Lines Matching defs:ssl
14 #include "mbedtls/ssl.h"
51 static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
63 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
70 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
79 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
80 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
82 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
84 *olen = 5 + ssl->verify_data_len;
95 static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
101 (void) ssl; /* ssl used for debugging only */
128 static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
141 if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
145 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
163 if (ssl->handshake->ecjpake_cache == NULL ||
164 ssl->handshake->ecjpake_cache_len == 0) {
168 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
172 psa_destroy_key(ssl->handshake->psa_pake_password);
173 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
178 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
180 ssl->conf->f_rng, ssl->conf->p_rng);
188 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
189 if (ssl->handshake->ecjpake_cache == NULL) {
194 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
195 ssl->handshake->ecjpake_cache_len = kkpp_len;
199 kkpp_len = ssl->handshake->ecjpake_cache_len;
202 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
216 static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
231 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
232 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
237 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
239 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
244 ext_len = (size_t) ssl->own_cid_len + 1;
248 *p++ = (uint8_t) ssl->own_cid_len;
249 memcpy(p, ssl->own_cid, ssl->own_cid_len);
251 *olen = ssl->own_cid_len + 5;
259 static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
268 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
283 *p++ = ssl->conf->mfl_code;
293 static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
302 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) {
325 static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
334 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED) {
357 static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
363 size_t tlen = ssl->session_negotiate->ticket_len;
367 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
385 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
392 memcpy(p, ssl->session_negotiate->ticket, tlen);
402 static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
413 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
414 (ssl->conf->dtls_srtp_profile_list == NULL) ||
415 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
428 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
429 mki_len = ssl->dtls_srtp_info.mki_len;
432 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
435 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
451 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
456 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
460 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
463 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
466 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
480 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
489 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
494 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
495 ssl->dtls_srtp_info.mki_len);
512 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
522 (void) ssl;
533 if ((ret = ssl_write_renegotiation_ext(ssl, p, end, &ext_len)) != 0) {
544 if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
554 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p, end, &ext_len)) != 0) {
562 if ((ret = ssl_write_cid_ext(ssl, p, end, &ext_len)) != 0) {
570 if ((ret = ssl_write_max_fragment_length_ext(ssl, p, end,
579 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p, end, &ext_len)) != 0) {
587 if ((ret = ssl_write_extended_ms_ext(ssl, p, end, &ext_len)) != 0) {
595 if ((ret = ssl_write_use_srtp_ext(ssl, p, end, &ext_len)) != 0) {
603 if ((ret = ssl_write_session_ticket_ext(ssl, p, end, &ext_len)) != 0) {
616 static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
621 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
623 if (len != 1 + ssl->verify_data_len * 2 ||
624 buf[0] != ssl->verify_data_len * 2 ||
626 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
627 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
628 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
631 ssl,
643 ssl,
649 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
657 static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
665 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
667 buf[0] != ssl->conf->mfl_code) {
671 ssl,
683 static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
690 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
692 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
694 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
701 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
711 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
718 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
723 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
724 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
725 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
736 static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
740 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
745 ssl,
753 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
761 static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
765 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
770 ssl,
778 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
786 static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
790 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
795 ssl,
803 ssl->handshake->new_session_ticket = 1;
813 static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
822 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
834 ssl->handshake->ecdh_ctx.point_format = p[0];
838 mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
850 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
860 static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
866 if (ssl->handshake->ciphersuite_info->key_exchange !=
873 mbedtls_free(ssl->handshake->ecjpake_cache);
874 ssl->handshake->ecjpake_cache = NULL;
875 ssl->handshake->ecjpake_cache_len = 0;
879 &ssl->handshake->psa_pake_ctx, buf, len,
881 psa_destroy_key(ssl->handshake->psa_pake_password);
882 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
886 ssl,
894 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
898 ssl,
911 static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
918 if (ssl->conf->alpn_list == NULL) {
921 ssl,
939 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
946 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
953 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
959 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
962 ssl->alpn_chosen = *p;
968 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
976 static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
985 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
986 (ssl->conf->dtls_srtp_profile_list == NULL) ||
987 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
1002 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1003 mki_len = ssl->dtls_srtp_info.mki_len;
1037 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
1042 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1043 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
1044 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
1053 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1054 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1062 ssl->dtls_srtp_info.mki_len = 0;
1072 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1073 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1079 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1080 ssl->dtls_srtp_info.mki_len);
1092 static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
1095 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
1110 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1113 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1136 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1143 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1146 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1152 mbedtls_free(ssl->handshake->cookie);
1154 ssl->handshake->cookie = mbedtls_calloc(1, cookie_len);
1155 if (ssl->handshake->cookie == NULL) {
1160 memcpy(ssl->handshake->cookie, p, cookie_len);
1161 ssl->handshake->cookie_len = cookie_len;
1164 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1165 ret = mbedtls_ssl_reset_checksum(ssl);
1171 mbedtls_ssl_recv_flight_completed(ssl);
1180 static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
1195 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
1201 buf = ssl->in_msg;
1203 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
1205 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
1206 ssl->renego_records_seen++;
1208 if (ssl->conf->renego_max_records >= 0 &&
1209 ssl->renego_records_seen > ssl->conf->renego_max_records) {
1218 ssl->keep_current_message = 1;
1225 ssl,
1232 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1236 return ssl_parse_hello_verify_request(ssl);
1239 mbedtls_free(ssl->handshake->cookie);
1240 ssl->handshake->cookie = NULL;
1241 ssl->handshake->cookie_len = 0;
1246 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
1249 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1265 buf += mbedtls_ssl_hs_hdr_len(ssl);
1268 ssl->tls_version = (mbedtls_ssl_protocol_version) mbedtls_ssl_read_version(buf,
1269 ssl->conf->transport);
1270 ssl->session_negotiate->tls_version = ssl->tls_version;
1271 ssl->session_negotiate->endpoint = ssl->conf->endpoint;
1273 if (ssl->tls_version < ssl->conf->min_tls_version ||
1274 ssl->tls_version > ssl->conf->max_tls_version) {
1278 (unsigned) ssl->conf->min_tls_version,
1279 (unsigned) ssl->tls_version,
1280 (unsigned) ssl->conf->max_tls_version));
1282 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1294 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
1302 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1307 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
1311 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
1314 ssl,
1319 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
1323 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1340 ssl,
1349 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
1350 if (ssl->handshake->ciphersuite_info == NULL) {
1353 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1358 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
1366 if (ssl->handshake->resume == 0 || n == 0 ||
1368 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1370 ssl->session_negotiate->ciphersuite != i ||
1371 ssl->session_negotiate->id_len != n ||
1372 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
1373 ssl->state++;
1374 ssl->handshake->resume = 0;
1376 ssl->session_negotiate->start = mbedtls_time(NULL);
1378 ssl->session_negotiate->ciphersuite = i;
1379 ssl->session_negotiate->id_len = n;
1380 memcpy(ssl->session_negotiate->id, buf + 35, n);
1382 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
1386 ssl->handshake->resume ? "a" : "no"));
1397 if (ssl->conf->ciphersuite_list[i] == 0) {
1400 ssl,
1406 if (ssl->conf->ciphersuite_list[i++] ==
1407 ssl->session_negotiate->ciphersuite) {
1413 ssl->session_negotiate->ciphersuite);
1414 if (mbedtls_ssl_validate_ciphersuite(ssl, suite_info, ssl->tls_version,
1415 ssl->tls_version) != 0) {
1418 ssl,
1429 ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
1430 ssl->handshake->ecrs_enabled = 1;
1437 ssl,
1456 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1468 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
1480 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
1492 if ((ret = ssl_parse_cid_ext(ssl,
1505 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
1518 if ((ret = ssl_parse_extended_ms_ext(ssl,
1530 if ((ret = ssl_parse_session_ticket_ext(ssl,
1545 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
1559 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
1571 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
1582 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
1608 if (ssl->handshake->resume) {
1609 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
1612 ssl,
1622 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1623 ssl->conf->allow_legacy_renegotiation ==
1630 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1631 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
1636 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1637 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1638 ssl->conf->allow_legacy_renegotiation ==
1642 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
1643 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
1653 ssl,
1667 static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
1683 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
1689 dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
1690 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
1693 ssl->conf->dhm_min_bitlen));
1697 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
1698 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
1699 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
1711 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1717 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1746 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
1787 static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
1792 grp_id = ssl->handshake->ecdh_ctx.grp.id;
1794 grp_id = ssl->handshake->ecdh_ctx.grp_id;
1806 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
1810 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
1826 static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
1840 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
1851 if (ssl_check_server_ecdh_params(ssl) != 0) {
1865 static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
1871 ((void) ssl);
1910 static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
1916 unsigned char *p = ssl->handshake->premaster + pms_offset;
1931 mbedtls_ssl_write_version(p, ssl->conf->transport,
1934 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
1939 ssl->handshake->pmslen = 48;
1942 peer_pk = &ssl->handshake->peer_pubkey;
1944 if (ssl->session_negotiate->peer_cert == NULL) {
1949 peer_pk = &ssl->session_negotiate->peer_cert->pk;
1961 p, ssl->handshake->pmslen,
1962 ssl->out_msg + offset + len_bytes, olen,
1964 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
1970 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
1986 static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
1992 peer_pk = &ssl->handshake->peer_pubkey;
1994 if (ssl->session_negotiate->peer_cert == NULL) {
1999 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2018 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
2033 &ssl->handshake->xxdh_psa_bits);
2035 ssl->handshake->xxdh_psa_type = key_type;
2039 memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
2040 ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
2046 ssl->handshake->xxdh_psa_peerkey,
2047 sizeof(ssl->handshake->xxdh_psa_peerkey));
2053 ssl->handshake->xxdh_psa_peerkey_len = olen;
2056 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2062 if (ssl_check_server_ecdh_params(ssl) != 0) {
2080 static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
2084 ssl->handshake->ciphersuite_info;
2092 ssl->state++;
2103 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2106 ssl,
2113 ssl->state++;
2122 if (ssl->handshake->ecrs_enabled &&
2123 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
2128 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2133 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2136 ssl,
2146 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
2151 ssl->keep_current_message = 1;
2158 ssl,
2166 if (ssl->handshake->ecrs_enabled) {
2167 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
2172 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
2173 end = ssl->in_msg + ssl->in_hslen;
2181 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
2184 ssl,
2204 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
2207 ssl,
2221 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
2224 ssl,
2260 &ssl->handshake->psa_pake_ctx, p, end - p,
2262 psa_destroy_key(ssl->handshake->psa_pake_password);
2263 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2267 ssl,
2273 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
2278 ssl,
2298 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
2306 peer_pk = &ssl->handshake->peer_pubkey;
2308 if (ssl->session_negotiate->peer_cert == NULL) {
2313 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2323 !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
2324 !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
2328 ssl,
2339 ssl,
2352 ssl,
2363 ssl,
2375 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
2394 ssl,
2401 if (ssl->handshake->ecrs_enabled) {
2402 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
2432 ssl,
2455 ssl->state++;
2464 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
2467 ssl->handshake->ciphersuite_info;
2473 ssl->state++;
2482 static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
2489 ssl->handshake->ciphersuite_info;
2500 ssl->state++;
2504 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2509 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2512 ssl,
2518 ssl->state++;
2519 ssl->handshake->client_auth =
2520 (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
2523 ssl->handshake->client_auth ? "a" : "no"));
2525 if (ssl->handshake->client_auth == 0) {
2527 ssl->keep_current_message = 1;
2555 buf = ssl->in_msg;
2558 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
2560 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2564 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
2577 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
2579 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2585 sig_alg_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
2599 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 3 + n + sig_alg_len) {
2602 ssl,
2609 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
2620 dn_len = MBEDTLS_GET_UINT16_BE(buf, mbedtls_ssl_hs_hdr_len(ssl) + 1 + n);
2623 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
2625 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2631 dn = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n - dn_len;
2645 ssl,
2665 static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
2671 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2676 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2681 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
2682 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
2684 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2689 ssl->state++;
2692 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2693 mbedtls_ssl_recv_flight_completed(ssl);
2703 static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
2710 ssl->handshake->ciphersuite_info;
2719 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
2721 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
2724 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
2725 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
2726 &ssl->out_msg[header_len], content_len,
2727 ssl->conf->f_rng, ssl->conf->p_rng);
2733 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
2734 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
2736 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
2737 ssl->handshake->premaster,
2739 &ssl->handshake->pmslen,
2740 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2745 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
2761 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2794 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
2795 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2808 ssl->out_msg[header_len] = (unsigned char) own_pubkey_len;
2818 ssl->handshake->premaster,
2819 sizeof(ssl->handshake->premaster),
2820 &ssl->handshake->pmslen);
2835 if (ssl->handshake->ecrs_enabled) {
2836 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
2840 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
2844 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
2846 &ssl->out_msg[header_len], 1000,
2847 ssl->conf->f_rng, ssl->conf->p_rng);
2858 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2862 if (ssl->handshake->ecrs_enabled) {
2863 ssl->handshake->ecrs_n = content_len;
2864 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
2868 if (ssl->handshake->ecrs_enabled) {
2869 content_len = ssl->handshake->ecrs_n;
2872 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
2873 &ssl->handshake->pmslen,
2874 ssl->handshake->premaster,
2876 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2886 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2901 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2906 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
2918 if (header_len + content_len_size + ssl->conf->psk_identity_len
2925 unsigned char *p = ssl->out_msg + header_len;
2927 *p++ = MBEDTLS_BYTE_1(ssl->conf->psk_identity_len);
2928 *p++ = MBEDTLS_BYTE_0(ssl->conf->psk_identity_len);
2931 memcpy(p, ssl->conf->psk_identity,
2932 ssl->conf->psk_identity_len);
2933 p += ssl->conf->psk_identity_len;
2935 header_len += ssl->conf->psk_identity_len;
2967 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
2989 unsigned char *pms = ssl->handshake->premaster;
2991 sizeof(ssl->handshake->premaster);
3025 if (mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
3033 content_len = ssl->conf->psk_identity_len;
3041 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3042 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3044 memcpy(ssl->out_msg + header_len,
3045 ssl->conf->psk_identity,
3046 ssl->conf->psk_identity_len);
3047 header_len += ssl->conf->psk_identity_len;
3056 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3067 content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
3076 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3077 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3079 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3080 (int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
3081 &ssl->out_msg[header_len], content_len,
3082 ssl->conf->f_rng, ssl->conf->p_rng);
3089 unsigned char *pms = ssl->handshake->premaster;
3090 unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
3094 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3096 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3103 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3113 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3115 &ssl->out_msg[header_len],
3117 ssl->conf->f_rng, ssl->conf->p_rng);
3123 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3133 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3146 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3157 unsigned char *out_p = ssl->out_msg + header_len;
3158 unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
3160 ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
3164 psa_destroy_key(ssl->handshake->psa_pake_password);
3165 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
3170 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3171 ssl->out_msg + header_len,
3174 ssl->conf->f_rng, ssl->conf->p_rng);
3180 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3181 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3182 ssl->conf->f_rng, ssl->conf->p_rng);
3196 ssl->out_msglen = header_len + content_len;
3197 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3198 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3200 ssl->state++;
3202 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3214 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3217 ssl->handshake->ciphersuite_info;
3222 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3229 ssl->state++;
3238 static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3242 ssl->handshake->ciphersuite_info;
3250 size_t out_buf_len = ssl->out_buf_len - (size_t) (ssl->out_msg - ssl->out_buf);
3252 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN - (size_t) (ssl->out_msg - ssl->out_buf);
3258 if (ssl->handshake->ecrs_enabled &&
3259 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
3264 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3271 ssl->state++;
3275 if (ssl->handshake->client_auth == 0 ||
3276 mbedtls_ssl_own_cert(ssl) == NULL) {
3278 ssl->state++;
3282 if (mbedtls_ssl_own_key(ssl) == NULL) {
3291 if (ssl->handshake->ecrs_enabled) {
3292 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
3298 ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
3320 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
3322 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
3325 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
3327 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
3334 if (ssl->handshake->ecrs_enabled) {
3335 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3339 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
3341 ssl->out_msg + 6 + offset,
3344 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
3354 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
3356 ssl->out_msglen = 6 + n + offset;
3357 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3358 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
3360 ssl->state++;
3362 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3375 static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
3385 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3390 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3393 ssl,
3409 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
3410 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
3412 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3417 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3423 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
3425 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3433 ssl->handshake->new_session_ticket = 0;
3434 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
3444 if (ssl->session != NULL && ssl->session->ticket != NULL) {
3445 mbedtls_zeroize_and_free(ssl->session->ticket,
3446 ssl->session->ticket_len);
3447 ssl->session->ticket = NULL;
3448 ssl->session->ticket_len = 0;
3451 mbedtls_zeroize_and_free(ssl->session_negotiate->ticket,
3452 ssl->session_negotiate->ticket_len);
3453 ssl->session_negotiate->ticket = NULL;
3454 ssl->session_negotiate->ticket_len = 0;
3458 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3465 ssl->session_negotiate->ticket = ticket;
3466 ssl->session_negotiate->ticket_len = ticket_len;
3467 ssl->session_negotiate->ticket_lifetime = lifetime;
3475 ssl->session_negotiate->id_len = 0;
3486 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
3493 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
3494 ssl->handshake->new_session_ticket != 0) {
3495 ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
3499 switch (ssl->state) {
3501 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3508 ret = mbedtls_ssl_write_client_hello(ssl);
3519 ret = ssl_parse_server_hello(ssl);
3523 ret = mbedtls_ssl_parse_certificate(ssl);
3527 ret = ssl_parse_server_key_exchange(ssl);
3531 ret = ssl_parse_certificate_request(ssl);
3535 ret = ssl_parse_server_hello_done(ssl);
3546 ret = mbedtls_ssl_write_certificate(ssl);
3550 ret = ssl_write_client_key_exchange(ssl);
3554 ret = ssl_write_certificate_verify(ssl);
3558 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
3562 ret = mbedtls_ssl_write_finished(ssl);
3572 ret = ssl_parse_new_session_ticket(ssl);
3577 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
3581 ret = mbedtls_ssl_parse_finished(ssl);
3586 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
3590 mbedtls_ssl_handshake_wrapup(ssl);
3594 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));