ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size );
1724 if( ret != 0 )
1725 return( ret );
1726 break;
1727 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1728
1729 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1730 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
1731 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
1732
1733 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
1734 if( ret != 0 )
1735 return( ret );
1736 break;
1737 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1738
1739 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1740 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
1741 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
1742
1743 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
1744 if( ret != 0 )
1745 return( ret );
1746 break;
1747 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1748
1749 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1750 case MBEDTLS_TLS_EXT_SESSION_TICKET:
1751 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
1752
1753 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
1754 if( ret != 0 )
1755 return( ret );
1756 break;
1757 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1758
1759 #if defined(MBEDTLS_SSL_ALPN)
1760 case MBEDTLS_TLS_EXT_ALPN:
1761 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
1762
1763 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
1764 if( ret != 0 )
1765 return( ret );
1766 break;
1767 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
1768
1769 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1770 case MBEDTLS_TLS_EXT_USE_SRTP:
1771 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
1772
1773 ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size );
1774 if( ret != 0 )
1775 return( ret );
1776 break;
1777 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1778
1779 default:
1780 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %u (ignoring)",
1781 ext_id ) );
1782 }
1783
1784 ext_len -= 4 + ext_size;
1785 ext += 4 + ext_size;
1786 }
1787
1788 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1789 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1790
1791 /*
1792 * Try to fall back to default hash SHA1 if the client
1793 * hasn't provided any preferred signature-hash combinations.
1794 */
1795 if( sig_hash_alg_ext_present == 0 )
1796 {
1797 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
1798
1799 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
1800 md_default = MBEDTLS_MD_NONE;
1801
1802 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
1803 }
1804
1805 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1806 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1807
1808 /*
1809 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1810 */
1811 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
1812 {
1813 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
1814 {
1815 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
1816 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1817 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1818 {
1819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
1820 "during renegotiation" ) );
1821 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1822 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1823 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1824 }
1825 #endif
1826 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1827 break;
1828 }
1829 }
1830
1831 /*
1832 * Renegotiation security checks
1833 */
1834 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1835 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
1836 {
1837 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
1838 handshake_failure = 1;
1839 }
1840 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1841 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1842 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1843 renegotiation_info_seen == 0 )
1844 {
1845 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
1846 handshake_failure = 1;
1847 }
1848 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1849 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1850 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
1851 {
1852 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
1853 handshake_failure = 1;
1854 }
1855 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1856 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1857 renegotiation_info_seen == 1 )
1858 {
1859 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
1860 handshake_failure = 1;
1861 }
1862 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1863
1864 if( handshake_failure == 1 )
1865 {
1866 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1867 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1868 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1869 }
1870
1871 /*
1872 * Search for a matching ciphersuite
1873 * (At the end because we need information from the EC-based extensions
1874 * and certificate from the SNI callback triggered by the SNI extension.)
1875 */
1876 got_common_suite = 0;
1877 ciphersuites = ssl->conf->ciphersuite_list;
1878 ciphersuite_info = NULL;
1879
1880 if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
1881 {
1882 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
1883 for( i = 0; ciphersuites[i] != 0; i++ )
1884 {
1885 if( MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i] )
1886 continue;
1887
1888 got_common_suite = 1;
1889
1890 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1891 &ciphersuite_info ) ) != 0 )
1892 return( ret );
1893
1894 if( ciphersuite_info != NULL )
1895 goto have_ciphersuite;
1896 }
1897 } else {
1898 for( i = 0; ciphersuites[i] != 0; i++ )
1899 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
1900 {
1901 if( MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i] )
1902 continue;
1903
1904 got_common_suite = 1;
1905
1906 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
1907 &ciphersuite_info ) ) != 0 )
1908 return( ret );
1909
1910 if( ciphersuite_info != NULL )
1911 goto have_ciphersuite;
1912 }
1913 }
1914
1915 if( got_common_suite )
1916 {
1917 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
1918 "but none of them usable" ) );
1919 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1920 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1921 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1922 }
1923 else
1924 {
1925 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
1926 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1927 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
1928 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
1929 }
1930
1931 have_ciphersuite:
1932 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
1933
1934 ssl->session_negotiate->ciphersuite = ciphersuites[i];
1935 ssl->handshake->ciphersuite_info = ciphersuite_info;
1936
1937 ssl->state++;
1938
1939 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1940 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1941 mbedtls_ssl_recv_flight_completed( ssl );
1942 #endif
1943
1944 /* Debugging-only output for testsuite */
1945 #if defined(MBEDTLS_DEBUG_C) && \
1946 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1947 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1948 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1949 {
1950 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
1951 if( sig_alg != MBEDTLS_PK_NONE )
1952 {
1953 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
1954 sig_alg );
1955 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
1956 mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
1957 }
1958 else
1959 {
1960 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
1961 "%u - should not happen", (unsigned) sig_alg ) );
1962 }
1963 }
1964 #endif
1965
1966 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
1967
1968 return( 0 );
1969 }
1970
1971 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl_write_cid_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)1972 static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
1973 unsigned char *buf,
1974 size_t *olen )
1975 {
1976 unsigned char *p = buf;
1977 size_t ext_len;
1978 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
1979
1980 *olen = 0;
1981
1982 /* Skip writing the extension if we don't want to use it or if
1983 * the client hasn't offered it. */
1984 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED )
1985 return;
1986
1987 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
1988 * which is at most 255, so the increment cannot overflow. */
1989 if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
1990 {
1991 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
1992 return;
1993 }
1994
1995 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) );
1996
1997 /*
1998 * Quoting draft-ietf-tls-dtls-connection-id-05
1999 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
2000 *
2001 * struct {
2002 * opaque cid<0..2^8-1>;
2003 * } ConnectionId;
2004 */
2005 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_CID, p, 0 );
2006 p += 2;
2007 ext_len = (size_t) ssl->own_cid_len + 1;
2008 MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
2009 p += 2;
2010
2011 *p++ = (uint8_t) ssl->own_cid_len;
2012 memcpy( p, ssl->own_cid, ssl->own_cid_len );
2013
2014 *olen = ssl->own_cid_len + 5;
2015 }
2016 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2017
2018 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2019 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
2020 unsigned char *buf,
2021 size_t *olen )
2022 {
2023 unsigned char *p = buf;
2024 const mbedtls_ssl_ciphersuite_t *suite = NULL;
2025 const mbedtls_cipher_info_t *cipher = NULL;
2026
2027 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
2028 {
2029 *olen = 0;
2030 return;
2031 }
2032
2033 /*
2034 * RFC 7366: "If a server receives an encrypt-then-MAC request extension
2035 * from a client and then selects a stream or Authenticated Encryption
2036 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
2037 * encrypt-then-MAC response extension back to the client."
2038 */
2039 if( ( suite = mbedtls_ssl_ciphersuite_from_id(
2040 ssl->session_negotiate->ciphersuite ) ) == NULL ||
2041 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
2042 cipher->mode != MBEDTLS_MODE_CBC )
2043 {
2044 *olen = 0;
2045 return;
2046 }
2047
2048 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
2049
2050 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0 );
2051 p += 2;
2052
2053 *p++ = 0x00;
2054 *p++ = 0x00;
2055
2056 *olen = 4;
2057 }
2058 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2059
2060 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
ssl_write_extended_ms_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2061 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
2062 unsigned char *buf,
2063 size_t *olen )
2064 {
2065 unsigned char *p = buf;
2066
2067 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
2068 {
2069 *olen = 0;
2070 return;
2071 }
2072
2073 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
2074 "extension" ) );
2075
2076 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0 );
2077 p += 2;
2078
2079 *p++ = 0x00;
2080 *p++ = 0x00;
2081
2082 *olen = 4;
2083 }
2084 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2085
2086 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_session_ticket_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2087 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
2088 unsigned char *buf,
2089 size_t *olen )
2090 {
2091 unsigned char *p = buf;
2092
2093 if( ssl->handshake->new_session_ticket == 0 )
2094 {
2095 *olen = 0;
2096 return;
2097 }
2098
2099 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
2100
2101 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0 );
2102 p += 2;
2103
2104 *p++ = 0x00;
2105 *p++ = 0x00;
2106
2107 *olen = 4;
2108 }
2109 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2110
ssl_write_renegotiation_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2111 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
2112 unsigned char *buf,
2113 size_t *olen )
2114 {
2115 unsigned char *p = buf;
2116
2117 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
2118 {
2119 *olen = 0;
2120 return;
2121 }
2122
2123 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
2124
2125 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0 );
2126 p += 2;
2127
2128 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2129 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
2130 {
2131 *p++ = 0x00;
2132 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
2133 *p++ = ssl->verify_data_len * 2 & 0xFF;
2134
2135 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
2136 p += ssl->verify_data_len;
2137 memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
2138 p += ssl->verify_data_len;
2139 }
2140 else
2141 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2142 {
2143 *p++ = 0x00;
2144 *p++ = 0x01;
2145 *p++ = 0x00;
2146 }
2147
2148 *olen = p - buf;
2149 }
2150
2151 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
ssl_write_max_fragment_length_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2152 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
2153 unsigned char *buf,
2154 size_t *olen )
2155 {
2156 unsigned char *p = buf;
2157
2158 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
2159 {
2160 *olen = 0;
2161 return;
2162 }
2163
2164 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
2165
2166 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 );
2167 p += 2;
2168
2169 *p++ = 0x00;
2170 *p++ = 1;
2171
2172 *p++ = ssl->session_negotiate->mfl_code;
2173
2174 *olen = 5;
2175 }
2176 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2177
2178 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2179 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_supported_point_formats_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2180 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
2181 unsigned char *buf,
2182 size_t *olen )
2183 {
2184 unsigned char *p = buf;
2185 ((void) ssl);
2186
2187 if( ( ssl->handshake->cli_exts &
2188 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
2189 {
2190 *olen = 0;
2191 return;
2192 }
2193
2194 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
2195
2196 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0 );
2197 p += 2;
2198
2199 *p++ = 0x00;
2200 *p++ = 2;
2201
2202 *p++ = 1;
2203 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
2204
2205 *olen = 6;
2206 }
2207 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2208
2209 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2210 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
2211 unsigned char *buf,
2212 size_t *olen )
2213 {
2214 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2215 unsigned char *p = buf;
2216 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2217 size_t kkpp_len;
2218
2219 *olen = 0;
2220
2221 /* Skip costly computation if not needed */
2222 if( ssl->handshake->ciphersuite_info->key_exchange !=
2223 MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2224 return;
2225
2226 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
2227
2228 if( end - p < 4 )
2229 {
2230 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2231 return;
2232 }
2233
2234 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 );
2235 p += 2;
2236
2237 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
2238 p + 2, end - p - 2, &kkpp_len,
2239 ssl->conf->f_rng, ssl->conf->p_rng );
2240 if( ret != 0 )
2241 {
2242 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
2243 return;
2244 }
2245
2246 MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 );
2247 p += 2;
2248
2249 *olen = kkpp_len + 4;
2250 }
2251 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2252
2253 #if defined(MBEDTLS_SSL_ALPN )
ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2254 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2255 unsigned char *buf, size_t *olen )
2256 {
2257 if( ssl->alpn_chosen == NULL )
2258 {
2259 *olen = 0;
2260 return;
2261 }
2262
2263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
2264
2265 /*
2266 * 0 . 1 ext identifier
2267 * 2 . 3 ext length
2268 * 4 . 5 protocol list length
2269 * 6 . 6 protocol name length
2270 * 7 . 7+n protocol name
2271 */
2272 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, buf, 0);
2273
2274 *olen = 7 + strlen( ssl->alpn_chosen );
2275
2276 MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 );
2277
2278 MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 );
2279
2280 buf[6] = MBEDTLS_BYTE_0( *olen - 7 );
2281
2282 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
2283 }
2284 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
2285
2286 #if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS)
ssl_write_use_srtp_ext(mbedtls_ssl_context * ssl,unsigned char * buf,size_t * olen)2287 static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
2288 unsigned char *buf,
2289 size_t *olen )
2290 {
2291 size_t mki_len = 0, ext_len = 0;
2292 uint16_t profile_value = 0;
2293 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2294
2295 *olen = 0;
2296
2297 if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
2298 ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET ) )
2299 {
2300 return;
2301 }
2302
2303 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding use_srtp extension" ) );
2304
2305 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
2306 {
2307 mki_len = ssl->dtls_srtp_info.mki_len;
2308 }
2309
2310 /* The extension total size is 9 bytes :
2311 * - 2 bytes for the extension tag
2312 * - 2 bytes for the total size
2313 * - 2 bytes for the protection profile length
2314 * - 2 bytes for the protection profile
2315 * - 1 byte for the mki length
2316 * + the actual mki length
2317 * Check we have enough room in the output buffer */
2318 if( (size_t)( end - buf ) < mki_len + 9 )
2319 {
2320 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
2321 return;
2322 }
2323
2324 /* extension */
2325 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0 );
2326 /*
2327 * total length 5 and mki value: only one profile(2 bytes)
2328 * and length(2 bytes) and srtp_mki )
2329 */
2330 ext_len = 5 + mki_len;
2331 MBEDTLS_PUT_UINT16_BE( ext_len, buf, 2 );
2332
2333 /* protection profile length: 2 */
2334 buf[4] = 0x00;
2335 buf[5] = 0x02;
2336 profile_value = mbedtls_ssl_check_srtp_profile_value(
2337 ssl->dtls_srtp_info.chosen_dtls_srtp_profile );
2338 if( profile_value != MBEDTLS_TLS_SRTP_UNSET )
2339 {
2340 MBEDTLS_PUT_UINT16_BE( profile_value, buf, 6 );
2341 }
2342 else
2343 {
2344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "use_srtp extension invalid profile" ) );
2345 return;
2346 }
2347
2348 buf[8] = mki_len & 0xFF;
2349 memcpy( &buf[9], ssl->dtls_srtp_info.mki_value, mki_len );
2350
2351 *olen = 9 + mki_len;
2352 }
2353 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2354
2355 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
ssl_write_hello_verify_request(mbedtls_ssl_context * ssl)2356 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
2357 {
2358 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2359 unsigned char *p = ssl->out_msg + 4;
2360 unsigned char *cookie_len_byte;
2361
2362 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
2363
2364 /*
2365 * struct {
2366 * ProtocolVersion server_version;
2367 * opaque cookie<0..2^8-1>;
2368 * } HelloVerifyRequest;
2369 */
2370
2371 /* The RFC is not clear on this point, but sending the actual negotiated
2372 * version looks like the most interoperable thing to do. */
2373 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2374 ssl->conf->transport, p );
2375 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
2376 p += 2;
2377
2378 /* If we get here, f_cookie_check is not null */
2379 if( ssl->conf->f_cookie_write == NULL )
2380 {
2381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
2382 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2383 }
2384
2385 /* Skip length byte until we know the length */
2386 cookie_len_byte = p++;
2387
2388 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
2389 &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
2390 ssl->cli_id, ssl->cli_id_len ) ) != 0 )
2391 {
2392 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
2393 return( ret );
2394 }
2395
2396 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
2397
2398 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
2399
2400 ssl->out_msglen = p - ssl->out_msg;
2401 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2402 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
2403
2404 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
2405
2406 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
2407 {
2408 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
2409 return( ret );
2410 }
2411
2412 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2413 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2414 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2415 {
2416 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2417 return( ret );
2418 }
2419 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2420
2421 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
2422
2423 return( 0 );
2424 }
2425 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2426
ssl_handle_id_based_session_resumption(mbedtls_ssl_context * ssl)2427 static void ssl_handle_id_based_session_resumption( mbedtls_ssl_context *ssl )
2428 {
2429 int ret;
2430 mbedtls_ssl_session session_tmp;
2431 mbedtls_ssl_session * const session = ssl->session_negotiate;
2432
2433 /* Resume is 0 by default, see ssl_handshake_init().
2434 * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
2435 if( ssl->handshake->resume == 1 )
2436 return;
2437 if( session->id_len == 0 )
2438 return;
2439 if( ssl->conf->f_get_cache == NULL )
2440 return;
2441 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2442 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
2443 return;
2444 #endif
2445
2446 mbedtls_ssl_session_init( &session_tmp );
2447
2448 ret = ssl->conf->f_get_cache( ssl->conf->p_cache,
2449 session->id,
2450 session->id_len,
2451 &session_tmp );
2452 if( ret != 0 )
2453 goto exit;
2454
2455 if( session->ciphersuite != session_tmp.ciphersuite ||
2456 session->compression != session_tmp.compression )
2457 {
2458 /* Mismatch between cached and negotiated session */
2459 goto exit;
2460 }
2461
2462 /* Move semantics */
2463 mbedtls_ssl_session_free( session );
2464 *session = session_tmp;
2465 memset( &session_tmp, 0, sizeof( session_tmp ) );
2466
2467 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
2468 ssl->handshake->resume = 1;
2469
2470 exit:
2471
2472 mbedtls_ssl_session_free( &session_tmp );
2473 }
2474
ssl_write_server_hello(mbedtls_ssl_context * ssl)2475 static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
2476 {
2477 #if defined(MBEDTLS_HAVE_TIME)
2478 mbedtls_time_t t;
2479 #endif
2480 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2481 size_t olen, ext_len = 0, n;
2482 unsigned char *buf, *p;
2483
2484 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
2485
2486 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2487 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2488 ssl->handshake->verify_cookie_len != 0 )
2489 {
2490 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
2491 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2492
2493 return( ssl_write_hello_verify_request( ssl ) );
2494 }
2495 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2496
2497 if( ssl->conf->f_rng == NULL )
2498 {
2499 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
2500 return( MBEDTLS_ERR_SSL_NO_RNG );
2501 }
2502
2503 /*
2504 * 0 . 0 handshake type
2505 * 1 . 3 handshake length
2506 * 4 . 5 protocol version
2507 * 6 . 9 UNIX time()
2508 * 10 . 37 random bytes
2509 */
2510 buf = ssl->out_msg;
2511 p = buf + 4;
2512
2513 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2514 ssl->conf->transport, p );
2515 p += 2;
2516
2517 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
2518 buf[4], buf[5] ) );
2519
2520 #if defined(MBEDTLS_HAVE_TIME)
2521 t = mbedtls_time( NULL );
2522 MBEDTLS_PUT_UINT32_BE( t, p, 0 );
2523 p += 4;
2524
2525 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
2526 (long long) t ) );
2527 #else
2528 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
2529 return( ret );
2530
2531 p += 4;
2532 #endif /* MBEDTLS_HAVE_TIME */
2533
2534 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
2535 return( ret );
2536
2537 p += 28;
2538
2539 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
2540
2541 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
2542
2543 ssl_handle_id_based_session_resumption( ssl );
2544
2545 if( ssl->handshake->resume == 0 )
2546 {
2547 /*
2548 * New session, create a new session id,
2549 * unless we're about to issue a session ticket
2550 */
2551 ssl->state++;
2552
2553 #if defined(MBEDTLS_HAVE_TIME)
2554 ssl->session_negotiate->start = mbedtls_time( NULL );
2555 #endif
2556
2557 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2558 if( ssl->handshake->new_session_ticket != 0 )
2559 {
2560 ssl->session_negotiate->id_len = n = 0;
2561 memset( ssl->session_negotiate->id, 0, 32 );
2562 }
2563 else
2564 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
2565 {
2566 ssl->session_negotiate->id_len = n = 32;
2567 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
2568 n ) ) != 0 )
2569 return( ret );
2570 }
2571 }
2572 else
2573 {
2574 /*
2575 * Resuming a session
2576 */
2577 n = ssl->session_negotiate->id_len;
2578 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2579
2580 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
2581 {
2582 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
2583 return( ret );
2584 }
2585 }
2586
2587 /*
2588 * 38 . 38 session id length
2589 * 39 . 38+n session id
2590 * 39+n . 40+n chosen ciphersuite
2591 * 41+n . 41+n chosen compression alg.
2592 * 42+n . 43+n extensions length
2593 * 44+n . 43+n+m extensions
2594 */
2595 *p++ = (unsigned char) ssl->session_negotiate->id_len;
2596 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
2597 p += ssl->session_negotiate->id_len;
2598
2599 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
2600 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
2601 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
2602 ssl->handshake->resume ? "a" : "no" ) );
2603
2604 MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
2605 p += 2;
2606 *p++ = MBEDTLS_BYTE_0( ssl->session_negotiate->compression );
2607
2608 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
2609 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
2610 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
2611 (unsigned int) ssl->session_negotiate->compression ) );
2612
2613 /*
2614 * First write extensions, then the total length
2615 */
2616 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
2617 ext_len += olen;
2618
2619 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2620 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
2621 ext_len += olen;
2622 #endif
2623
2624 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2625 ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
2626 ext_len += olen;
2627 #endif
2628
2629 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2630 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
2631 ext_len += olen;
2632 #endif
2633
2634 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2635 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
2636 ext_len += olen;
2637 #endif
2638
2639 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2640 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
2641 ext_len += olen;
2642 #endif
2643
2644 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2645 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2646 if ( mbedtls_ssl_ciphersuite_uses_ec(
2647 mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
2648 {
2649 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
2650 ext_len += olen;
2651 }
2652 #endif
2653
2654 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2655 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
2656 ext_len += olen;
2657 #endif
2658
2659 #if defined(MBEDTLS_SSL_ALPN)
2660 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
2661 ext_len += olen;
2662 #endif
2663
2664 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2665 ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, &olen );
2666 ext_len += olen;
2667 #endif
2668
2669 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2670 ext_len ) );
2671
2672 if( ext_len > 0 )
2673 {
2674 MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
2675 p += 2 + ext_len;
2676 }
2677
2678 ssl->out_msglen = p - buf;
2679 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2680 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
2681
2682 ret = mbedtls_ssl_write_handshake_msg( ssl );
2683
2684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
2685
2686 return( ret );
2687 }
2688
2689 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2690 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2691 {
2692 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2693 ssl->handshake->ciphersuite_info;
2694
2695 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2696
2697 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2698 {
2699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2700 ssl->state++;
2701 return( 0 );
2702 }
2703
2704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2705 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2706 }
2707 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
ssl_write_certificate_request(mbedtls_ssl_context * ssl)2708 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
2709 {
2710 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2711 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2712 ssl->handshake->ciphersuite_info;
2713 uint16_t dn_size, total_dn_size; /* excluding length bytes */
2714 size_t ct_len, sa_len; /* including length bytes */
2715 unsigned char *buf, *p;
2716 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2717 const mbedtls_x509_crt *crt;
2718 int authmode;
2719
2720 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
2721
2722 ssl->state++;
2723
2724 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2725 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
2726 authmode = ssl->handshake->sni_authmode;
2727 else
2728 #endif
2729 authmode = ssl->conf->authmode;
2730
2731 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
2732 authmode == MBEDTLS_SSL_VERIFY_NONE )
2733 {
2734 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
2735 return( 0 );
2736 }
2737
2738 /*
2739 * 0 . 0 handshake type
2740 * 1 . 3 handshake length
2741 * 4 . 4 cert type count
2742 * 5 .. m-1 cert types
2743 * m .. m+1 sig alg length (TLS 1.2 only)
2744 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only)
2745 * n .. n+1 length of all DNs
2746 * n+2 .. n+3 length of DN 1
2747 * n+4 .. ... Distinguished Name #1
2748 * ... .. ... length of DN 2, etc.
2749 */
2750 buf = ssl->out_msg;
2751 p = buf + 4;
2752
2753 /*
2754 * Supported certificate types
2755 *
2756 * ClientCertificateType certificate_types<1..2^8-1>;
2757 * enum { (255) } ClientCertificateType;
2758 */
2759 ct_len = 0;
2760
2761 #if defined(MBEDTLS_RSA_C)
2762 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
2763 #endif
2764 #if defined(MBEDTLS_ECDSA_C)
2765 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
2766 #endif
2767
2768 p[0] = (unsigned char) ct_len++;
2769 p += ct_len;
2770
2771 sa_len = 0;
2772 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2773 /*
2774 * Add signature_algorithms for verify (TLS 1.2)
2775 *
2776 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
2777 *
2778 * struct {
2779 * HashAlgorithm hash;
2780 * SignatureAlgorithm signature;
2781 * } SignatureAndHashAlgorithm;
2782 *
2783 * enum { (255) } HashAlgorithm;
2784 * enum { (255) } SignatureAlgorithm;
2785 */
2786 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
2787 {
2788 const int *cur;
2789
2790 /*
2791 * Supported signature algorithms
2792 */
2793 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
2794 {
2795 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
2796
2797 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
2798 continue;
2799
2800 #if defined(MBEDTLS_RSA_C)
2801 p[2 + sa_len++] = hash;
2802 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
2803 #endif
2804 #if defined(MBEDTLS_ECDSA_C)
2805 p[2 + sa_len++] = hash;
2806 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
2807 #endif
2808 }
2809
2810 MBEDTLS_PUT_UINT16_BE( sa_len, p, 0 );
2811 sa_len += 2;
2812 p += sa_len;
2813 }
2814 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2815
2816 /*
2817 * DistinguishedName certificate_authorities<0..2^16-1>;
2818 * opaque DistinguishedName<1..2^16-1>;
2819 */
2820 p += 2;
2821
2822 total_dn_size = 0;
2823
2824 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
2825 {
2826 /* NOTE: If trusted certificates are provisioned
2827 * via a CA callback (configured through
2828 * `mbedtls_ssl_conf_ca_cb()`, then the
2829 * CertificateRequest is currently left empty. */
2830
2831 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2832 if( ssl->handshake->sni_ca_chain != NULL )
2833 crt = ssl->handshake->sni_ca_chain;
2834 else
2835 #endif
2836 crt = ssl->conf->ca_chain;
2837
2838 while( crt != NULL && crt->version != 0 )
2839 {
2840 /* It follows from RFC 5280 A.1 that this length
2841 * can be represented in at most 11 bits. */
2842 dn_size = (uint16_t) crt->subject_raw.len;
2843
2844 if( end < p || (size_t)( end - p ) < 2 + (size_t) dn_size )
2845 {
2846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
2847 break;
2848 }
2849
2850 MBEDTLS_PUT_UINT16_BE( dn_size, p, 0 );
2851 p += 2;
2852 memcpy( p, crt->subject_raw.p, dn_size );
2853 p += dn_size;
2854
2855 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
2856
2857 total_dn_size += 2 + dn_size;
2858 crt = crt->next;
2859 }
2860 }
2861
2862 ssl->out_msglen = p - buf;
2863 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2864 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
2865 MBEDTLS_PUT_UINT16_BE( total_dn_size, ssl->out_msg, 4 + ct_len + sa_len );
2866
2867 ret = mbedtls_ssl_write_handshake_msg( ssl );
2868
2869 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
2870
2871 return( ret );
2872 }
2873 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
2874
2875 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2876 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
ssl_get_ecdh_params_from_cert(mbedtls_ssl_context * ssl)2877 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2878 {
2879 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2880
2881 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
2882 {
2883 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2884 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
2885 }
2886
2887 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
2888 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
2889 MBEDTLS_ECDH_OURS ) ) != 0 )
2890 {
2891 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2892 return( ret );
2893 }
2894
2895 return( 0 );
2896 }
2897 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2898 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2899
2900 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
2901 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
ssl_resume_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)2902 static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
2903 size_t *signature_len )
2904 {
2905 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
2906 * signature length which will be added in ssl_write_server_key_exchange
2907 * after the call to ssl_prepare_server_key_exchange.
2908 * ssl_write_server_key_exchange also takes care of incrementing
2909 * ssl->out_msglen. */
2910 unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
2911 size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
2912 - sig_start );
2913 int ret = ssl->conf->f_async_resume( ssl,
2914 sig_start, signature_len, sig_max_len );
2915 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
2916 {
2917 ssl->handshake->async_in_progress = 0;
2918 mbedtls_ssl_set_async_operation_data( ssl, NULL );
2919 }
2920 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
2921 return( ret );
2922 }
2923 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
2924 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
2925
2926 /* Prepare the ServerKeyExchange message, up to and including
2927 * calculating the signature if any, but excluding formatting the
2928 * signature and sending the message. */
ssl_prepare_server_key_exchange(mbedtls_ssl_context * ssl,size_t * signature_len)2929 static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
2930 size_t *signature_len )
2931 {
2932 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2933 ssl->handshake->ciphersuite_info;
2934
2935 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
2936 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2937 unsigned char *dig_signed = NULL;
2938 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2939 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
2940
2941 (void) ciphersuite_info; /* unused in some configurations */
2942 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2943 (void) signature_len;
2944 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
2945
2946 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
2947 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2948 size_t out_buf_len = ssl->out_buf_len - ( ssl->out_msg - ssl->out_buf );
2949 #else
2950 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - ( ssl->out_msg - ssl->out_buf );
2951 #endif
2952 #endif
2953
2954 ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
2955
2956 /*
2957 *
2958 * Part 1: Provide key exchange parameters for chosen ciphersuite.
2959 *
2960 */
2961
2962 /*
2963 * - ECJPAKE key exchanges
2964 */
2965 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2966 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2967 {
2968 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2969 size_t len = 0;
2970
2971 ret = mbedtls_ecjpake_write_round_two(
2972 &ssl->handshake->ecjpake_ctx,
2973 ssl->out_msg + ssl->out_msglen,
2974 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
2975 ssl->conf->f_rng, ssl->conf->p_rng );
2976 if( ret != 0 )
2977 {
2978 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
2979 return( ret );
2980 }
2981
2982 ssl->out_msglen += len;
2983 }
2984 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2985
2986 /*
2987 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
2988 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
2989 * we use empty support identity hints here.
2990 **/
2991 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
2992 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2993 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2994 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2995 {
2996 ssl->out_msg[ssl->out_msglen++] = 0x00;
2997 ssl->out_msg[ssl->out_msglen++] = 0x00;
2998 }
2999 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
3000 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3001
3002 /*
3003 * - DHE key exchanges
3004 */
3005 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
3006 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
3007 {
3008 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3009 size_t len = 0;
3010
3011 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
3012 {
3013 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
3014 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3015 }
3016
3017 /*
3018 * Ephemeral DH parameters:
3019 *
3020 * struct {
3021 * opaque dh_p<1..2^16-1>;
3022 * opaque dh_g<1..2^16-1>;
3023 * opaque dh_Ys<1..2^16-1>;
3024 * } ServerDHParams;
3025 */
3026 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
3027 &ssl->conf->dhm_P,
3028 &ssl->conf->dhm_G ) ) != 0 )
3029 {
3030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
3031 return( ret );
3032 }
3033
3034 if( ( ret = mbedtls_dhm_make_params(
3035 &ssl->handshake->dhm_ctx,
3036 (int) mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx ),
3037 ssl->out_msg + ssl->out_msglen, &len,
3038 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3039 {
3040 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
3041 return( ret );
3042 }
3043
3044 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3045 dig_signed = ssl->out_msg + ssl->out_msglen;
3046 #endif
3047
3048 ssl->out_msglen += len;
3049
3050 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3051 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
3052 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
3053 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3054 }
3055 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
3056
3057 /*
3058 * - ECDHE key exchanges
3059 */
3060 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
3061 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
3062 {
3063 /*
3064 * Ephemeral ECDH parameters:
3065 *
3066 * struct {
3067 * ECParameters curve_params;
3068 * ECPoint public;
3069 * } ServerECDHParams;
3070 */
3071 const mbedtls_ecp_curve_info **curve = NULL;
3072 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
3073 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3074 size_t len = 0;
3075
3076 /* Match our preference list against the offered curves */
3077 if( group_list == NULL )
3078 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3079 for( ; *group_list != 0; group_list++ )
3080 #if defined(VENDOR_ONT_CUSTOMIZE_SSL_CIPHERSUIE_MATCH_C)
3081 for( curve = ssl->handshake->curves; (curve != NULL && *curve != NULL); curve++ )
3082 #else
3083 for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
3084 #endif
3085 if( (*curve)->tls_id == *group_list )
3086 goto curve_matching_done;
3087
3088 curve_matching_done:
3089 if( curve == NULL || *curve == NULL )
3090 {
3091 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
3092 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
3093 }
3094
3095 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
3096
3097 if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
3098 (*curve)->grp_id ) ) != 0 )
3099 {
3100 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
3101 return( ret );
3102 }
3103
3104 if( ( ret = mbedtls_ecdh_make_params(
3105 &ssl->handshake->ecdh_ctx, &len,
3106 ssl->out_msg + ssl->out_msglen,
3107 MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
3108 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3109 {
3110 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
3111 return( ret );
3112 }
3113
3114 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3115 dig_signed = ssl->out_msg + ssl->out_msglen;
3116 #endif
3117
3118 ssl->out_msglen += len;
3119
3120 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3121 MBEDTLS_DEBUG_ECDH_Q );
3122 }
3123 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
3124
3125 /*
3126 *
3127 * Part 2: For key exchanges involving the server signing the
3128 * exchange parameters, compute and add the signature here.
3129 *
3130 */
3131 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3132 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
3133 {
3134 size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
3135 size_t hashlen = 0;
3136 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3137 unsigned char hash[PSA_HASH_MAX_SIZE];
3138 #else
3139 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3140 #endif
3141 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3142
3143 /*
3144 * 2.1: Choose hash algorithm:
3145 * For TLS 1.2, obey signature-hash-algorithm extension
3146 * to choose appropriate hash.
3147 */
3148
3149 mbedtls_md_type_t md_alg;
3150
3151 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3152 mbedtls_pk_type_t sig_alg =
3153 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
3154 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3155 {
3156 /* For TLS 1.2, obey signature-hash-algorithm extension
3157 * (RFC 5246, Sec. 7.4.1.4.1). */
3158 if( sig_alg == MBEDTLS_PK_NONE ||
3159 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
3160 sig_alg ) ) == MBEDTLS_MD_NONE )
3161 {
3162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3163 /* (... because we choose a cipher suite
3164 * only if there is a matching hash.) */
3165 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3166 }
3167 }
3168 else
3169 {
3170 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3171 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3172 }
3173 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3174
3175 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %u for signing", (unsigned) md_alg ) );
3176
3177 /*
3178 * 2.2: Compute the hash to be signed
3179 */
3180 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3181 if( md_alg != MBEDTLS_MD_NONE )
3182 {
3183 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
3184 dig_signed,
3185 dig_signed_len,
3186 md_alg );
3187 if( ret != 0 )
3188 return( ret );
3189 }
3190 else
3191 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3192 {
3193 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3194 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3195 }
3196
3197 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
3198
3199 /*
3200 * 2.3: Compute and add the signature
3201 */
3202 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3203 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
3204 {
3205 /*
3206 * For TLS 1.2, we need to specify signature and hash algorithm
3207 * explicitly through a prefix to the signature.
3208 *
3209 * struct {
3210 * HashAlgorithm hash;
3211 * SignatureAlgorithm signature;
3212 * } SignatureAndHashAlgorithm;
3213 *
3214 * struct {
3215 * SignatureAndHashAlgorithm algorithm;
3216 * opaque signature<0..2^16-1>;
3217 * } DigitallySigned;
3218 *
3219 */
3220
3221 ssl->out_msg[ssl->out_msglen++] =
3222 mbedtls_ssl_hash_from_md_alg( md_alg );
3223 ssl->out_msg[ssl->out_msglen++] =
3224 mbedtls_ssl_sig_from_pk_alg( sig_alg );
3225 }
3226 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3227
3228 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3229 if( ssl->conf->f_async_sign_start != NULL )
3230 {
3231 ret = ssl->conf->f_async_sign_start( ssl,
3232 mbedtls_ssl_own_cert( ssl ),
3233 md_alg, hash, hashlen );
3234 switch( ret )
3235 {
3236 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3237 /* act as if f_async_sign was null */
3238 break;
3239 case 0:
3240 ssl->handshake->async_in_progress = 1;
3241 return( ssl_resume_server_key_exchange( ssl, signature_len ) );
3242 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3243 ssl->handshake->async_in_progress = 1;
3244 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3245 default:
3246 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
3247 return( ret );
3248 }
3249 }
3250 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3251
3252 if( mbedtls_ssl_own_key( ssl ) == NULL )
3253 {
3254 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
3255 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3256 }
3257
3258 /* Append the signature to ssl->out_msg, leaving 2 bytes for the
3259 * signature length which will be added in ssl_write_server_key_exchange
3260 * after the call to ssl_prepare_server_key_exchange.
3261 * ssl_write_server_key_exchange also takes care of incrementing
3262 * ssl->out_msglen. */
3263 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
3264 md_alg, hash, hashlen,
3265 ssl->out_msg + ssl->out_msglen + 2,
3266 out_buf_len - ssl->out_msglen - 2,
3267 signature_len,
3268 ssl->conf->f_rng,
3269 ssl->conf->p_rng ) ) != 0 )
3270 {
3271 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3272 return( ret );
3273 }
3274 }
3275 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3276
3277 return( 0 );
3278 }
3279
3280 /* Prepare the ServerKeyExchange message and send it. For ciphersuites
3281 * that do not include a ServerKeyExchange message, do nothing. Either
3282 * way, if successful, move on to the next step in the SSL state
3283 * machine. */
ssl_write_server_key_exchange(mbedtls_ssl_context * ssl)3284 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
3285 {
3286 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3287 size_t signature_len = 0;
3288 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3289 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3290 ssl->handshake->ciphersuite_info;
3291 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3292
3293 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
3294
3295 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
3296 /* Extract static ECDH parameters and abort if ServerKeyExchange
3297 * is not needed. */
3298 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
3299 {
3300 /* For suites involving ECDH, extract DH parameters
3301 * from certificate at this point. */
3302 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
3303 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
3304 {
3305 ssl_get_ecdh_params_from_cert( ssl );
3306 }
3307 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
3308
3309 /* Key exchanges not involving ephemeral keys don't use
3310 * ServerKeyExchange, so end here. */
3311 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
3312 ssl->state++;
3313 return( 0 );
3314 }
3315 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
3316
3317 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \
3318 defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3319 /* If we have already prepared the message and there is an ongoing
3320 * signature operation, resume signing. */
3321 if( ssl->handshake->async_in_progress != 0 )
3322 {
3323 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
3324 ret = ssl_resume_server_key_exchange( ssl, &signature_len );
3325 }
3326 else
3327 #endif /* defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) &&
3328 defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
3329 {
3330 /* ServerKeyExchange is needed. Prepare the message. */
3331 ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
3332 }
3333
3334 if( ret != 0 )
3335 {
3336 /* If we're starting to write a new message, set ssl->out_msglen
3337 * to 0. But if we're resuming after an asynchronous message,
3338 * out_msglen is the amount of data written so far and mst be
3339 * preserved. */
3340 if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3341 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
3342 else
3343 ssl->out_msglen = 0;
3344 return( ret );
3345 }
3346
3347 /* If there is a signature, write its length.
3348 * ssl_prepare_server_key_exchange already wrote the signature
3349 * itself at its proper place in the output buffer. */
3350 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3351 if( signature_len != 0 )
3352 {
3353 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1( signature_len );
3354 ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0( signature_len );
3355
3356 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
3357 ssl->out_msg + ssl->out_msglen,
3358 signature_len );
3359
3360 /* Skip over the already-written signature */
3361 ssl->out_msglen += signature_len;
3362 }
3363 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3364
3365 /* Add header and send. */
3366 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3367 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
3368
3369 ssl->state++;
3370
3371 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3372 {
3373 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3374 return( ret );
3375 }
3376
3377 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
3378 return( 0 );
3379 }
3380
ssl_write_server_hello_done(mbedtls_ssl_context * ssl)3381 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
3382 {
3383 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3384
3385 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
3386
3387 ssl->out_msglen = 4;
3388 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3389 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
3390
3391 ssl->state++;
3392
3393 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3394 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3395 mbedtls_ssl_send_flight_completed( ssl );
3396 #endif
3397
3398 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3399 {
3400 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3401 return( ret );
3402 }
3403
3404 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3405 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3406 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3407 {
3408 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
3409 return( ret );
3410 }
3411 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3412
3413 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
3414
3415 return( 0 );
3416 }
3417
3418 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3419 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
ssl_parse_client_dh_public(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3420 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
3421 const unsigned char *end )
3422 {
3423 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3424 size_t n;
3425
3426 /*
3427 * Receive G^Y mod P, premaster = (G^Y)^X mod P
3428 */
3429 if( *p + 2 > end )
3430 {
3431 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3432 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3433 }
3434
3435 n = ( (*p)[0] << 8 ) | (*p)[1];
3436 *p += 2;
3437
3438 if( *p + n > end )
3439 {
3440 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3441 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3442 }
3443
3444 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
3445 {
3446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
3447 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3448 }
3449
3450 *p += n;
3451
3452 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
3453
3454 return( ret );
3455 }
3456 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3457 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3458
3459 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3460 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3461
3462 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
ssl_resume_decrypt_pms(mbedtls_ssl_context * ssl,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3463 static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
3464 unsigned char *peer_pms,
3465 size_t *peer_pmslen,
3466 size_t peer_pmssize )
3467 {
3468 int ret = ssl->conf->f_async_resume( ssl,
3469 peer_pms, peer_pmslen, peer_pmssize );
3470 if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3471 {
3472 ssl->handshake->async_in_progress = 0;
3473 mbedtls_ssl_set_async_operation_data( ssl, NULL );
3474 }
3475 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
3476 return( ret );
3477 }
3478 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3479
ssl_decrypt_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,unsigned char * peer_pms,size_t * peer_pmslen,size_t peer_pmssize)3480 static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
3481 const unsigned char *p,
3482 const unsigned char *end,
3483 unsigned char *peer_pms,
3484 size_t *peer_pmslen,
3485 size_t peer_pmssize )
3486 {
3487 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3488 mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
3489 mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
3490 size_t len = mbedtls_pk_get_len( public_key );
3491
3492 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3493 /* If we have already started decoding the message and there is an ongoing
3494 * decryption operation, resume signing. */
3495 if( ssl->handshake->async_in_progress != 0 )
3496 {
3497 MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
3498 return( ssl_resume_decrypt_pms( ssl,
3499 peer_pms, peer_pmslen, peer_pmssize ) );
3500 }
3501 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3502
3503 /*
3504 * Prepare to decrypt the premaster using own private RSA key
3505 */
3506 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3507 if ( p + 2 > end ) {
3508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3509 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3510 }
3511 if( *p++ != MBEDTLS_BYTE_1( len ) ||
3512 *p++ != MBEDTLS_BYTE_0( len ) )
3513 {
3514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3515 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3516 }
3517 #endif
3518
3519 if( p + len != end )
3520 {
3521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3522 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3523 }
3524
3525 /*
3526 * Decrypt the premaster secret
3527 */
3528 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3529 if( ssl->conf->f_async_decrypt_start != NULL )
3530 {
3531 ret = ssl->conf->f_async_decrypt_start( ssl,
3532 mbedtls_ssl_own_cert( ssl ),
3533 p, len );
3534 switch( ret )
3535 {
3536 case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
3537 /* act as if f_async_decrypt_start was null */
3538 break;
3539 case 0:
3540 ssl->handshake->async_in_progress = 1;
3541 return( ssl_resume_decrypt_pms( ssl,
3542 peer_pms,
3543 peer_pmslen,
3544 peer_pmssize ) );
3545 case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
3546 ssl->handshake->async_in_progress = 1;
3547 return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
3548 default:
3549 MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
3550 return( ret );
3551 }
3552 }
3553 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3554
3555 if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
3556 {
3557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
3558 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3559 }
3560
3561 ret = mbedtls_pk_decrypt( private_key, p, len,
3562 peer_pms, peer_pmslen, peer_pmssize,
3563 ssl->conf->f_rng, ssl->conf->p_rng );
3564 return( ret );
3565 }
3566
ssl_parse_encrypted_pms(mbedtls_ssl_context * ssl,const unsigned char * p,const unsigned char * end,size_t pms_offset)3567 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
3568 const unsigned char *p,
3569 const unsigned char *end,
3570 size_t pms_offset )
3571 {
3572 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3573 unsigned char *pms = ssl->handshake->premaster + pms_offset;
3574 unsigned char ver[2];
3575 unsigned char fake_pms[48], peer_pms[48];
3576 unsigned char mask;
3577 size_t i, peer_pmslen;
3578 unsigned int diff;
3579
3580 /* In case of a failure in decryption, the decryption may write less than
3581 * 2 bytes of output, but we always read the first two bytes. It doesn't
3582 * matter in the end because diff will be nonzero in that case due to
3583 * ret being nonzero, and we only care whether diff is 0.
3584 * But do initialize peer_pms and peer_pmslen for robustness anyway. This
3585 * also makes memory analyzers happy (don't access uninitialized memory,
3586 * even if it's an unsigned char). */
3587 peer_pms[0] = peer_pms[1] = ~0;
3588 peer_pmslen = 0;
3589
3590 ret = ssl_decrypt_encrypted_pms( ssl, p, end,
3591 peer_pms,
3592 &peer_pmslen,
3593 sizeof( peer_pms ) );
3594
3595 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3596 if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
3597 return( ret );
3598 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3599
3600 mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
3601 ssl->handshake->max_minor_ver,
3602 ssl->conf->transport, ver );
3603
3604 /* Avoid data-dependent branches while checking for invalid
3605 * padding, to protect against timing-based Bleichenbacher-type
3606 * attacks. */
3607 diff = (unsigned int) ret;
3608 diff |= peer_pmslen ^ 48;
3609 diff |= peer_pms[0] ^ ver[0];
3610 diff |= peer_pms[1] ^ ver[1];
3611
3612 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
3613 mask = mbedtls_ct_uint_mask( diff );
3614
3615 /*
3616 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
3617 * must not cause the connection to end immediately; instead, send a
3618 * bad_record_mac later in the handshake.
3619 * To protect against timing-based variants of the attack, we must
3620 * not have any branch that depends on whether the decryption was
3621 * successful. In particular, always generate the fake premaster secret,
3622 * regardless of whether it will ultimately influence the output or not.
3623 */
3624 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
3625 if( ret != 0 )
3626 {
3627 /* It's ok to abort on an RNG failure, since this does not reveal
3628 * anything about the RSA decryption. */
3629 return( ret );
3630 }
3631
3632 #if defined(MBEDTLS_SSL_DEBUG_ALL)
3633 if( diff != 0 )
3634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3635 #endif
3636
3637 if( sizeof( ssl->handshake->premaster ) < pms_offset ||
3638 sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
3639 {
3640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3641 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3642 }
3643 ssl->handshake->pmslen = 48;
3644
3645 /* Set pms to either the true or the fake PMS, without
3646 * data-dependent branches. */
3647 for( i = 0; i < ssl->handshake->pmslen; i++ )
3648 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
3649
3650 return( 0 );
3651 }
3652 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
3653 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3654
3655 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
ssl_parse_client_psk_identity(mbedtls_ssl_context * ssl,unsigned char ** p,const unsigned char * end)3656 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
3657 const unsigned char *end )
3658 {
3659 int ret = 0;
3660 uint16_t n;
3661
3662 if( ssl_conf_has_psk_or_cb( ssl->conf ) == 0 )
3663 {
3664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
3665 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
3666 }
3667
3668 /*
3669 * Receive client pre-shared key identity name
3670 */
3671 if( end - *p < 2 )
3672 {
3673 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3674 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3675 }
3676
3677 n = ( (*p)[0] << 8 ) | (*p)[1];
3678 *p += 2;
3679
3680 if( n == 0 || n > end - *p )
3681 {
3682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3683 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3684 }
3685
3686 if( ssl->conf->f_psk != NULL )
3687 {
3688 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
3689 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3690 }
3691 else
3692 {
3693 /* Identity is not a big secret since clients send it in the clear,
3694 * but treat it carefully anyway, just in case */
3695 if( n != ssl->conf->psk_identity_len ||
3696 mbedtls_ct_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
3697 {
3698 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
3699 }
3700 }
3701
3702 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
3703 {
3704 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
3705 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3706 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
3707 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
3708 }
3709
3710 *p += n;
3711
3712 return( 0 );
3713 }
3714 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3715
ssl_parse_client_key_exchange(mbedtls_ssl_context * ssl)3716 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
3717 {
3718 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3719 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3720 unsigned char *p, *end;
3721
3722 ciphersuite_info = ssl->handshake->ciphersuite_info;
3723
3724 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
3725
3726 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
3727 ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
3728 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
3729 if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3730 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
3731 ( ssl->handshake->async_in_progress != 0 ) )
3732 {
3733 /* We've already read a record and there is an asynchronous
3734 * operation in progress to decrypt it. So skip reading the
3735 * record. */
3736 MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
3737 }
3738 else
3739 #endif
3740 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3741 {
3742 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3743 return( ret );
3744 }
3745
3746 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3747 end = ssl->in_msg + ssl->in_hslen;
3748
3749 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
3750 {
3751 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3752 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3753 }
3754
3755 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
3756 {
3757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
3758 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
3759 }
3760
3761 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3762 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3763 {
3764 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3765 {
3766 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3767 return( ret );
3768 }
3769
3770 if( p != end )
3771 {
3772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3773 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3774 }
3775
3776 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
3777 ssl->handshake->premaster,
3778 MBEDTLS_PREMASTER_SIZE,
3779 &ssl->handshake->pmslen,
3780 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3781 {
3782 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3783 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3784 }
3785
3786 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3787 }
3788 else
3789 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3790 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3791 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3792 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3793 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3794 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3795 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3796 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3797 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3798 {
3799 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3800 p, end - p) ) != 0 )
3801 {
3802 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3803 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3804 }
3805
3806 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3807 MBEDTLS_DEBUG_ECDH_QP );
3808
3809 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
3810 &ssl->handshake->pmslen,
3811 ssl->handshake->premaster,
3812 MBEDTLS_MPI_MAX_SIZE,
3813 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3814 {
3815 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3816 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3817 }
3818
3819 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3820 MBEDTLS_DEBUG_ECDH_Z );
3821 }
3822 else
3823 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3824 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3825 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3826 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3827 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3828 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3829 {
3830 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3831 {
3832 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3833 return( ret );
3834 }
3835
3836 if( p != end )
3837 {
3838 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3839 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3840 }
3841
3842 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3843 /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically
3844 * and skip the intermediate PMS. */
3845 if( ssl_use_opaque_psk( ssl ) == 1 )
3846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) );
3847 else
3848 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3849 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3850 ciphersuite_info->key_exchange ) ) != 0 )
3851 {
3852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3853 return( ret );
3854 }
3855 }
3856 else
3857 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3858 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3859 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3860 {
3861 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3862 if ( ssl->handshake->async_in_progress != 0 )
3863 {
3864 /* There is an asynchronous operation in progress to
3865 * decrypt the encrypted premaster secret, so skip
3866 * directly to resuming this operation. */
3867 MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
3868 /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
3869 * won't actually use it, but maintain p anyway for robustness. */
3870 p += ssl->conf->psk_identity_len + 2;
3871 }
3872 else
3873 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3874 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3875 {
3876 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3877 return( ret );
3878 }
3879
3880 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3881 /* Opaque PSKs are currently only supported for PSK-only. */
3882 if( ssl_use_opaque_psk( ssl ) == 1 )
3883 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3884 #endif
3885
3886 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
3887 {
3888 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
3889 return( ret );
3890 }
3891
3892 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3893 ciphersuite_info->key_exchange ) ) != 0 )
3894 {
3895 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3896 return( ret );
3897 }
3898 }
3899 else
3900 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3901 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3902 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3903 {
3904 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3905 {
3906 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3907 return( ret );
3908 }
3909 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
3910 {
3911 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
3912 return( ret );
3913 }
3914
3915 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3916 /* Opaque PSKs are currently only supported for PSK-only. */
3917 if( ssl_use_opaque_psk( ssl ) == 1 )
3918 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3919 #endif
3920
3921 if( p != end )
3922 {
3923 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
3924 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3925 }
3926
3927 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3928 ciphersuite_info->key_exchange ) ) != 0 )
3929 {
3930 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3931 return( ret );
3932 }
3933 }
3934 else
3935 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3936 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3937 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3938 {
3939 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
3940 {
3941 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
3942 return( ret );
3943 }
3944
3945 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
3946 p, end - p ) ) != 0 )
3947 {
3948 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
3949 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3950 }
3951
3952 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3953 /* Opaque PSKs are currently only supported for PSK-only. */
3954 if( ssl_use_opaque_psk( ssl ) == 1 )
3955 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3956 #endif
3957
3958 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
3959 MBEDTLS_DEBUG_ECDH_QP );
3960
3961 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3962 ciphersuite_info->key_exchange ) ) != 0 )
3963 {
3964 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
3965 return( ret );
3966 }
3967 }
3968 else
3969 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3970 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3971 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3972 {
3973 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
3974 {
3975 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
3976 return( ret );
3977 }
3978 }
3979 else
3980 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3981 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3982 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3983 {
3984 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
3985 p, end - p );
3986 if( ret != 0 )
3987 {
3988 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
3989 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3990 }
3991
3992 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3993 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3994 ssl->conf->f_rng, ssl->conf->p_rng );
3995 if( ret != 0 )
3996 {
3997 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3998 return( ret );
3999 }
4000 }
4001 else
4002 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
4003 {
4004 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4005 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4006 }
4007
4008 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
4009 {
4010 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
4011 return( ret );
4012 }
4013
4014 ssl->state++;
4015
4016 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
4017
4018 return( 0 );
4019 }
4020
4021 #if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)4022 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
4023 {
4024 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4025 ssl->handshake->ciphersuite_info;
4026
4027 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4028
4029 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
4030 {
4031 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4032 ssl->state++;
4033 return( 0 );
4034 }
4035
4036 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4037 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4038 }
4039 #else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl)4040 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
4041 {
4042 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4043 size_t i, sig_len;
4044 unsigned char hash[48];
4045 unsigned char *hash_start = hash;
4046 size_t hashlen;
4047 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4048 mbedtls_pk_type_t pk_alg;
4049 #endif
4050 mbedtls_md_type_t md_alg;
4051 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
4052 ssl->handshake->ciphersuite_info;
4053 mbedtls_pk_context * peer_pk;
4054
4055 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
4056
4057 if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
4058 {
4059 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4060 ssl->state++;
4061 return( 0 );
4062 }
4063
4064 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4065 if( ssl->session_negotiate->peer_cert == NULL )
4066 {
4067 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4068 ssl->state++;
4069 return( 0 );
4070 }
4071 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4072 if( ssl->session_negotiate->peer_cert_digest == NULL )
4073 {
4074 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
4075 ssl->state++;
4076 return( 0 );
4077 }
4078 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4079
4080 /* Read the message without adding it to the checksum */
4081 ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
4082 if( 0 != ret )
4083 {
4084 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
4085 return( ret );
4086 }
4087
4088 ssl->state++;
4089
4090 /* Process the message contents */
4091 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
4092 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
4093 {
4094 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4095 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
4096 }
4097
4098 i = mbedtls_ssl_hs_hdr_len( ssl );
4099
4100 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4101 peer_pk = &ssl->handshake->peer_pubkey;
4102 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4103 if( ssl->session_negotiate->peer_cert == NULL )
4104 {
4105 /* Should never happen */
4106 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4107 }
4108 peer_pk = &ssl->session_negotiate->peer_cert->pk;
4109 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4110
4111 /*
4112 * struct {
4113 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
4114 * opaque signature<0..2^16-1>;
4115 * } DigitallySigned;
4116 */
4117 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4118 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
4119 {
4120 if( i + 2 > ssl->in_hslen )
4121 {
4122 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4123 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
4124 }
4125
4126 /*
4127 * Hash
4128 */
4129 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
4130
4131 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
4132 {
4133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4134 " for verify message" ) );
4135 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
4136 }
4137
4138 #if !defined(MBEDTLS_MD_SHA1)
4139 if( MBEDTLS_MD_SHA1 == md_alg )
4140 hash_start += 16;
4141 #endif
4142
4143 /* Info from md_alg will be used instead */
4144 hashlen = 0;
4145
4146 i++;
4147
4148 /*
4149 * Signature
4150 */
4151 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
4152 == MBEDTLS_PK_NONE )
4153 {
4154 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
4155 " for verify message" ) );
4156 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
4157 }
4158
4159 /*
4160 * Check the certificate's key type matches the signature alg
4161 */
4162 if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
4163 {
4164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
4165 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
4166 }
4167
4168 i++;
4169 }
4170 else
4171 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4172 {
4173 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4174 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4175 }
4176
4177 if( i + 2 > ssl->in_hslen )
4178 {
4179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4180 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
4181 }
4182
4183 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
4184 i += 2;
4185
4186 if( i + sig_len != ssl->in_hslen )
4187 {
4188 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
4189 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
4190 }
4191
4192 /* Calculate hash and verify signature */
4193 {
4194 size_t dummy_hlen;
4195 ssl->handshake->calc_verify( ssl, hash, &dummy_hlen );
4196 }
4197
4198 if( ( ret = mbedtls_pk_verify( peer_pk,
4199 md_alg, hash_start, hashlen,
4200 ssl->in_msg + i, sig_len ) ) != 0 )
4201 {
4202 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
4203 return( ret );
4204 }
4205
4206 mbedtls_ssl_update_handshake_status( ssl );
4207
4208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
4209
4210 return( ret );
4211 }
4212 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4213
4214 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
ssl_write_new_session_ticket(mbedtls_ssl_context * ssl)4215 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
4216 {
4217 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4218 size_t tlen;
4219 uint32_t lifetime;
4220
4221 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
4222
4223 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4224 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
4225
4226 /*
4227 * struct {
4228 * uint32 ticket_lifetime_hint;
4229 * opaque ticket<0..2^16-1>;
4230 * } NewSessionTicket;
4231 *
4232 * 4 . 7 ticket_lifetime_hint (0 = unspecified)
4233 * 8 . 9 ticket_len (n)
4234 * 10 . 9+n ticket content
4235 */
4236
4237 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
4238 ssl->session_negotiate,
4239 ssl->out_msg + 10,
4240 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
4241 &tlen, &lifetime ) ) != 0 )
4242 {
4243 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
4244 tlen = 0;
4245 }
4246
4247 MBEDTLS_PUT_UINT32_BE( lifetime, ssl->out_msg, 4 );
4248 MBEDTLS_PUT_UINT16_BE( tlen, ssl->out_msg, 8 );
4249 ssl->out_msglen = 10 + tlen;
4250
4251 /*
4252 * Morally equivalent to updating ssl->state, but NewSessionTicket and
4253 * ChangeCipherSpec share the same state.
4254 */
4255 ssl->handshake->new_session_ticket = 0;
4256
4257 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
4258 {
4259 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
4260 return( ret );
4261 }
4262
4263 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
4264
4265 return( 0 );
4266 }
4267 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4268
4269 /*
4270 * SSL handshake -- server side -- single step
4271 */
mbedtls_ssl_handshake_server_step(mbedtls_ssl_context * ssl)4272 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
4273 {
4274 int ret = 0;
4275
4276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
4277
4278 switch( ssl->state )
4279 {
4280 case MBEDTLS_SSL_HELLO_REQUEST:
4281 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4282 break;
4283
4284 /*
4285 * <== ClientHello
4286 */
4287 case MBEDTLS_SSL_CLIENT_HELLO:
4288 ret = ssl_parse_client_hello( ssl );
4289 break;
4290
4291 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4292 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
4293 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4294 #endif
4295
4296 /*
4297 * ==> ServerHello
4298 * Certificate
4299 * ( ServerKeyExchange )
4300 * ( CertificateRequest )
4301 * ServerHelloDone
4302 */
4303 case MBEDTLS_SSL_SERVER_HELLO:
4304 ret = ssl_write_server_hello( ssl );
4305 break;
4306
4307 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4308 ret = mbedtls_ssl_write_certificate( ssl );
4309 #if defined(VENDOR_ONT_TLS_CERT_FAILED_NOTICE_C)
4310 if ( ( ret != 0 ) && ( polarssl_get_caupdate() != 0 ) )
4311 {
4312 MBEDTLS_SSL_DEBUG_MSG( 1, ( "scp [ssl]handshake: failed try to fetch" ) );
4313 FILE *file = fopen("/var/certificatefaild","a+");
4314 if ( file == NULL )
4315 break;
4316 fclose(file);
4317 }
4318 #endif
4319 break;
4320
4321 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4322 ret = ssl_write_server_key_exchange( ssl );
4323 break;
4324
4325 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4326 ret = ssl_write_certificate_request( ssl );
4327 break;
4328
4329 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4330 ret = ssl_write_server_hello_done( ssl );
4331 break;
4332
4333 /*
4334 * <== ( Certificate/Alert )
4335 * ClientKeyExchange
4336 * ( CertificateVerify )
4337 * ChangeCipherSpec
4338 * Finished
4339 */
4340 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4341 ret = mbedtls_ssl_parse_certificate( ssl );
4342 break;
4343
4344 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4345 ret = ssl_parse_client_key_exchange( ssl );
4346 break;
4347
4348 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4349 ret = ssl_parse_certificate_verify( ssl );
4350 break;
4351
4352 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4353 ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
4354 break;
4355
4356 case MBEDTLS_SSL_CLIENT_FINISHED:
4357 ret = mbedtls_ssl_parse_finished( ssl );
4358 break;
4359
4360 /*
4361 * ==> ( NewSessionTicket )
4362 * ChangeCipherSpec
4363 * Finished
4364 */
4365 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4366 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4367 if( ssl->handshake->new_session_ticket != 0 )
4368 ret = ssl_write_new_session_ticket( ssl );
4369 else
4370 #endif
4371 ret = mbedtls_ssl_write_change_cipher_spec( ssl );
4372 break;
4373
4374 case MBEDTLS_SSL_SERVER_FINISHED:
4375 ret = mbedtls_ssl_write_finished( ssl );
4376 break;
4377
4378 case MBEDTLS_SSL_FLUSH_BUFFERS:
4379 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
4380 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4381 break;
4382
4383 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4384 mbedtls_ssl_handshake_wrapup( ssl );
4385 break;
4386
4387 default:
4388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
4389 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4390 }
4391
4392 return( ret );
4393 }
4394
mbedtls_ssl_conf_preference_order(mbedtls_ssl_config * conf,int order)4395 void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order )
4396 {
4397 conf->respect_cli_pref = order;
4398 }
4399
4400 #endif /* MBEDTLS_SSL_SRV_C */
4401