ReactOS 0.4.15-dev-8344-g0574987
ssl_cli.c
Go to the documentation of this file.
1/*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47#if !defined(MBEDTLS_CONFIG_FILE)
48#include "mbedtls/config.h"
49#else
50#include MBEDTLS_CONFIG_FILE
51#endif
52
53#if defined(MBEDTLS_SSL_CLI_C)
54
55#if defined(MBEDTLS_PLATFORM_C)
56#include "mbedtls/platform.h"
57#else
58#include <stdlib.h>
59#define mbedtls_calloc calloc
60#define mbedtls_free free
61#endif
62
63#include "mbedtls/debug.h"
64#include "mbedtls/ssl.h"
66
67#include <string.h>
68
69#include <stdint.h>
70
71#if defined(MBEDTLS_HAVE_TIME)
73#endif
74
75#if defined(MBEDTLS_SSL_SESSION_TICKETS)
77#endif
78
79#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
80static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
81 unsigned char *buf,
82 const unsigned char *end,
83 size_t *olen )
84{
85 unsigned char *p = buf;
86 size_t hostname_len;
87
88 *olen = 0;
89
90 if( ssl->hostname == NULL )
91 return( 0 );
92
94 ( "client hello, adding server name extension: %s",
95 ssl->hostname ) );
96
97 hostname_len = strlen( ssl->hostname );
98
99 MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
100
101 /*
102 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
103 *
104 * In order to provide any of the server names, clients MAY include an
105 * extension of type "server_name" in the (extended) client hello. The
106 * "extension_data" field of this extension SHALL contain
107 * "ServerNameList" where:
108 *
109 * struct {
110 * NameType name_type;
111 * select (name_type) {
112 * case host_name: HostName;
113 * } name;
114 * } ServerName;
115 *
116 * enum {
117 * host_name(0), (255)
118 * } NameType;
119 *
120 * opaque HostName<1..2^16-1>;
121 *
122 * struct {
123 * ServerName server_name_list<1..2^16-1>
124 * } ServerNameList;
125 *
126 */
127 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
128 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
129
130 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
131 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
132
133 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
134 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
135
136 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
137 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
138 *p++ = (unsigned char)( ( hostname_len ) & 0xFF );
139
140 memcpy( p, ssl->hostname, hostname_len );
141
142 *olen = hostname_len + 9;
143
144 return( 0 );
145}
146#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
147
148#if defined(MBEDTLS_SSL_RENEGOTIATION)
149static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
150 unsigned char *buf,
151 const unsigned char *end,
152 size_t *olen )
153{
154 unsigned char *p = buf;
155
156 *olen = 0;
157
158 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
159 * initial ClientHello, in which case also adding the renegotiation
160 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
162 return( 0 );
163
165 ( "client hello, adding renegotiation extension" ) );
166
168
169 /*
170 * Secure renegotiation
171 */
172 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
173 & 0xFF );
174 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
175 & 0xFF );
176
177 *p++ = 0x00;
178 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
179 *p++ = ssl->verify_data_len & 0xFF;
180
182
183 *olen = 5 + ssl->verify_data_len;
184
185 return( 0 );
186}
187#endif /* MBEDTLS_SSL_RENEGOTIATION */
188
189/*
190 * Only if we handle at least one key exchange that needs signatures.
191 */
192#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
193 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
194static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
195 unsigned char *buf,
196 const unsigned char *end,
197 size_t *olen )
198{
199 unsigned char *p = buf;
200 size_t sig_alg_len = 0;
201 const int *md;
202
203#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
204 unsigned char *sig_alg_list = buf + 6;
205#endif
206
207 *olen = 0;
208
210 return( 0 );
211
213 ( "client hello, adding signature_algorithms extension" ) );
214
215 if( ssl->conf->sig_hashes == NULL )
217
218 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
219 {
220#if defined(MBEDTLS_ECDSA_C)
221 sig_alg_len += 2;
222#endif
223#if defined(MBEDTLS_RSA_C)
224 sig_alg_len += 2;
225#endif
226 if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
227 {
229 ( "length in bytes of sig-hash-alg extension too big" ) );
231 }
232 }
233
234 /* Empty signature algorithms list, this is a configuration error. */
235 if( sig_alg_len == 0 )
237
238 MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
239
240 /*
241 * Prepare signature_algorithms extension (TLS 1.2)
242 */
243 sig_alg_len = 0;
244
245 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
246 {
247#if defined(MBEDTLS_ECDSA_C)
248 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
249 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
250#endif
251#if defined(MBEDTLS_RSA_C)
252 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
253 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
254#endif
255 }
256
257 /*
258 * enum {
259 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
260 * sha512(6), (255)
261 * } HashAlgorithm;
262 *
263 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
264 * SignatureAlgorithm;
265 *
266 * struct {
267 * HashAlgorithm hash;
268 * SignatureAlgorithm signature;
269 * } SignatureAndHashAlgorithm;
270 *
271 * SignatureAndHashAlgorithm
272 * supported_signature_algorithms<2..2^16-2>;
273 */
274 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
275 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
276
277 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
278 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
279
280 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
281 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
282
283 *olen = 6 + sig_alg_len;
284
285 return( 0 );
286}
287#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
288 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
289
290#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
291 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
292static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
293 unsigned char *buf,
294 const unsigned char *end,
295 size_t *olen )
296{
297 unsigned char *p = buf;
298 unsigned char *elliptic_curve_list = p + 6;
299 size_t elliptic_curve_len = 0;
301 const mbedtls_ecp_group_id *grp_id;
302
303 *olen = 0;
304
306 ( "client hello, adding supported_elliptic_curves extension" ) );
307
308 if( ssl->conf->curve_list == NULL )
310
311 for( grp_id = ssl->conf->curve_list;
312 *grp_id != MBEDTLS_ECP_DP_NONE;
313 grp_id++ )
314 {
316 if( info == NULL )
317 {
319 ( "invalid curve in ssl configuration" ) );
321 }
322 elliptic_curve_len += 2;
323
324 if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
325 {
327 ( "malformed supported_elliptic_curves extension in config" ) );
329 }
330 }
331
332 /* Empty elliptic curve list, this is a configuration error. */
333 if( elliptic_curve_len == 0 )
335
336 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
337
338 elliptic_curve_len = 0;
339
340 for( grp_id = ssl->conf->curve_list;
341 *grp_id != MBEDTLS_ECP_DP_NONE;
342 grp_id++ )
343 {
345 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
346 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
347 }
348
349 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
350 & 0xFF );
352 & 0xFF );
353
354 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
355 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
356
357 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
358 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
359
360 *olen = 6 + elliptic_curve_len;
361
362 return( 0 );
363}
364
365static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
366 unsigned char *buf,
367 const unsigned char *end,
368 size_t *olen )
369{
370 unsigned char *p = buf;
371 (void) ssl; /* ssl used for debugging only */
372
373 *olen = 0;
374
376 ( "client hello, adding supported_point_formats extension" ) );
378
379 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
380 & 0xFF );
382 & 0xFF );
383
384 *p++ = 0x00;
385 *p++ = 2;
386
387 *p++ = 1;
389
390 *olen = 6;
391
392 return( 0 );
393}
394#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
395 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
396
397#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
398static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
399 unsigned char *buf,
400 const unsigned char *end,
401 size_t *olen )
402{
403 int ret;
404 unsigned char *p = buf;
405 size_t kkpp_len;
406
407 *olen = 0;
408
409 /* Skip costly extension if we can't use EC J-PAKE anyway */
410 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
411 return( 0 );
412
414 ( "client hello, adding ecjpake_kkpp extension" ) );
415
417
418 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
419 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
420
421 /*
422 * We may need to send ClientHello multiple times for Hello verification.
423 * We don't want to compute fresh values every time (both for performance
424 * and consistency reasons), so cache the extension content.
425 */
426 if( ssl->handshake->ecjpake_cache == NULL ||
427 ssl->handshake->ecjpake_cache_len == 0 )
428 {
429 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
430
431 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
432 p + 2, end - p - 2, &kkpp_len,
433 ssl->conf->f_rng, ssl->conf->p_rng );
434 if( ret != 0 )
435 {
437 "mbedtls_ecjpake_write_round_one", ret );
438 return( ret );
439 }
440
441 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
442 if( ssl->handshake->ecjpake_cache == NULL )
443 {
444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
446 }
447
448 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
449 ssl->handshake->ecjpake_cache_len = kkpp_len;
450 }
451 else
452 {
453 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
454
455 kkpp_len = ssl->handshake->ecjpake_cache_len;
456 MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
457
458 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
459 }
460
461 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
462 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
463
464 *olen = kkpp_len + 4;
465
466 return( 0 );
467}
468#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
469
470#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
471static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
472 unsigned char *buf,
473 const unsigned char *end,
474 size_t *olen )
475{
476 unsigned char *p = buf;
477
478 *olen = 0;
479
481 return( 0 );
482
484 ( "client hello, adding max_fragment_length extension" ) );
485
487
488 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
489 & 0xFF );
490 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
491 & 0xFF );
492
493 *p++ = 0x00;
494 *p++ = 1;
495
496 *p++ = ssl->conf->mfl_code;
497
498 *olen = 5;
499
500 return( 0 );
501}
502#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
503
504#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
505static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
506 unsigned char *buf,
507 const unsigned char *end,
508 size_t *olen )
509{
510 unsigned char *p = buf;
511
512 *olen = 0;
513
515 return( 0 );
516
518 ( "client hello, adding truncated_hmac extension" ) );
519
521
522 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
523 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
524
525 *p++ = 0x00;
526 *p++ = 0x00;
527
528 *olen = 4;
529
530 return( 0 );
531}
532#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
533
534#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
535static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
536 unsigned char *buf,
537 const unsigned char *end,
538 size_t *olen )
539{
540 unsigned char *p = buf;
541
542 *olen = 0;
543
546 return( 0 );
547
549 ( "client hello, adding encrypt_then_mac extension" ) );
550
552
553 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
554 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
555
556 *p++ = 0x00;
557 *p++ = 0x00;
558
559 *olen = 4;
560
561 return( 0 );
562}
563#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
564
565#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
566static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
567 unsigned char *buf,
568 const unsigned char *end,
569 size_t *olen )
570{
571 unsigned char *p = buf;
572
573 *olen = 0;
574
577 return( 0 );
578
580 ( "client hello, adding extended_master_secret extension" ) );
581
583
584 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
585 & 0xFF );
587 & 0xFF );
588
589 *p++ = 0x00;
590 *p++ = 0x00;
591
592 *olen = 4;
593
594 return( 0 );
595}
596#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
597
598#if defined(MBEDTLS_SSL_SESSION_TICKETS)
599static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
600 unsigned char *buf,
601 const unsigned char *end,
602 size_t *olen )
603{
604 unsigned char *p = buf;
605 size_t tlen = ssl->session_negotiate->ticket_len;
606
607 *olen = 0;
608
610 return( 0 );
611
613 ( "client hello, adding session ticket extension" ) );
614
615 /* The addition is safe here since the ticket length is 16 bit. */
616 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
617
618 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
619 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
620
621 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
622 *p++ = (unsigned char)( ( tlen ) & 0xFF );
623
624 *olen = 4;
625
626 if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
627 return( 0 );
628
630 ( "sending session ticket of length %d", tlen ) );
631
632 memcpy( p, ssl->session_negotiate->ticket, tlen );
633
634 *olen += tlen;
635
636 return( 0 );
637}
638#endif /* MBEDTLS_SSL_SESSION_TICKETS */
639
640#if defined(MBEDTLS_SSL_ALPN)
641static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
642 unsigned char *buf,
643 const unsigned char *end,
644 size_t *olen )
645{
646 unsigned char *p = buf;
647 size_t alpnlen = 0;
648 const char **cur;
649
650 *olen = 0;
651
652 if( ssl->conf->alpn_list == NULL )
653 return( 0 );
654
655 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
656
657 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
658 alpnlen += strlen( *cur ) + 1;
659
660 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
661
662 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
663 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
664
665 /*
666 * opaque ProtocolName<1..2^8-1>;
667 *
668 * struct {
669 * ProtocolName protocol_name_list<2..2^16-1>
670 * } ProtocolNameList;
671 */
672
673 /* Skip writing extension and list length for now */
674 p += 4;
675
676 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
677 {
678 /*
679 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
680 * protocol names is less than 255.
681 */
682 *p = (unsigned char)strlen( *cur );
683 memcpy( p + 1, *cur, *p );
684 p += 1 + *p;
685 }
686
687 *olen = p - buf;
688
689 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
690 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
691 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
692
693 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
694 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
695 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
696
697 return( 0 );
698}
699#endif /* MBEDTLS_SSL_ALPN */
700
701/*
702 * Generate random bytes for ClientHello
703 */
704static int ssl_generate_random( mbedtls_ssl_context *ssl )
705{
706 int ret;
707 unsigned char *p = ssl->handshake->randbytes;
708#if defined(MBEDTLS_HAVE_TIME)
710#endif
711
712 /*
713 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
714 */
715#if defined(MBEDTLS_SSL_PROTO_DTLS)
717 ssl->handshake->verify_cookie != NULL )
718 {
719 return( 0 );
720 }
721#endif
722
723#if defined(MBEDTLS_HAVE_TIME)
724 t = mbedtls_time( NULL );
725 *p++ = (unsigned char)( t >> 24 );
726 *p++ = (unsigned char)( t >> 16 );
727 *p++ = (unsigned char)( t >> 8 );
728 *p++ = (unsigned char)( t );
729
730 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
731#else
732 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
733 return( ret );
734
735 p += 4;
736#endif /* MBEDTLS_HAVE_TIME */
737
738 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
739 return( ret );
740
741 return( 0 );
742}
743
754static int ssl_validate_ciphersuite(
755 const mbedtls_ssl_ciphersuite_t * suite_info,
756 const mbedtls_ssl_context * ssl,
757 int min_minor_ver, int max_minor_ver )
758{
759 (void) ssl;
760 if( suite_info == NULL )
761 return( 1 );
762
763 if( suite_info->min_minor_ver > max_minor_ver ||
764 suite_info->max_minor_ver < min_minor_ver )
765 return( 1 );
766
767#if defined(MBEDTLS_SSL_PROTO_DTLS)
769 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
770 return( 1 );
771#endif
772
773#if defined(MBEDTLS_ARC4_C)
775 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
776 return( 1 );
777#endif
778
779#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
780 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
781 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
782 return( 1 );
783#endif
784
785 return( 0 );
786}
787
788static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
789{
790 int ret;
791 size_t i, n, olen, ext_len = 0;
792
793 unsigned char *buf;
794 unsigned char *p, *q;
795 const unsigned char *end;
796
797 unsigned char offer_compress;
798 const int *ciphersuites;
799 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
800#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
801 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
802 int uses_ec = 0;
803#endif
804
805 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
806
807 if( ssl->conf->f_rng == NULL )
808 {
809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
810 return( MBEDTLS_ERR_SSL_NO_RNG );
811 }
812
813#if defined(MBEDTLS_SSL_RENEGOTIATION)
815#endif
816 {
817 ssl->major_ver = ssl->conf->min_major_ver;
818 ssl->minor_ver = ssl->conf->min_minor_ver;
819 }
820
821 if( ssl->conf->max_major_ver == 0 )
822 {
824 ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
826 }
827
828 buf = ssl->out_msg;
830
831 /*
832 * Check if there's enough space for the first part of the ClientHello
833 * consisting of the 38 bytes described below, the session identifier (at
834 * most 32 bytes) and its length (1 byte).
835 *
836 * Use static upper bounds instead of the actual values
837 * to allow the compiler to optimize this away.
838 */
839 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
840
841 /*
842 * The 38 first bytes of the ClientHello:
843 * 0 . 0 handshake type (written later)
844 * 1 . 3 handshake length (written later)
845 * 4 . 5 highest version supported
846 * 6 . 9 current UNIX time
847 * 10 . 37 random bytes
848 *
849 * The current UNIX time (4 bytes) and following 28 random bytes are written
850 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
851 * copied from there into the output buffer.
852 */
853
854 p = buf + 4;
856 ssl->conf->max_minor_ver,
857 ssl->conf->transport, p );
858 p += 2;
859
860 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
861 buf[4], buf[5] ) );
862
863 if( ( ret = ssl_generate_random( ssl ) ) != 0 )
864 {
865 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
866 return( ret );
867 }
868
869 memcpy( p, ssl->handshake->randbytes, 32 );
870 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
871 p += 32;
872
873 /*
874 * 38 . 38 session id length
875 * 39 . 39+n session id
876 * 39+n . 39+n DTLS only: cookie length (1 byte)
877 * 40+n . .. DTLS only: cookie
878 * .. . .. ciphersuitelist length (2 bytes)
879 * .. . .. ciphersuitelist
880 * .. . .. compression methods length (1 byte)
881 * .. . .. compression methods
882 * .. . .. extensions length (2 bytes)
883 * .. . .. extensions
884 */
885 n = ssl->session_negotiate->id_len;
886
887 if( n < 16 || n > 32 ||
888#if defined(MBEDTLS_SSL_RENEGOTIATION)
890#endif
891 ssl->handshake->resume == 0 )
892 {
893 n = 0;
894 }
895
896#if defined(MBEDTLS_SSL_SESSION_TICKETS)
897 /*
898 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
899 * generate and include a Session ID in the TLS ClientHello."
900 */
901#if defined(MBEDTLS_SSL_RENEGOTIATION)
903#endif
904 {
905 if( ssl->session_negotiate->ticket != NULL &&
906 ssl->session_negotiate->ticket_len != 0 )
907 {
908 ret = ssl->conf->f_rng( ssl->conf->p_rng,
909 ssl->session_negotiate->id, 32 );
910
911 if( ret != 0 )
912 return( ret );
913
914 ssl->session_negotiate->id_len = n = 32;
915 }
916 }
917#endif /* MBEDTLS_SSL_SESSION_TICKETS */
918
919 /*
920 * The first check of the output buffer size above (
921 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
922 * has checked that there is enough space in the output buffer for the
923 * session identifier length byte and the session identifier (n <= 32).
924 */
925 *p++ = (unsigned char) n;
926
927 for( i = 0; i < n; i++ )
928 *p++ = ssl->session_negotiate->id[i];
929
930 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
931 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
932
933 /*
934 * With 'n' being the length of the session identifier
935 *
936 * 39+n . 39+n DTLS only: cookie length (1 byte)
937 * 40+n . .. DTLS only: cookie
938 * .. . .. ciphersuitelist length (2 bytes)
939 * .. . .. ciphersuitelist
940 * .. . .. compression methods length (1 byte)
941 * .. . .. compression methods
942 * .. . .. extensions length (2 bytes)
943 * .. . .. extensions
944 */
945
946 /*
947 * DTLS cookie
948 */
949#if defined(MBEDTLS_SSL_PROTO_DTLS)
951 {
953
954 if( ssl->handshake->verify_cookie == NULL )
955 {
956 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
957 *p++ = 0;
958 }
959 else
960 {
961 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
962 ssl->handshake->verify_cookie,
963 ssl->handshake->verify_cookie_len );
964
965 *p++ = ssl->handshake->verify_cookie_len;
966
968 ssl->handshake->verify_cookie_len );
969 memcpy( p, ssl->handshake->verify_cookie,
970 ssl->handshake->verify_cookie_len );
971 p += ssl->handshake->verify_cookie_len;
972 }
973 }
974#endif
975
976 /*
977 * Ciphersuite list
978 */
979 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
980
981 /* Skip writing ciphersuite length for now */
982 n = 0;
983 q = p;
984
986 p += 2;
987
988 for( i = 0; ciphersuites[i] != 0; i++ )
989 {
990 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
991
992 if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
993 ssl->conf->min_minor_ver,
994 ssl->conf->max_minor_ver ) != 0 )
995 continue;
996
997 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
998 ciphersuites[i] ) );
999
1000#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1001 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1002 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
1003#endif
1004
1006
1007 n++;
1008 *p++ = (unsigned char)( ciphersuites[i] >> 8 );
1009 *p++ = (unsigned char)( ciphersuites[i] );
1010 }
1011
1013 ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
1014
1015 /*
1016 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1017 */
1018#if defined(MBEDTLS_SSL_RENEGOTIATION)
1020#endif
1021 {
1022 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
1024 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
1025 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
1026 n++;
1027 }
1028
1029 /* Some versions of OpenSSL don't handle it correctly if not at end */
1030#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1031 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
1032 {
1033 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
1034
1036 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
1037 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
1038 n++;
1039 }
1040#endif
1041
1042 *q++ = (unsigned char)( n >> 7 );
1043 *q++ = (unsigned char)( n << 1 );
1044
1045#if defined(MBEDTLS_ZLIB_SUPPORT)
1046 offer_compress = 1;
1047#else
1048 offer_compress = 0;
1049#endif
1050
1051 /*
1052 * We don't support compression with DTLS right now: if many records come
1053 * in the same datagram, uncompressing one could overwrite the next one.
1054 * We don't want to add complexity for handling that case unless there is
1055 * an actual need for it.
1056 */
1057#if defined(MBEDTLS_SSL_PROTO_DTLS)
1059 offer_compress = 0;
1060#endif
1061
1062 if( offer_compress )
1063 {
1064 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
1065 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
1068
1070 *p++ = 2;
1073 }
1074 else
1075 {
1076 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
1077 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
1079
1081 *p++ = 1;
1083 }
1084
1085 /* First write extensions, then the total length */
1086
1088
1089#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1090 if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
1091 end, &olen ) ) != 0 )
1092 {
1093 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
1094 return( ret );
1095 }
1096 ext_len += olen;
1097#endif
1098
1099 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1100 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
1101#if defined(MBEDTLS_SSL_RENEGOTIATION)
1102 if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
1103 end, &olen ) ) != 0 )
1104 {
1105 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
1106 return( ret );
1107 }
1108 ext_len += olen;
1109#endif
1110
1111#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1112 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
1113 if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
1114 end, &olen ) ) != 0 )
1115 {
1116 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
1117 return( ret );
1118 }
1119 ext_len += olen;
1120#endif
1121
1122#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1123 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1124 if( uses_ec )
1125 {
1126 if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
1127 end, &olen ) ) != 0 )
1128 {
1129 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
1130 return( ret );
1131 }
1132 ext_len += olen;
1133
1134 if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
1135 end, &olen ) ) != 0 )
1136 {
1137 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
1138 return( ret );
1139 }
1140 ext_len += olen;
1141 }
1142#endif
1143
1144#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1145 if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
1146 end, &olen ) ) != 0 )
1147 {
1148 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
1149 return( ret );
1150 }
1151 ext_len += olen;
1152#endif
1153
1154#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1155 if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
1156 end, &olen ) ) != 0 )
1157 {
1158 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
1159 return( ret );
1160 }
1161 ext_len += olen;
1162#endif
1163
1164#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1165 if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
1166 end, &olen ) ) != 0 )
1167 {
1168 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
1169 return( ret );
1170 }
1171 ext_len += olen;
1172#endif
1173
1174#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1175 if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
1176 end, &olen ) ) != 0 )
1177 {
1178 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
1179 return( ret );
1180 }
1181 ext_len += olen;
1182#endif
1183
1184#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1185 if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
1186 end, &olen ) ) != 0 )
1187 {
1188 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
1189 return( ret );
1190 }
1191 ext_len += olen;
1192#endif
1193
1194#if defined(MBEDTLS_SSL_ALPN)
1195 if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
1196 end, &olen ) ) != 0 )
1197 {
1198 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
1199 return( ret );
1200 }
1201 ext_len += olen;
1202#endif
1203
1204#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1205 if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
1206 end, &olen ) ) != 0 )
1207 {
1208 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
1209 return( ret );
1210 }
1211 ext_len += olen;
1212#endif
1213
1214 /* olen unused if all extensions are disabled */
1215 ((void) olen);
1216
1217 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
1218 ext_len ) );
1219
1220 if( ext_len > 0 )
1221 {
1222 /* No need to check for space here, because the extension
1223 * writing functions already took care of that. */
1224 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
1225 *p++ = (unsigned char)( ( ext_len ) & 0xFF );
1226 p += ext_len;
1227 }
1228
1229 ssl->out_msglen = p - buf;
1232
1233 ssl->state++;
1234
1235#if defined(MBEDTLS_SSL_PROTO_DTLS)
1237 mbedtls_ssl_send_flight_completed( ssl );
1238#endif
1239
1240 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
1241 {
1242 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
1243 return( ret );
1244 }
1245
1246#if defined(MBEDTLS_SSL_PROTO_DTLS)
1248 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
1249 {
1250 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
1251 return( ret );
1252 }
1253#endif /* MBEDTLS_SSL_PROTO_DTLS */
1254
1255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
1256
1257 return( 0 );
1258}
1259
1260static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
1261 const unsigned char *buf,
1262 size_t len )
1263{
1264#if defined(MBEDTLS_SSL_RENEGOTIATION)
1266 {
1267 /* Check verify-data in constant-time. The length OTOH is no secret */
1268 if( len != 1 + ssl->verify_data_len * 2 ||
1269 buf[0] != ssl->verify_data_len * 2 ||
1271 ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
1273 ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
1274 {
1275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
1277 ssl,
1281 }
1282 }
1283 else
1284#endif /* MBEDTLS_SSL_RENEGOTIATION */
1285 {
1286 if( len != 1 || buf[0] != 0x00 )
1287 {
1289 ( "non-zero length renegotiation info" ) );
1291 ssl,
1295 }
1296
1298 }
1299
1300 return( 0 );
1301}
1302
1303#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1304static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
1305 const unsigned char *buf,
1306 size_t len )
1307{
1308 /*
1309 * server should use the extension only if we did,
1310 * and if so the server's value should match ours (and len is always 1)
1311 */
1313 len != 1 ||
1314 buf[0] != ssl->conf->mfl_code )
1315 {
1317 ( "non-matching max fragment length extension" ) );
1319 ssl,
1323 }
1324
1325 return( 0 );
1326}
1327#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1328
1329#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1330static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
1331 const unsigned char *buf,
1332 size_t len )
1333{
1335 len != 0 )
1336 {
1338 ( "non-matching truncated HMAC extension" ) );
1340 ssl,
1344 }
1345
1346 ((void) buf);
1347
1349
1350 return( 0 );
1351}
1352#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1353
1354#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1355static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
1356 const unsigned char *buf,
1357 size_t len )
1358{
1361 len != 0 )
1362 {
1364 ( "non-matching encrypt-then-MAC extension" ) );
1366 ssl,
1370 }
1371
1372 ((void) buf);
1373
1375
1376 return( 0 );
1377}
1378#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1379
1380#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1381static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
1382 const unsigned char *buf,
1383 size_t len )
1384{
1387 len != 0 )
1388 {
1390 ( "non-matching extended master secret extension" ) );
1392 ssl,
1396 }
1397
1398 ((void) buf);
1399
1401
1402 return( 0 );
1403}
1404#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1405
1406#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1407static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
1408 const unsigned char *buf,
1409 size_t len )
1410{
1412 len != 0 )
1413 {
1415 ( "non-matching session ticket extension" ) );
1417 ssl,
1421 }
1422
1423 ((void) buf);
1424
1425 ssl->handshake->new_session_ticket = 1;
1426
1427 return( 0 );
1428}
1429#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1430
1431#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1432 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1433static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
1434 const unsigned char *buf,
1435 size_t len )
1436{
1437 size_t list_size;
1438 const unsigned char *p;
1439
1440 if( len == 0 || (size_t)( buf[0] + 1 ) != len )
1441 {
1442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1446 }
1447 list_size = buf[0];
1448
1449 p = buf + 1;
1450 while( list_size > 0 )
1451 {
1452 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1454 {
1455#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1456 ssl->handshake->ecdh_ctx.point_format = p[0];
1457#endif
1458#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1459 ssl->handshake->ecjpake_ctx.point_format = p[0];
1460#endif
1461 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
1462 return( 0 );
1463 }
1464
1465 list_size--;
1466 p++;
1467 }
1468
1469 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
1473}
1474#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1475 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1476
1477#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1478static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
1479 const unsigned char *buf,
1480 size_t len )
1481{
1482 int ret;
1483
1486 {
1487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
1488 return( 0 );
1489 }
1490
1491 /* If we got here, we no longer need our cached extension */
1492 mbedtls_free( ssl->handshake->ecjpake_cache );
1493 ssl->handshake->ecjpake_cache = NULL;
1494 ssl->handshake->ecjpake_cache_len = 0;
1495
1496 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
1497 buf, len ) ) != 0 )
1498 {
1499 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
1501 ssl,
1504 return( ret );
1505 }
1506
1507 return( 0 );
1508}
1509#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1510
1511#if defined(MBEDTLS_SSL_ALPN)
1512static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
1513 const unsigned char *buf, size_t len )
1514{
1515 size_t list_len, name_len;
1516 const char **p;
1517
1518 /* If we didn't send it, the server shouldn't send it */
1519 if( ssl->conf->alpn_list == NULL )
1520 {
1521 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
1523 ssl,
1527 }
1528
1529 /*
1530 * opaque ProtocolName<1..2^8-1>;
1531 *
1532 * struct {
1533 * ProtocolName protocol_name_list<2..2^16-1>
1534 * } ProtocolNameList;
1535 *
1536 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1537 */
1538
1539 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1540 if( len < 4 )
1541 {
1545 }
1546
1547 list_len = ( buf[0] << 8 ) | buf[1];
1548 if( list_len != len - 2 )
1549 {
1553 }
1554
1555 name_len = buf[2];
1556 if( name_len != list_len - 1 )
1557 {
1561 }
1562
1563 /* Check that the server chosen protocol was in our list and save it */
1564 for( p = ssl->conf->alpn_list; *p != NULL; p++ )
1565 {
1566 if( name_len == strlen( *p ) &&
1567 memcmp( buf + 3, *p, name_len ) == 0 )
1568 {
1569 ssl->alpn_chosen = *p;
1570 return( 0 );
1571 }
1572 }
1573
1574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
1578}
1579#endif /* MBEDTLS_SSL_ALPN */
1580
1581/*
1582 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1583 */
1584#if defined(MBEDTLS_SSL_PROTO_DTLS)
1585static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
1586{
1587 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
1588 int major_ver, minor_ver;
1589 unsigned char cookie_len;
1590
1591 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
1592
1593 /* Check that there is enough room for:
1594 * - 2 bytes of version
1595 * - 1 byte of cookie_len
1596 */
1597 if( mbedtls_ssl_hs_hdr_len( ssl ) + 3 > ssl->in_msglen )
1598 {
1600 ( "incoming HelloVerifyRequest message is too short" ) );
1604 }
1605
1606 /*
1607 * struct {
1608 * ProtocolVersion server_version;
1609 * opaque cookie<0..2^8-1>;
1610 * } HelloVerifyRequest;
1611 */
1612 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
1613 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
1614 p += 2;
1615
1616 /*
1617 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1618 * even is lower than our min version.
1619 */
1620 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1621 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1622 major_ver > ssl->conf->max_major_ver ||
1623 minor_ver > ssl->conf->max_minor_ver )
1624 {
1625 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
1626
1629
1631 }
1632
1633 cookie_len = *p++;
1634 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
1635 {
1637 ( "cookie length does not match incoming message size" ) );
1641 }
1642 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
1643
1644 mbedtls_free( ssl->handshake->verify_cookie );
1645
1646 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
1647 if( ssl->handshake->verify_cookie == NULL )
1648 {
1649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
1651 }
1652
1653 memcpy( ssl->handshake->verify_cookie, p, cookie_len );
1654 ssl->handshake->verify_cookie_len = cookie_len;
1655
1656 /* Start over at ClientHello */
1659
1660 mbedtls_ssl_recv_flight_completed( ssl );
1661
1662 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
1663
1664 return( 0 );
1665}
1666#endif /* MBEDTLS_SSL_PROTO_DTLS */
1667
1668static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
1669{
1670 int ret, i;
1671 size_t n;
1672 size_t ext_len;
1673 unsigned char *buf, *ext;
1674 unsigned char comp;
1675#if defined(MBEDTLS_ZLIB_SUPPORT)
1676 int accept_comp;
1677#endif
1678#if defined(MBEDTLS_SSL_RENEGOTIATION)
1679 int renegotiation_info_seen = 0;
1680#endif
1681 int handshake_failure = 0;
1682 const mbedtls_ssl_ciphersuite_t *suite_info;
1683
1684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
1685
1686 buf = ssl->in_msg;
1687
1688 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
1689 {
1690 /* No alert on a read error. */
1691 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
1692 return( ret );
1693 }
1694
1696 {
1697#if defined(MBEDTLS_SSL_RENEGOTIATION)
1699 {
1700 ssl->renego_records_seen++;
1701
1702 if( ssl->conf->renego_max_records >= 0 &&
1704 {
1706 ( "renegotiation requested, but not honored by server" ) );
1708 }
1709
1711 ( "non-handshake message during renegotiation" ) );
1712
1713 ssl->keep_current_message = 1;
1715 }
1716#endif /* MBEDTLS_SSL_RENEGOTIATION */
1717
1718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1720 ssl,
1724 }
1725
1726#if defined(MBEDTLS_SSL_PROTO_DTLS)
1728 {
1730 {
1731 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
1732 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
1733 return( ssl_parse_hello_verify_request( ssl ) );
1734 }
1735 else
1736 {
1737 /* We made it through the verification process */
1738 mbedtls_free( ssl->handshake->verify_cookie );
1739 ssl->handshake->verify_cookie = NULL;
1740 ssl->handshake->verify_cookie_len = 0;
1741 }
1742 }
1743#endif /* MBEDTLS_SSL_PROTO_DTLS */
1744
1745 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
1747 {
1748 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1752 }
1753
1754 /*
1755 * 0 . 1 server_version
1756 * 2 . 33 random (maybe including 4 bytes of Unix time)
1757 * 34 . 34 session_id length = n
1758 * 35 . 34+n session_id
1759 * 35+n . 36+n cipher_suite
1760 * 37+n . 37+n compression_method
1761 *
1762 * 38+n . 39+n extensions length (optional)
1763 * 40+n . .. extensions
1764 */
1765 buf += mbedtls_ssl_hs_hdr_len( ssl );
1766
1767 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
1769 ssl->conf->transport, buf + 0 );
1770
1771 if( ssl->major_ver < ssl->conf->min_major_ver ||
1772 ssl->minor_ver < ssl->conf->min_minor_ver ||
1773 ssl->major_ver > ssl->conf->max_major_ver ||
1774 ssl->minor_ver > ssl->conf->max_minor_ver )
1775 {
1777 ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
1778 ssl->conf->min_major_ver,
1779 ssl->conf->min_minor_ver,
1780 ssl->major_ver, ssl->minor_ver,
1781 ssl->conf->max_major_ver,
1782 ssl->conf->max_minor_ver ) );
1783
1786
1788 }
1789
1790 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
1791 ( (uint32_t) buf[2] << 24 ) |
1792 ( (uint32_t) buf[3] << 16 ) |
1793 ( (uint32_t) buf[4] << 8 ) |
1794 ( (uint32_t) buf[5] ) ) );
1795
1796 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
1797
1798 n = buf[34];
1799
1800 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 );
1801
1802 if( n > 32 )
1803 {
1804 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1808 }
1809
1810 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
1811 {
1812 ext_len = ( ( buf[38 + n] << 8 )
1813 | ( buf[39 + n] ) );
1814
1815 if( ( ext_len > 0 && ext_len < 4 ) ||
1816 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
1817 {
1818 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1820 ssl,
1824 }
1825 }
1826 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
1827 {
1828 ext_len = 0;
1829 }
1830 else
1831 {
1832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1836 }
1837
1838 /* ciphersuite (used later) */
1839 i = ( buf[35 + n] << 8 ) | buf[36 + n];
1840
1841 /*
1842 * Read and check compression
1843 */
1844 comp = buf[37 + n];
1845
1846#if defined(MBEDTLS_ZLIB_SUPPORT)
1847 /* See comments in ssl_write_client_hello() */
1848#if defined(MBEDTLS_SSL_PROTO_DTLS)
1850 accept_comp = 0;
1851 else
1852#endif
1853 accept_comp = 1;
1854
1855 if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
1856 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
1857#else /* MBEDTLS_ZLIB_SUPPORT */
1858 if( comp != MBEDTLS_SSL_COMPRESS_NULL )
1859#endif/* MBEDTLS_ZLIB_SUPPORT */
1860 {
1862 ( "server hello, bad compression: %d", comp ) );
1864 ssl,
1868 }
1869
1870 /*
1871 * Initialize update checksum functions
1872 */
1875
1877 {
1879 ( "ciphersuite info for %04x not found", i ) );
1883 }
1884
1887
1888 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
1889 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
1890
1891 /*
1892 * Check if the session can be resumed
1893 */
1894 if( ssl->handshake->resume == 0 || n == 0 ||
1895#if defined(MBEDTLS_SSL_RENEGOTIATION)
1897#endif
1898 ssl->session_negotiate->ciphersuite != i ||
1899 ssl->session_negotiate->compression != comp ||
1900 ssl->session_negotiate->id_len != n ||
1901 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
1902 {
1903 ssl->state++;
1904 ssl->handshake->resume = 0;
1905#if defined(MBEDTLS_HAVE_TIME)
1906 ssl->session_negotiate->start = mbedtls_time( NULL );
1907#endif
1909 ssl->session_negotiate->compression = comp;
1910 ssl->session_negotiate->id_len = n;
1911 memcpy( ssl->session_negotiate->id, buf + 35, n );
1912 }
1913 else
1914 {
1916
1917 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
1918 {
1919 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
1921 ssl,
1924 return( ret );
1925 }
1926 }
1927
1928 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
1929 ssl->handshake->resume ? "a" : "no" ) );
1930
1931 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
1932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
1933 buf[37 + n] ) );
1934
1935 /*
1936 * Perform cipher suite validation in same way as in ssl_write_client_hello.
1937 */
1938 i = 0;
1939 while( 1 )
1940 {
1941 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
1942 {
1943 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1945 ssl,
1949 }
1950
1951 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
1953 {
1954 break;
1955 }
1956 }
1957
1960 if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
1961 ssl->minor_ver ) != 0 )
1962 {
1963 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1965 ssl,
1969 }
1970
1972 ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
1973
1974#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
1977 {
1978 ssl->handshake->ecrs_enabled = 1;
1979 }
1980#endif
1981
1982 if( comp != MBEDTLS_SSL_COMPRESS_NULL
1983#if defined(MBEDTLS_ZLIB_SUPPORT)
1985#endif
1986 )
1987 {
1988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
1990 ssl,
1994 }
1995 ssl->session_negotiate->compression = comp;
1996
1997 ext = buf + 40 + n;
1998
2000 ( "server hello, total extension length: %d", ext_len ) );
2001
2002 while( ext_len )
2003 {
2004 unsigned int ext_id = ( ( ext[0] << 8 )
2005 | ( ext[1] ) );
2006 unsigned int ext_size = ( ( ext[2] << 8 )
2007 | ( ext[3] ) );
2008
2009 if( ext_size + 4 > ext_len )
2010 {
2011 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2016 }
2017
2018 switch( ext_id )
2019 {
2021 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
2022#if defined(MBEDTLS_SSL_RENEGOTIATION)
2023 renegotiation_info_seen = 1;
2024#endif
2025
2026 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
2027 ext_size ) ) != 0 )
2028 return( ret );
2029
2030 break;
2031
2032#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2035 ( "found max_fragment_length extension" ) );
2036
2037 if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
2038 ext + 4, ext_size ) ) != 0 )
2039 {
2040 return( ret );
2041 }
2042
2043 break;
2044#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2045
2046#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2048 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
2049
2050 if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
2051 ext + 4, ext_size ) ) != 0 )
2052 {
2053 return( ret );
2054 }
2055
2056 break;
2057#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2058
2059#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2061 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
2062
2063 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
2064 ext + 4, ext_size ) ) != 0 )
2065 {
2066 return( ret );
2067 }
2068
2069 break;
2070#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2071
2072#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2075 ( "found extended_master_secret extension" ) );
2076
2077 if( ( ret = ssl_parse_extended_ms_ext( ssl,
2078 ext + 4, ext_size ) ) != 0 )
2079 {
2080 return( ret );
2081 }
2082
2083 break;
2084#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2085
2086#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
2089
2090 if( ( ret = ssl_parse_session_ticket_ext( ssl,
2091 ext + 4, ext_size ) ) != 0 )
2092 {
2093 return( ret );
2094 }
2095
2096 break;
2097#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2098
2099#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2100 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2103 ( "found supported_point_formats extension" ) );
2104
2105 if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
2106 ext + 4, ext_size ) ) != 0 )
2107 {
2108 return( ret );
2109 }
2110
2111 break;
2112#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2113 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2114
2115#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2117 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
2118
2119 if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
2120 ext + 4, ext_size ) ) != 0 )
2121 {
2122 return( ret );
2123 }
2124
2125 break;
2126#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2127
2128#if defined(MBEDTLS_SSL_ALPN)
2130 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
2131
2132 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
2133 return( ret );
2134
2135 break;
2136#endif /* MBEDTLS_SSL_ALPN */
2137
2138 default:
2140 ( "unknown extension found: %d (ignoring)", ext_id ) );
2141 }
2142
2143 ext_len -= 4 + ext_size;
2144 ext += 4 + ext_size;
2145
2146 if( ext_len > 0 && ext_len < 4 )
2147 {
2148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
2150 }
2151 }
2152
2153 /*
2154 * Renegotiation security checks
2155 */
2159 {
2161 ( "legacy renegotiation, breaking off handshake" ) );
2162 handshake_failure = 1;
2163 }
2164#if defined(MBEDTLS_SSL_RENEGOTIATION)
2167 renegotiation_info_seen == 0 )
2168 {
2170 ( "renegotiation_info extension missing (secure)" ) );
2171 handshake_failure = 1;
2172 }
2177 {
2178 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
2179 handshake_failure = 1;
2180 }
2183 renegotiation_info_seen == 1 )
2184 {
2186 ( "renegotiation_info extension present (legacy)" ) );
2187 handshake_failure = 1;
2188 }
2189#endif /* MBEDTLS_SSL_RENEGOTIATION */
2190
2191 if( handshake_failure == 1 )
2192 {
2194 ssl,
2198 }
2199
2200 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
2201
2202 return( 0 );
2203}
2204
2205#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2206 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2207static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
2208 unsigned char **p,
2209 unsigned char *end )
2210{
2212 size_t dhm_actual_bitlen;
2213
2214 /*
2215 * Ephemeral DH parameters:
2216 *
2217 * struct {
2218 * opaque dh_p<1..2^16-1>;
2219 * opaque dh_g<1..2^16-1>;
2220 * opaque dh_Ys<1..2^16-1>;
2221 * } ServerDHParams;
2222 */
2224 p, end ) ) != 0 )
2225 {
2226 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
2227 return( ret );
2228 }
2229
2230 dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
2231 if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
2232 {
2233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u",
2234 (unsigned) dhm_actual_bitlen,
2235 ssl->conf->dhm_min_bitlen ) );
2237 }
2238
2239 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P );
2240 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G );
2241 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
2242
2243 return( ret );
2244}
2245#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2246 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2247
2248#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2249 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2250 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2251 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2252 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2253static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
2254{
2255 const mbedtls_ecp_curve_info *curve_info;
2256 mbedtls_ecp_group_id grp_id;
2257#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2258 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2259#else
2260 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2261#endif
2262
2263 curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
2264 if( curve_info == NULL )
2265 {
2266 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2268 }
2269
2270 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
2271
2272#if defined(MBEDTLS_ECP_C)
2273 if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
2274#else
2275 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2276 ssl->handshake->ecdh_ctx.grp.nbits > 521 )
2277#endif
2278 return( -1 );
2279
2282
2283 return( 0 );
2284}
2285#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2286 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2287 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2288 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2289 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2290
2291#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2292 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2293 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2294static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
2295 unsigned char **p,
2296 unsigned char *end )
2297{
2299
2300 /*
2301 * Ephemeral ECDH parameters:
2302 *
2303 * struct {
2304 * ECParameters curve_params;
2305 * ECPoint public;
2306 * } ServerECDHParams;
2307 */
2309 (const unsigned char **) p, end ) ) != 0 )
2310 {
2311 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
2312#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2315#endif
2316 return( ret );
2317 }
2318
2319 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2320 {
2322 ( "bad server key exchange message (ECDHE curve)" ) );
2324 }
2325
2326 return( ret );
2327}
2328#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2329 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2330 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2331
2332#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2333static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
2334 unsigned char **p,
2335 unsigned char *end )
2336{
2338 size_t len;
2339 ((void) ssl);
2340
2341 /*
2342 * PSK parameters:
2343 *
2344 * opaque psk_identity_hint<0..2^16-1>;
2345 */
2346 if( end - (*p) < 2 )
2347 {
2349 ( "bad server key exchange message (psk_identity_hint length)" ) );
2351 }
2352 len = (*p)[0] << 8 | (*p)[1];
2353 *p += 2;
2354
2355 if( end - (*p) < (int) len )
2356 {
2358 ( "bad server key exchange message (psk_identity_hint length)" ) );
2360 }
2361
2362 /*
2363 * Note: we currently ignore the PKS identity hint, as we only allow one
2364 * PSK to be provisionned on the client. This could be changed later if
2365 * someone needs that feature.
2366 */
2367 *p += len;
2368 ret = 0;
2369
2370 return( ret );
2371}
2372#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2373
2374#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2375 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2376/*
2377 * Generate a pre-master secret and encrypt it with the server's RSA key
2378 */
2379static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
2380 size_t offset, size_t *olen,
2381 size_t pms_offset )
2382{
2383 int ret;
2384 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2385 unsigned char *p = ssl->handshake->premaster + pms_offset;
2386
2387 if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
2388 {
2389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
2391 }
2392
2393 /*
2394 * Generate (part of) the pre-master as
2395 * struct {
2396 * ProtocolVersion client_version;
2397 * opaque random[46];
2398 * } PreMasterSecret;
2399 */
2401 ssl->conf->max_minor_ver,
2402 ssl->conf->transport, p );
2403
2404 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
2405 {
2406 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
2407 return( ret );
2408 }
2409
2410 ssl->handshake->pmslen = 48;
2411
2412 if( ssl->session_negotiate->peer_cert == NULL )
2413 {
2414 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2416 }
2417
2418 /*
2419 * Now write it out, encrypted
2420 */
2422 MBEDTLS_PK_RSA ) )
2423 {
2424 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
2426 }
2427
2429 p, ssl->handshake->pmslen,
2430 ssl->out_msg + offset + len_bytes, olen,
2431 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
2432 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2433 {
2434 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
2435 return( ret );
2436 }
2437
2438#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2439 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2440 if( len_bytes == 2 )
2441 {
2442 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
2443 ssl->out_msg[offset+1] = (unsigned char)( *olen );
2444 *olen += 2;
2445 }
2446#endif
2447
2448 return( 0 );
2449}
2450#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2451 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2452
2453#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2454#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2455 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2456 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2457static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
2458 unsigned char **p,
2459 unsigned char *end,
2460 mbedtls_md_type_t *md_alg,
2461 mbedtls_pk_type_t *pk_alg )
2462{
2463 ((void) ssl);
2464 *md_alg = MBEDTLS_MD_NONE;
2465 *pk_alg = MBEDTLS_PK_NONE;
2466
2467 /* Only in TLS 1.2 */
2469 {
2470 return( 0 );
2471 }
2472
2473 if( (*p) + 2 > end )
2475
2476 /*
2477 * Get hash algorithm
2478 */
2479 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
2480 == MBEDTLS_MD_NONE )
2481 {
2483 ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
2485 }
2486
2487 /*
2488 * Get signature algorithm
2489 */
2490 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
2491 == MBEDTLS_PK_NONE )
2492 {
2494 ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
2496 }
2497
2498 /*
2499 * Check if the hash is acceptable
2500 */
2501 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
2502 {
2504 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
2506 }
2507
2508 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
2509 (*p)[1] ) );
2510 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
2511 (*p)[0] ) );
2512 *p += 2;
2513
2514 return( 0 );
2515}
2516#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2517 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2518 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2519#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2520
2521#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2522 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2523static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
2524{
2525 int ret;
2526 const mbedtls_ecp_keypair *peer_key;
2527
2528 if( ssl->session_negotiate->peer_cert == NULL )
2529 {
2530 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2532 }
2533
2536 {
2537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
2539 }
2540
2541 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
2542
2543 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
2544 MBEDTLS_ECDH_THEIRS ) ) != 0 )
2545 {
2546 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
2547 return( ret );
2548 }
2549
2550 if( ssl_check_server_ecdh_params( ssl ) != 0 )
2551 {
2552 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
2554 }
2555
2556 return( ret );
2557}
2558#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2559 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2560
2561static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
2562{
2563 int ret;
2564 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2566 unsigned char *p = NULL, *end = NULL;
2567
2568 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
2569
2570#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2571 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
2572 {
2573 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2574 ssl->state++;
2575 return( 0 );
2576 }
2577 ((void) p);
2578 ((void) end);
2579#endif
2580
2581#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2582 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2583 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2584 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
2585 {
2586 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
2587 {
2588 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
2590 ssl,
2593 return( ret );
2594 }
2595
2596 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
2597 ssl->state++;
2598 return( 0 );
2599 }
2600 ((void) p);
2601 ((void) end);
2602#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2603 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2604
2605#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2606 if( ssl->handshake->ecrs_enabled &&
2607 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
2608 {
2609 goto start_processing;
2610 }
2611#endif
2612
2613 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2614 {
2615 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2616 return( ret );
2617 }
2618
2620 {
2621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2623 ssl,
2627 }
2628
2629 /*
2630 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
2631 * doesn't use a psk_identity_hint
2632 */
2634 {
2635 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2636 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2637 {
2638 /* Current message is probably either
2639 * CertificateRequest or ServerHelloDone */
2640 ssl->keep_current_message = 1;
2641 goto exit;
2642 }
2643
2645 ( "server key exchange message must not be skipped" ) );
2647 ssl,
2650
2652 }
2653
2654#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2655 if( ssl->handshake->ecrs_enabled )
2656 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2657
2658start_processing:
2659#endif
2660 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2661 end = ssl->in_msg + ssl->in_hslen;
2662 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
2663
2664#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
2665 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2666 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
2667 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
2668 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
2669 {
2670 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
2671 {
2672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2674 ssl,
2678 }
2679 } /* FALLTROUGH */
2680#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
2681
2682#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
2683 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2684 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
2685 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
2686 ; /* nothing more to do */
2687 else
2688#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
2689 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2690#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2691 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2692 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
2693 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
2694 {
2695 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
2696 {
2697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2699 ssl,
2703 }
2704 }
2705 else
2706#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2707 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2708#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2709 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2710 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2711 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
2712 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
2713 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
2714 {
2715 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
2716 {
2717 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2719 ssl,
2723 }
2724 }
2725 else
2726#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2727 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2728 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2729#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2730 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
2731 {
2732 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
2733 p, end - p );
2734 if( ret != 0 )
2735 {
2736 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
2738 ssl,
2742 }
2743 }
2744 else
2745#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2746 {
2747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2749 }
2750
2751#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
2752 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
2753 {
2754 size_t sig_len, hashlen;
2755 unsigned char hash[64];
2758 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
2759 size_t params_len = p - params;
2760 void *rs_ctx = NULL;
2761
2762 /*
2763 * Handle the digitally-signed structure
2764 */
2765#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2767 {
2768 if( ssl_parse_signature_algorithm( ssl, &p, end,
2769 &md_alg, &pk_alg ) != 0 )
2770 {
2772 ( "bad server key exchange message" ) );
2774 ssl,
2778 }
2779
2780 if( pk_alg !=
2781 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
2782 {
2784 ( "bad server key exchange message" ) );
2786 ssl,
2790 }
2791 }
2792 else
2793#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2794#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2795 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2797 {
2798 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
2799
2800 /* Default hash for ECDSA is SHA-1 */
2801 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
2802 md_alg = MBEDTLS_MD_SHA1;
2803 }
2804 else
2805#endif
2806 {
2807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2809 }
2810
2811 /*
2812 * Read signature
2813 */
2814
2815 if( p > end - 2 )
2816 {
2817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2819 ssl,
2823 }
2824 sig_len = ( p[0] << 8 ) | p[1];
2825 p += 2;
2826
2827 if( p != end - sig_len )
2828 {
2829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2831 ssl,
2835 }
2836
2837 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
2838
2839 /*
2840 * Compute the hash that has been signed
2841 */
2842#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
2843 defined(MBEDTLS_SSL_PROTO_TLS1_1)
2844 if( md_alg == MBEDTLS_MD_NONE )
2845 {
2846 hashlen = 36;
2848 params_len );
2849 if( ret != 0 )
2850 return( ret );
2851 }
2852 else
2853#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
2854 MBEDTLS_SSL_PROTO_TLS1_1 */
2855#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2856 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2857 if( md_alg != MBEDTLS_MD_NONE )
2858 {
2860 params, params_len,
2861 md_alg );
2862 if( ret != 0 )
2863 return( ret );
2864 }
2865 else
2866#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2867 MBEDTLS_SSL_PROTO_TLS1_2 */
2868 {
2869 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2871 }
2872
2873 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
2874
2875 if( ssl->session_negotiate->peer_cert == NULL )
2876 {
2877 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
2879 ssl,
2883 }
2884
2885 /*
2886 * Verify signature
2887 */
2889 pk_alg ) )
2890 {
2891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
2893 ssl,
2897 }
2898
2899#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2900 if( ssl->handshake->ecrs_enabled )
2901 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2902#endif
2903
2906 md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
2907 {
2908#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2910#endif
2912 ssl,
2915 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
2916#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
2919#endif
2920 return( ret );
2921 }
2922 }
2923#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
2924
2925exit:
2926 ssl->state++;
2927
2928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
2929
2930 return( 0 );
2931}
2932
2933#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
2934static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2935{
2936 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2938
2939 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2940
2941 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2942 {
2943 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2944 ssl->state++;
2945 return( 0 );
2946 }
2947
2948 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2950}
2951#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
2952static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
2953{
2954 int ret;
2955 unsigned char *buf;
2956 size_t n = 0;
2957 size_t cert_type_len = 0, dn_len = 0;
2958 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2960
2961 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
2962
2963 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
2964 {
2965 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
2966 ssl->state++;
2967 return( 0 );
2968 }
2969
2970 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2971 {
2972 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2973 return( ret );
2974 }
2975
2977 {
2978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
2980 ssl,
2984 }
2985
2986 ssl->state++;
2988
2989 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
2990 ssl->client_auth ? "a" : "no" ) );
2991
2992 if( ssl->client_auth == 0 )
2993 {
2994 /* Current message is probably the ServerHelloDone */
2995 ssl->keep_current_message = 1;
2996 goto exit;
2997 }
2998
2999 /*
3000 * struct {
3001 * ClientCertificateType certificate_types<1..2^8-1>;
3002 * SignatureAndHashAlgorithm
3003 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3004 * DistinguishedName certificate_authorities<0..2^16-1>;
3005 * } CertificateRequest;
3006 *
3007 * Since we only support a single certificate on clients, let's just
3008 * ignore all the information that's supposed to help us pick a
3009 * certificate.
3010 *
3011 * We could check that our certificate matches the request, and bail out
3012 * if it doesn't, but it's simpler to just send the certificate anyway,
3013 * and give the server the opportunity to decide if it should terminate
3014 * the connection when it doesn't like our certificate.
3015 *
3016 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3017 * point we only have one hash available (see comments in
3018 * write_certificate_verify), so let's just use what we have.
3019 *
3020 * However, we still minimally parse the message to check it is at least
3021 * superficially sane.
3022 */
3023 buf = ssl->in_msg;
3024
3025 /* certificate_types */
3026 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
3027 {
3028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3032 }
3033 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
3034 n = cert_type_len;
3035
3036 /*
3037 * In the subsequent code there are two paths that read from buf:
3038 * * the length of the signature algorithms field (if minor version of
3039 * SSL is 3),
3040 * * distinguished name length otherwise.
3041 * Both reach at most the index:
3042 * ...hdr_len + 2 + n,
3043 * therefore the buffer length at this point must be greater than that
3044 * regardless of the actual code path.
3045 */
3046 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
3047 {
3048 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3052 }
3053
3054 /* supported_signature_algorithms */
3055#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3057 {
3058 size_t sig_alg_len =
3059 ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3060 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3061#if defined(MBEDTLS_DEBUG_C)
3062 unsigned char* sig_alg;
3063 size_t i;
3064#endif
3065
3066 /*
3067 * The furthest access in buf is in the loop few lines below:
3068 * sig_alg[i + 1],
3069 * where:
3070 * sig_alg = buf + ...hdr_len + 3 + n,
3071 * max(i) = sig_alg_len - 1.
3072 * Therefore the furthest access is:
3073 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3074 * which reduces to:
3075 * buf[...hdr_len + 3 + n + sig_alg_len],
3076 * which is one less than we need the buf to be.
3077 */
3078 if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
3079 + 3 + n + sig_alg_len )
3080 {
3081 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3083 ssl,
3087 }
3088
3089#if defined(MBEDTLS_DEBUG_C)
3090 sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
3091 for( i = 0; i < sig_alg_len; i += 2 )
3092 {
3094 ( "Supported Signature Algorithm found: %d,%d",
3095 sig_alg[i], sig_alg[i + 1] ) );
3096 }
3097#endif
3098
3099 n += 2 + sig_alg_len;
3100 }
3101#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3102
3103 /* certificate_authorities */
3104 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
3105 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
3106
3107 n += dn_len;
3108 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
3109 {
3110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
3114 }
3115
3116exit:
3117 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
3118
3119 return( 0 );
3120}
3121#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
3122
3123static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
3124{
3125 int ret;
3126
3127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
3128
3129 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3130 {
3131 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3132 return( ret );
3133 }
3134
3136 {
3137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3139 }
3140
3141 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ||
3143 {
3144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
3148 }
3149
3150 ssl->state++;
3151
3152#if defined(MBEDTLS_SSL_PROTO_DTLS)
3154 mbedtls_ssl_recv_flight_completed( ssl );
3155#endif
3156
3157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
3158
3159 return( 0 );
3160}
3161
3162static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
3163{
3164 int ret;
3165 size_t i, n;
3166 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3168
3169 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
3170
3171#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3172 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
3173 {
3174 /*
3175 * DHM key exchange -- send G^X mod P
3176 */
3177 n = ssl->handshake->dhm_ctx.len;
3178
3179 ssl->out_msg[4] = (unsigned char)( n >> 8 );
3180 ssl->out_msg[5] = (unsigned char)( n );
3181 i = 6;
3182
3184 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3185 &ssl->out_msg[i], n,
3186 ssl->conf->f_rng, ssl->conf->p_rng );
3187 if( ret != 0 )
3188 {
3189 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3190 return( ret );
3191 }
3192
3193 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X );
3194 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
3195
3197 ssl->handshake->premaster,
3199 &ssl->handshake->pmslen,
3200 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3201 {
3202 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
3203 return( ret );
3204 }
3205
3206 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
3207 }
3208 else
3209#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3210#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3211 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3212 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3213 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3214 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3215 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3216 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3217 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
3218 {
3219 /*
3220 * ECDH key exchange -- send client public value
3221 */
3222 i = 4;
3223
3224#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3225 if( ssl->handshake->ecrs_enabled )
3226 {
3227 if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
3228 goto ecdh_calc_secret;
3229
3230 mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
3231 }
3232#endif
3233
3235 &n,
3236 &ssl->out_msg[i], 1000,
3237 ssl->conf->f_rng, ssl->conf->p_rng );
3238 if( ret != 0 )
3239 {
3240 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3241#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3244#endif
3245 return( ret );
3246 }
3247
3250
3251#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3252 if( ssl->handshake->ecrs_enabled )
3253 {
3254 ssl->handshake->ecrs_n = n;
3255 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
3256 }
3257
3259 if( ssl->handshake->ecrs_enabled )
3260 n = ssl->handshake->ecrs_n;
3261#endif
3263 &ssl->handshake->pmslen,
3264 ssl->handshake->premaster,
3266 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
3267 {
3268 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
3269#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3272#endif
3273 return( ret );
3274 }
3275
3278 }
3279 else
3280#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3281 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3282 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3283 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3284#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
3285 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
3286 {
3287 /*
3288 * opaque psk_identity<0..2^16-1>;
3289 */
3290 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
3291 {
3292 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
3294 }
3295
3296 i = 4;
3297 n = ssl->conf->psk_identity_len;
3298
3299 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
3300 {
3302 ( "psk identity too long or SSL buffer too short" ) );
3304 }
3305
3306 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3307 ssl->out_msg[i++] = (unsigned char)( n );
3308
3309 memcpy( ssl->out_msg + i,
3310 ssl->conf->psk_identity,
3311 ssl->conf->psk_identity_len );
3312 i += ssl->conf->psk_identity_len;
3313
3314#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3315 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
3316 {
3317 n = 0;
3318 }
3319 else
3320#endif
3321#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3322 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
3323 {
3324 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
3325 return( ret );
3326 }
3327 else
3328#endif
3329#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3330 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
3331 {
3332 /*
3333 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3334 */
3335 n = ssl->handshake->dhm_ctx.len;
3336
3337 if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
3338 {
3340 ( "psk identity or DHM size too long or SSL buffer too short" ) );
3342 }
3343
3344 ssl->out_msg[i++] = (unsigned char)( n >> 8 );
3345 ssl->out_msg[i++] = (unsigned char)( n );
3346
3348 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
3349 &ssl->out_msg[i], n,
3350 ssl->conf->f_rng, ssl->conf->p_rng );
3351 if( ret != 0 )
3352 {
3353 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
3354 return( ret );
3355 }
3356 }
3357 else
3358#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3359#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3360 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
3361 {
3362 /*
3363 * ClientECDiffieHellmanPublic public;
3364 */
3367 ssl->conf->f_rng, ssl->conf->p_rng );
3368 if( ret != 0 )
3369 {
3370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
3371 return( ret );
3372 }
3373
3376 }
3377 else
3378#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3379 {
3380 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3382 }
3383
3384 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
3385 ciphersuite_info->key_exchange ) ) != 0 )
3386 {
3388 "mbedtls_ssl_psk_derive_premaster", ret );
3389 return( ret );
3390 }
3391 }
3392 else
3393#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
3394#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3395 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
3396 {
3397 i = 4;
3398 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
3399 return( ret );
3400 }
3401 else
3402#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3403#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3404 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3405 {
3406 i = 4;
3407
3408 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
3410 ssl->conf->f_rng, ssl->conf->p_rng );
3411 if( ret != 0 )
3412 {
3413 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
3414 return( ret );
3415 }
3416
3417 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
3418 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3419 ssl->conf->f_rng, ssl->conf->p_rng );
3420 if( ret != 0 )
3421 {
3422 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
3423 return( ret );
3424 }
3425 }
3426 else
3427#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3428 {
3429 ((void) ciphersuite_info);
3430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3432 }
3433
3434 ssl->out_msglen = i + n;
3437
3438 ssl->state++;
3439
3440 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3441 {
3442 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3443 return( ret );
3444 }
3445
3446 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
3447
3448 return( 0 );
3449}
3450
3451#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
3452 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
3453 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
3454 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
3455 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
3456 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3457static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3458{
3459 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3461 int ret;
3462
3463 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3464
3465 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3466 {
3467 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3468 return( ret );
3469 }
3470
3471 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3472 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3473 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3474 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3475 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3476 {
3477 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3478 ssl->state++;
3479 return( 0 );
3480 }
3481
3482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3484}
3485#else
3486static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
3487{
3489 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3491 size_t n = 0, offset = 0;
3492 unsigned char hash[48];
3493 unsigned char *hash_start = hash;
3495 unsigned int hashlen;
3496 void *rs_ctx = NULL;
3497
3498 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
3499
3500#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3501 if( ssl->handshake->ecrs_enabled &&
3502 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
3503 {
3504 goto sign;
3505 }
3506#endif
3507
3508 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
3509 {
3510 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
3511 return( ret );
3512 }
3513
3514 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3515 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3516 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3517 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3518 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
3519 {
3520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3521 ssl->state++;
3522 return( 0 );
3523 }
3524
3525 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
3526 {
3527 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
3528 ssl->state++;
3529 return( 0 );
3530 }
3531
3532 if( mbedtls_ssl_own_key( ssl ) == NULL )
3533 {
3534 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
3536 }
3537
3538 /*
3539 * Make a signature of the handshake digests
3540 */
3541#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3542 if( ssl->handshake->ecrs_enabled )
3543 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3544
3545sign:
3546#endif
3547
3548 ssl->handshake->calc_verify( ssl, hash );
3549
3550#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3551 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3553 {
3554 /*
3555 * digitally-signed struct {
3556 * opaque md5_hash[16];
3557 * opaque sha_hash[20];
3558 * };
3559 *
3560 * md5_hash
3561 * MD5(handshake_messages);
3562 *
3563 * sha_hash
3564 * SHA(handshake_messages);
3565 */
3566 hashlen = 36;
3567 md_alg = MBEDTLS_MD_NONE;
3568
3569 /*
3570 * For ECDSA, default hash is SHA-1 only
3571 */
3573 {
3574 hash_start += 16;
3575 hashlen -= 16;
3576 md_alg = MBEDTLS_MD_SHA1;
3577 }
3578 }
3579 else
3580#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3581 MBEDTLS_SSL_PROTO_TLS1_1 */
3582#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3584 {
3585 /*
3586 * digitally-signed struct {
3587 * opaque handshake_messages[handshake_messages_length];
3588 * };
3589 *
3590 * Taking shortcut here. We assume that the server always allows the
3591 * PRF Hash function and has sent it in the allowed signature
3592 * algorithms list received in the Certificate Request message.
3593 *
3594 * Until we encounter a server that does not, we will take this
3595 * shortcut.
3596 *
3597 * Reason: Otherwise we should have running hashes for SHA512 and
3598 * SHA224 in order to satisfy 'weird' needs from the server
3599 * side.
3600 */
3603 {
3604 md_alg = MBEDTLS_MD_SHA384;
3606 }
3607 else
3608 {
3609 md_alg = MBEDTLS_MD_SHA256;
3611 }
3613
3614 /* Info from md_alg will be used instead */
3615 hashlen = 0;
3616 offset = 2;
3617 }
3618 else
3619#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3620 {
3621 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3623 }
3624
3625#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3626 if( ssl->handshake->ecrs_enabled )
3627 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3628#endif
3629
3631 md_alg, hash_start, hashlen,
3632 ssl->out_msg + 6 + offset, &n,
3633 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
3634 {
3635 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
3636#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
3639#endif
3640 return( ret );
3641 }
3642
3643 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
3644 ssl->out_msg[5 + offset] = (unsigned char)( n );
3645
3646 ssl->out_msglen = 6 + n + offset;
3649
3650 ssl->state++;
3651
3652 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
3653 {
3654 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
3655 return( ret );
3656 }
3657
3658 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
3659
3660 return( ret );
3661}
3662#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
3663 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
3664 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
3665 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
3666 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
3667 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3668
3669#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3670static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
3671{
3672 int ret;
3673 uint32_t lifetime;
3674 size_t ticket_len;
3675 unsigned char *ticket;
3676 const unsigned char *msg;
3677
3678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
3679
3680 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
3681 {
3682 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
3683 return( ret );
3684 }
3685
3687 {
3688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3690 ssl,
3694 }
3695
3696 /*
3697 * struct {
3698 * uint32 ticket_lifetime_hint;
3699 * opaque ticket<0..2^16-1>;
3700 * } NewSessionTicket;
3701 *
3702 * 0 . 3 ticket_lifetime_hint
3703 * 4 . 5 ticket_len (n)
3704 * 6 . 5+n ticket content
3705 */
3707 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
3708 {
3709 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3713 }
3714
3715 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
3716
3717 lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
3718 ( msg[2] << 8 ) | ( msg[3] );
3719
3720 ticket_len = ( msg[4] << 8 ) | ( msg[5] );
3721
3722 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
3723 {
3724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
3728 }
3729
3730 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
3731
3732 /* We're not waiting for a NewSessionTicket message any more */
3733 ssl->handshake->new_session_ticket = 0;
3735
3736 /*
3737 * Zero-length ticket means the server changed his mind and doesn't want
3738 * to send a ticket after all, so just forget it
3739 */
3740 if( ticket_len == 0 )
3741 return( 0 );
3742
3747 ssl->session_negotiate->ticket_len = 0;
3748
3749 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
3750 {
3751 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
3755 }
3756
3757 memcpy( ticket, msg + 6, ticket_len );
3758
3759 ssl->session_negotiate->ticket = ticket;
3760 ssl->session_negotiate->ticket_len = ticket_len;
3761 ssl->session_negotiate->ticket_lifetime = lifetime;
3762
3763 /*
3764 * RFC 5077 section 3.4:
3765 * "If the client receives a session ticket from the server, then it
3766 * discards any Session ID that was sent in the ServerHello."
3767 */
3768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
3769 ssl->session_negotiate->id_len = 0;
3770
3771 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
3772
3773 return( 0 );
3774}
3775#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3776
3777/*
3778 * SSL handshake -- client side -- single step
3779 */
3781{
3782 int ret = 0;
3783
3784 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
3786
3787 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
3788
3789 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3790 return( ret );
3791
3792#if defined(MBEDTLS_SSL_PROTO_DTLS)
3794 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3795 {
3796 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
3797 return( ret );
3798 }
3799#endif /* MBEDTLS_SSL_PROTO_DTLS */
3800
3801 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
3802 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
3803#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3805 ssl->handshake->new_session_ticket != 0 )
3806 {
3808 }
3809#endif
3810
3811 switch( ssl->state )
3812 {
3815 break;
3816
3817 /*
3818 * ==> ClientHello
3819 */
3821 ret = ssl_write_client_hello( ssl );
3822 break;
3823
3824 /*
3825 * <== ServerHello
3826 * Certificate
3827 * ( ServerKeyExchange )
3828 * ( CertificateRequest )
3829 * ServerHelloDone
3830 */
3832 ret = ssl_parse_server_hello( ssl );
3833 break;
3834
3837 break;
3838
3840 ret = ssl_parse_server_key_exchange( ssl );
3841 break;
3842
3844 ret = ssl_parse_certificate_request( ssl );
3845 break;
3846
3848 ret = ssl_parse_server_hello_done( ssl );
3849 break;
3850
3851 /*
3852 * ==> ( Certificate/Alert )
3853 * ClientKeyExchange
3854 * ( CertificateVerify )
3855 * ChangeCipherSpec
3856 * Finished
3857 */
3860 break;
3861
3863 ret = ssl_write_client_key_exchange( ssl );
3864 break;
3865
3867 ret = ssl_write_certificate_verify( ssl );
3868 break;
3869
3872 break;
3873
3876 break;
3877
3878 /*
3879 * <== ( NewSessionTicket )
3880 * ChangeCipherSpec
3881 * Finished
3882 */
3883#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3885 ret = ssl_parse_new_session_ticket( ssl );
3886 break;
3887#endif
3888
3891 break;
3892
3895 break;
3896
3898 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
3900 break;
3901
3904 break;
3905
3906 default:
3907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
3909 }
3910
3911 return( ret );
3912}
3913#endif /* MBEDTLS_SSL_CLI_C */
int memcmp(void *Buffer1, void *Buffer2, ACPI_SIZE Count)
Definition: utclib.c:112
ACPI_SIZE strlen(const char *String)
Definition: utclib.c:269
#define msg(x)
Definition: auth_time.c:54
#define MBEDTLS_MPI_MAX_SIZE
Definition: bignum.h:107
size_t mbedtls_mpi_size(const mbedtls_mpi *X)
Return the total size of an MPI value in bytes.
size_t mbedtls_mpi_bitlen(const mbedtls_mpi *X)
Return the number of bits up to and including the most significant bit of value 1.
@ MBEDTLS_CIPHER_ARC4_128
Definition: cipher.h:172
#define ecdh_calc_secret
Definition: compat-1.3.h:1908
#define md
Definition: compat-1.3.h:2013
int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx, unsigned char **p, const unsigned char *end)
This function parses the DHM parameters in a TLS ServerKeyExchange handshake message (DHM modulus,...
int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx, unsigned char *output, size_t output_size, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
This function derives and exports the shared secret (G^Y)^X mod P.
int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size, unsigned char *output, size_t olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
This function creates a DHM key pair and exports the raw public key in big-endian format.
#define NULL
Definition: types.h:112
UINT32 uint32_t
Definition: types.h:75
static const WCHAR *const ext[]
Definition: module.c:53
unsigned char
Definition: typeof.h:29
int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key, mbedtls_ecdh_side side)
This function sets up an ECDH context from an EC key.
int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
This function generates a public key and exports it as a TLS ClientKeyExchange payload.
int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
This function derives and exports the shared secret.
@ MBEDTLS_ECDH_THEIRS
Definition: ecdh.h:92
int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx, const unsigned char **buf, const unsigned char *end)
This function parses the ECDHE parameters in a TLS ServerKeyExchange handshake message.
int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len)
Read and process the second round message (TLS: contents of the Client/ServerKeyExchange).
int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Generate and write the first round message (TLS: contents of the Client/ServerHello extension,...
int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Generate and write the second round message (TLS: contents of the Client/ServerKeyExchange).
int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx, unsigned char *buf, size_t len, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Derive the shared secret (TLS: Pre-Master Secret).
int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx)
Check if an ECJPAKE context is ready for use.
int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx, const unsigned char *buf, size_t len)
Read and process the first round message (TLS: contents of the Client/ServerHello extension,...
#define MBEDTLS_ECP_PF_UNCOMPRESSED
Definition: ecp.h:408
#define MBEDTLS_ECP_PF_COMPRESSED
Definition: ecp.h:409
#define MBEDTLS_ERR_ECP_IN_PROGRESS
Definition: ecp.h:87
const mbedtls_ecp_curve_info * mbedtls_ecp_curve_info_from_grp_id(mbedtls_ecp_group_id grp_id)
This function retrieves curve information from an internal group identifier.
mbedtls_ecp_group_id
Definition: ecp.h:103
@ MBEDTLS_ECP_DP_NONE
Definition: ecp.h:104
FxCollectionEntry * cur
GLuint GLuint end
Definition: gl.h:1545
GLdouble GLdouble t
Definition: gl.h:2047
GLdouble GLdouble GLdouble GLdouble q
Definition: gl.h:2063
GLdouble n
Definition: glext.h:7729
GLenum const GLfloat * params
Definition: glext.h:5645
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
GLfloat GLfloat p
Definition: glext.h:8902
GLenum GLsizei len
Definition: glext.h:6722
GLintptr offset
Definition: glext.h:5920
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
mbedtls_pk_context pk
Definition: x509_crt.h:96
#define sign(x)
Definition: mapdesc.cc:613
mbedtls_md_type_t
Supported message digests.
Definition: md.h:83
@ MBEDTLS_MD_SHA384
Definition: md.h:91
@ MBEDTLS_MD_NONE
Definition: md.h:84
@ MBEDTLS_MD_SHA256
Definition: md.h:90
@ MBEDTLS_MD_SHA1
Definition: md.h:88
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
#define uint32_t
Definition: nsiface.idl:61
int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, mbedtls_pk_restart_ctx *rs_ctx)
Restartable version of mbedtls_pk_sign()
int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type)
Tell if a context can do the operation given by type.
mbedtls_pk_type_t
Public key types.
Definition: pk.h:103
@ MBEDTLS_PK_NONE
Definition: pk.h:104
@ MBEDTLS_PK_ECDSA
Definition: pk.h:108
@ MBEDTLS_PK_RSA
Definition: pk.h:105
@ MBEDTLS_PK_ECKEY
Definition: pk.h:106
static mbedtls_ecp_keypair * mbedtls_pk_ec(const mbedtls_pk_context pk)
Definition: pk.h:195
int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, const unsigned char *sig, size_t sig_len, mbedtls_pk_restart_ctx *rs_ctx)
Restartable version of mbedtls_pk_verify()
int mbedtls_pk_encrypt(mbedtls_pk_context *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, size_t osize, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
Encrypt message (including padding if relevant).
mbed TLS Platform time abstraction
#define mbedtls_time
Definition: platform_time.h:99
time_t mbedtls_time_t
Definition: platform_time.h:78
void mbedtls_platform_zeroize(void *buf, size_t len)
Securely zeroize a buffer.
Definition: platform_util.c:98
Common and shared functions used by multiple modules in the Mbed TLS library.
#define mbedtls_ssl_ciphersuite_from_id
Configuration options (set of defines)
#define MBEDTLS_SSL_RENEGOTIATION
Definition: config.h:1518
Functions for controlling and providing debug output from the library.
#define MBEDTLS_SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:101
#define MBEDTLS_SSL_DEBUG_ECDH(level, ecdh, attr)
Definition: debug.h:106
#define MBEDTLS_SSL_DEBUG_MSG(level, args)
Definition: debug.h:100
#define MBEDTLS_SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:103
#define MBEDTLS_SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:102
@ MBEDTLS_DEBUG_ECDH_QP
Definition: debug.h:259
@ MBEDTLS_DEBUG_ECDH_Q
Definition: debug.h:258
@ MBEDTLS_DEBUG_ECDH_Z
Definition: debug.h:260
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
#define mbedtls_free
Definition: platform.h:168
#define mbedtls_calloc
Definition: platform.h:169
#define exit(n)
Definition: config.h:202
LOCAL int ext_size(UInt32_t starting_extent)
Definition: write.c:2503
SSL/TLS functions.
#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
Definition: ssl.h:375
#define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
Definition: ssl.h:213
#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:216
#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:341
#define MBEDTLS_ERR_SSL_BAD_CONFIG
Definition: ssl.h:151
#define MBEDTLS_SSL_ARC4_DISABLED
Definition: ssl.h:226
#define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
Definition: ssl.h:354
#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
Definition: ssl.h:384
#define MBEDTLS_SSL_MINOR_VERSION_0
Definition: ssl.h:157
#define MBEDTLS_SSL_SIG_RSA
Definition: ssl.h:314
#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
Definition: ssl.h:395
@ MBEDTLS_SSL_CERTIFICATE_VERIFY
Definition: ssl.h:465
@ MBEDTLS_SSL_HANDSHAKE_OVER
Definition: ssl.h:472
@ MBEDTLS_SSL_SERVER_HELLO_DONE
Definition: ssl.h:462
@ MBEDTLS_SSL_SERVER_FINISHED
Definition: ssl.h:469
@ MBEDTLS_SSL_SERVER_KEY_EXCHANGE
Definition: ssl.h:460
@ MBEDTLS_SSL_SERVER_HELLO
Definition: ssl.h:458
@ MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
Definition: ssl.h:464
@ MBEDTLS_SSL_CLIENT_HELLO
Definition: ssl.h:457
@ MBEDTLS_SSL_SERVER_CERTIFICATE
Definition: ssl.h:459
@ MBEDTLS_SSL_CERTIFICATE_REQUEST
Definition: ssl.h:461
@ MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
Definition: ssl.h:473
@ MBEDTLS_SSL_CLIENT_FINISHED
Definition: ssl.h:467
@ MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
Definition: ssl.h:468
@ MBEDTLS_SSL_HANDSHAKE_WRAPUP
Definition: ssl.h:471
@ MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
Definition: ssl.h:466
@ MBEDTLS_SSL_HELLO_REQUEST
Definition: ssl.h:456
@ MBEDTLS_SSL_CLIENT_CERTIFICATE
Definition: ssl.h:463
@ MBEDTLS_SSL_FLUSH_BUFFERS
Definition: ssl.h:470
#define MBEDTLS_SSL_MINOR_VERSION_3
Definition: ssl.h:160
int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
Definition: ssl.h:116
#define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
Definition: ssl.h:107
#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
Definition: ssl.h:351
#define MBEDTLS_SSL_HS_SERVER_HELLO_DONE
Definition: ssl.h:373
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP
Definition: ssl.h:400
#define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
Definition: ssl.h:348
#define MBEDTLS_TLS_EXT_ALPN
Definition: ssl.h:393
#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
Definition: ssl.h:402
#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
Definition: ssl.h:130
#define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
Definition: ssl.h:382
#define MBEDTLS_SSL_EXTENDED_MS_DISABLED
Definition: ssl.h:185
#define MBEDTLS_SSL_TRUNC_HMAC_DISABLED
Definition: ssl.h:215
#define MBEDTLS_TLS_EXT_SIG_ALG
Definition: ssl.h:391
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS
Definition: ssl.h:150
#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA
Definition: ssl.h:97
#define MBEDTLS_SSL_HASH_SHA256
Definition: ssl.h:309
#define MBEDTLS_SSL_COMPRESS_NULL
Definition: ssl.h:191
#define MBEDTLS_SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:199
#define MBEDTLS_ERR_SSL_ALLOC_FAILED
Definition: ssl.h:125
#define MBEDTLS_SSL_EXTENDED_MS_ENABLED
Definition: ssl.h:186
#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:117
#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
Definition: ssl.h:114
#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
Definition: ssl.h:396
#define MBEDTLS_SSL_IS_FALLBACK
Definition: ssl.h:183
#define MBEDTLS_TLS_EXT_SESSION_TICKET
Definition: ssl.h:398
#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED
Definition: ssl.h:219
#define MBEDTLS_SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:333
#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:211
#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
Definition: ssl.h:371
#define MBEDTLS_SSL_SECURE_RENEGOTIATION
Definition: ssl.h:200
#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
Definition: ssl.h:356
#define MBEDTLS_TLS_EXT_SERVERNAME
Definition: ssl.h:381
#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:172
#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
Definition: ssl.h:115
#define MBEDTLS_SSL_MAJOR_VERSION_3
Definition: ssl.h:156
#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT
Definition: ssl.h:360
#define MBEDTLS_SSL_MINOR_VERSION_2
Definition: ssl.h:159
#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
Definition: ssl.h:118
#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET
Definition: ssl.h:369
#define MBEDTLS_SSL_SIG_ECDSA
Definition: ssl.h:315
#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
Definition: ssl.h:374
#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:336
#define MBEDTLS_SSL_ETM_ENABLED
Definition: ssl.h:189
#define MBEDTLS_SSL_ETM_DISABLED
Definition: ssl.h:188
#define MBEDTLS_SSL_HASH_SHA384
Definition: ssl.h:310
#define MBEDTLS_SSL_COMPRESS_DEFLATE
Definition: ssl.h:192
#define MBEDTLS_SSL_TRANSPORT_DATAGRAM
Definition: ssl.h:163
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
Definition: ssl.h:389
#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
Definition: ssl.h:368
#define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
Definition: ssl.h:132
#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
Definition: ssl.h:138
#define MBEDTLS_PREMASTER_SIZE
Definition: ssl.h:445
#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE
Definition: ssl.h:299
#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
Definition: ssl.h:109
#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
Definition: ssl.h:136
#define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
Definition: ssl.h:298
#define MBEDTLS_SSL_HS_SERVER_HELLO
Definition: ssl.h:367
#define MBEDTLS_SSL_OUT_CONTENT_LEN
Definition: ssl.h:273
#define MBEDTLS_SSL_HS_CLIENT_HELLO
Definition: ssl.h:366
#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
Definition: ssl.h:129
#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
Definition: ssl.h:96
#define MBEDTLS_ERR_SSL_NO_RNG
Definition: ssl.h:103
#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
Definition: ssl.h:372
#define MBEDTLS_ERR_SSL_INTERNAL_ERROR
Definition: ssl.h:134
#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
Definition: ssl.h:352
#define MBEDTLS_SSL_MSG_HANDSHAKE
Definition: ssl.h:329
#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC
Definition: ssl.h:386
#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
Definition: ssl.h:388
int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
static int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
#define MBEDTLS_CIPHERSUITE_NODTLS
static int mbedtls_ssl_ciphersuite_uses_server_signature(const mbedtls_ssl_ciphersuite_t *info)
@ MBEDTLS_KEY_EXCHANGE_PSK
@ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
@ MBEDTLS_KEY_EXCHANGE_DHE_PSK
@ MBEDTLS_KEY_EXCHANGE_DHE_RSA
@ MBEDTLS_KEY_EXCHANGE_ECDH_RSA
@ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
@ MBEDTLS_KEY_EXCHANGE_RSA
@ MBEDTLS_KEY_EXCHANGE_ECJPAKE
@ MBEDTLS_KEY_EXCHANGE_RSA_PSK
@ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
@ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
Internal functions shared by the SSL modules.
static int mbedtls_ssl_safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl_internal.h:826
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
#define MBEDTLS_SSL_INITIAL_HANDSHAKE
Definition: ssl_internal.h:135
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
Definition: ssl_internal.h:136
static mbedtls_pk_context * mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
Definition: ssl_internal.h:746
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
void mbedtls_ssl_write_version(int major, int minor, int transport, unsigned char ver[2])
#define MBEDTLS_SSL_RETRANS_SENDING
Definition: ssl_internal.h:149
void mbedtls_ssl_read_version(int *major, int *minor, int transport, const unsigned char ver[2])
int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl, mbedtls_md_type_t md)
int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN
Definition: ssl_internal.h:232
int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
static size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
Definition: ssl_internal.h:801
int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl)
static mbedtls_x509_crt * mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
Definition: ssl_internal.h:758
unsigned char mbedtls_ssl_hash_from_md_alg(int md)
int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, unsigned update_hs_digest)
Update record layer.
int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, unsigned char *data, size_t data_len, mbedtls_md_type_t md_alg)
int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl, unsigned char *output, unsigned char *data, size_t data_len)
void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl)
#define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need)
This macro checks if the remaining size in a buffer is greater or equal than a needed space....
Definition: ssl_internal.h:315
int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN
Definition: ssl_internal.h:229
Definition: _hash_fun.h:40
mbedtls_mpi X
Definition: dhm.h:132
mbedtls_mpi K
Definition: dhm.h:135
mbedtls_mpi G
Definition: dhm.h:131
mbedtls_mpi GY
Definition: dhm.h:134
mbedtls_mpi P
Definition: dhm.h:130
size_t len
Definition: dhm.h:129
mbedtls_mpi GX
Definition: dhm.h:133
mbedtls_ecp_group grp
Definition: ecdh.h:138
const char * name
Definition: ecp.h:135
mbedtls_ecp_group_id id
Definition: ecp.h:234
size_t nbits
Definition: ecp.h:243
The ECP key-pair structure.
Definition: ecp.h:398
This structure is used for storing ciphersuite information.
mbedtls_key_exchange_type_t key_exchange
mbedtls_cipher_type_t cipher
int renego_max_records
Definition: ssl.h:987
unsigned char max_major_ver
Definition: ssl.h:1000
const int * ciphersuite_list[4]
Definition: ssl.h:864
unsigned int session_tickets
Definition: ssl.h:1039
void * p_rng
Definition: ssl.h:872
unsigned int trunc_hmac
Definition: ssl.h:1036
const mbedtls_ecp_group_id * curve_list
Definition: ssl.h:946
unsigned char max_minor_ver
Definition: ssl.h:1001
unsigned char min_minor_ver
Definition: ssl.h:1003
unsigned int transport
Definition: ssl.h:1010
unsigned int mfl_code
Definition: ssl.h:1018
unsigned int arc4_disabled
Definition: ssl.h:1015
const int * sig_hashes
Definition: ssl.h:942
unsigned int encrypt_then_mac
Definition: ssl.h:1021
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:871
unsigned int dhm_min_bitlen
Definition: ssl.h:997
const char ** alpn_list
Definition: ssl.h:970
unsigned int extended_ms
Definition: ssl.h:1024
unsigned char min_major_ver
Definition: ssl.h:1002
unsigned int allow_legacy_renegotiation
Definition: ssl.h:1013
size_t verify_data_len
Definition: ssl.h:1204
char * hostname
Definition: ssl.h:1181
char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]
Definition: ssl.h:1205
unsigned char * out_msg
Definition: ssl.h:1153
mbedtls_ssl_session * session_negotiate
Definition: ssl.h:1086
char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]
Definition: ssl.h:1206
const char * alpn_chosen
Definition: ssl.h:1186
size_t in_hslen
Definition: ssl.h:1133
unsigned char * in_msg
Definition: ssl.h:1117
size_t out_msglen
Definition: ssl.h:1156
int renego_records_seen
Definition: ssl.h:1061
mbedtls_ssl_handshake_params * handshake
Definition: ssl.h:1088
int secure_renegotiation
Definition: ssl.h:1201
mbedtls_ssl_transform * transform_negotiate
Definition: ssl.h:1097
size_t in_msglen
Definition: ssl.h:1121
const mbedtls_ssl_config * conf
Definition: ssl.h:1053
int keep_current_message
Definition: ssl.h:1137
unsigned char premaster[MBEDTLS_PREMASTER_SIZE]
Definition: ssl_internal.h:477
unsigned char randbytes[64]
Definition: ssl_internal.h:476
mbedtls_dhm_context dhm_ctx
Definition: ssl_internal.h:359
mbedtls_ecdh_context ecdh_ctx
Definition: ssl_internal.h:362
void(* calc_verify)(mbedtls_ssl_context *, unsigned char *)
Definition: ssl_internal.h:468
uint32_t ticket_lifetime
Definition: ssl.h:837
mbedtls_x509_crt * peer_cert
Definition: ssl.h:830
size_t ticket_len
Definition: ssl.h:836
unsigned char id[32]
Definition: ssl.h:826
int encrypt_then_mac
Definition: ssl.h:849
size_t id_len
Definition: ssl.h:825
unsigned char * ticket
Definition: ssl.h:835
const mbedtls_ssl_ciphersuite_t * ciphersuite_info
Definition: ssl_internal.h:517
int ret