Arcola
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Mark Radbourne
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * struct { 00084 * NameType name_type; 00085 * select (name_type) { 00086 * case host_name: HostName; 00087 * } name; 00088 * } ServerName; 00089 * 00090 * enum { 00091 * host_name(0), (255) 00092 * } NameType; 00093 * 00094 * opaque HostName<1..2^16-1>; 00095 * 00096 * struct { 00097 * ServerName server_name_list<1..2^16-1> 00098 * } ServerNameList; 00099 */ 00100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00101 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00102 00103 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00104 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00105 00106 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00107 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00108 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00110 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00111 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00112 00113 memcpy( p, ssl->hostname, hostname_len ); 00114 00115 *olen = hostname_len + 9; 00116 } 00117 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00118 00119 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00120 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00121 unsigned char *buf, 00122 size_t *olen ) 00123 { 00124 unsigned char *p = buf; 00125 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00126 00127 *olen = 0; 00128 00129 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00130 return; 00131 00132 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00133 00134 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00135 { 00136 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00137 return; 00138 } 00139 00140 /* 00141 * Secure renegotiation 00142 */ 00143 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00144 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00145 00146 *p++ = 0x00; 00147 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00148 *p++ = ssl->verify_data_len & 0xFF; 00149 00150 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00151 00152 *olen = 5 + ssl->verify_data_len; 00153 } 00154 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00155 00156 /* 00157 * Only if we handle at least one key exchange that needs signatures. 00158 */ 00159 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00160 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00161 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00162 unsigned char *buf, 00163 size_t *olen ) 00164 { 00165 unsigned char *p = buf; 00166 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00167 size_t sig_alg_len = 0; 00168 const int *md; 00169 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00170 unsigned char *sig_alg_list = buf + 6; 00171 #endif 00172 00173 *olen = 0; 00174 00175 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00176 return; 00177 00178 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00179 00180 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00181 { 00182 #if defined(MBEDTLS_ECDSA_C) 00183 sig_alg_len += 2; 00184 #endif 00185 #if defined(MBEDTLS_RSA_C) 00186 sig_alg_len += 2; 00187 #endif 00188 } 00189 00190 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00191 { 00192 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00193 return; 00194 } 00195 00196 /* 00197 * Prepare signature_algorithms extension (TLS 1.2) 00198 */ 00199 sig_alg_len = 0; 00200 00201 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00202 { 00203 #if defined(MBEDTLS_ECDSA_C) 00204 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00205 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00206 #endif 00207 #if defined(MBEDTLS_RSA_C) 00208 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00209 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00210 #endif 00211 } 00212 00213 /* 00214 * enum { 00215 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00216 * sha512(6), (255) 00217 * } HashAlgorithm; 00218 * 00219 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00220 * SignatureAlgorithm; 00221 * 00222 * struct { 00223 * HashAlgorithm hash; 00224 * SignatureAlgorithm signature; 00225 * } SignatureAndHashAlgorithm; 00226 * 00227 * SignatureAndHashAlgorithm 00228 * supported_signature_algorithms<2..2^16-2>; 00229 */ 00230 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00231 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00232 00233 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00234 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00235 00236 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00237 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00238 00239 *olen = 6 + sig_alg_len; 00240 } 00241 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00242 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00243 00244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00245 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00246 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00247 unsigned char *buf, 00248 size_t *olen ) 00249 { 00250 unsigned char *p = buf; 00251 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00252 unsigned char *elliptic_curve_list = p + 6; 00253 size_t elliptic_curve_len = 0; 00254 const mbedtls_ecp_curve_info *info; 00255 #if defined(MBEDTLS_ECP_C) 00256 const mbedtls_ecp_group_id *grp_id; 00257 #else 00258 ((void) ssl); 00259 #endif 00260 00261 *olen = 0; 00262 00263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00264 00265 #if defined(MBEDTLS_ECP_C) 00266 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00267 #else 00268 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00269 #endif 00270 { 00271 #if defined(MBEDTLS_ECP_C) 00272 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00273 #endif 00274 if( info == NULL ) 00275 { 00276 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00277 return; 00278 } 00279 00280 elliptic_curve_len += 2; 00281 } 00282 00283 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00284 { 00285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00286 return; 00287 } 00288 00289 elliptic_curve_len = 0; 00290 00291 #if defined(MBEDTLS_ECP_C) 00292 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00293 #else 00294 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00295 #endif 00296 { 00297 #if defined(MBEDTLS_ECP_C) 00298 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00299 #endif 00300 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00301 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00302 } 00303 00304 if( elliptic_curve_len == 0 ) 00305 return; 00306 00307 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00308 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00309 00310 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00311 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00312 00313 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00314 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00315 00316 *olen = 6 + elliptic_curve_len; 00317 } 00318 00319 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00320 unsigned char *buf, 00321 size_t *olen ) 00322 { 00323 unsigned char *p = buf; 00324 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00325 00326 *olen = 0; 00327 00328 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00329 00330 if( end < p || (size_t)( end - p ) < 6 ) 00331 { 00332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00333 return; 00334 } 00335 00336 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00337 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00338 00339 *p++ = 0x00; 00340 *p++ = 2; 00341 00342 *p++ = 1; 00343 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00344 00345 *olen = 6; 00346 } 00347 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00348 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00349 00350 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00351 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00352 unsigned char *buf, 00353 size_t *olen ) 00354 { 00355 int ret; 00356 unsigned char *p = buf; 00357 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00358 size_t kkpp_len; 00359 00360 *olen = 0; 00361 00362 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00363 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00364 return; 00365 00366 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00367 00368 if( end - p < 4 ) 00369 { 00370 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00371 return; 00372 } 00373 00374 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00375 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00376 00377 /* 00378 * We may need to send ClientHello multiple times for Hello verification. 00379 * We don't want to compute fresh values every time (both for performance 00380 * and consistency reasons), so cache the extension content. 00381 */ 00382 if( ssl->handshake->ecjpake_cache == NULL || 00383 ssl->handshake->ecjpake_cache_len == 0 ) 00384 { 00385 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00386 00387 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00388 p + 2, end - p - 2, &kkpp_len, 00389 ssl->conf->f_rng, ssl->conf->p_rng ); 00390 if( ret != 0 ) 00391 { 00392 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00393 return; 00394 } 00395 00396 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00397 if( ssl->handshake->ecjpake_cache == NULL ) 00398 { 00399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00400 return; 00401 } 00402 00403 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00404 ssl->handshake->ecjpake_cache_len = kkpp_len; 00405 } 00406 else 00407 { 00408 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00409 00410 kkpp_len = ssl->handshake->ecjpake_cache_len; 00411 00412 if( (size_t)( end - p - 2 ) < kkpp_len ) 00413 { 00414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00415 return; 00416 } 00417 00418 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00419 } 00420 00421 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00422 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00423 00424 *olen = kkpp_len + 4; 00425 } 00426 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00427 00428 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00429 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00430 unsigned char *buf, 00431 size_t *olen ) 00432 { 00433 unsigned char *p = buf; 00434 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00435 00436 *olen = 0; 00437 00438 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00439 return; 00440 } 00441 00442 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00443 00444 if( end < p || (size_t)( end - p ) < 5 ) 00445 { 00446 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00447 return; 00448 } 00449 00450 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00451 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00452 00453 *p++ = 0x00; 00454 *p++ = 1; 00455 00456 *p++ = ssl->conf->mfl_code; 00457 00458 *olen = 5; 00459 } 00460 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00461 00462 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00463 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00464 unsigned char *buf, size_t *olen ) 00465 { 00466 unsigned char *p = buf; 00467 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00468 00469 *olen = 0; 00470 00471 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00472 { 00473 return; 00474 } 00475 00476 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00477 00478 if( end < p || (size_t)( end - p ) < 4 ) 00479 { 00480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00481 return; 00482 } 00483 00484 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00485 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00486 00487 *p++ = 0x00; 00488 *p++ = 0x00; 00489 00490 *olen = 4; 00491 } 00492 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00493 00494 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00495 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00496 unsigned char *buf, size_t *olen ) 00497 { 00498 unsigned char *p = buf; 00499 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00500 00501 *olen = 0; 00502 00503 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00504 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00505 { 00506 return; 00507 } 00508 00509 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00510 "extension" ) ); 00511 00512 if( end < p || (size_t)( end - p ) < 4 ) 00513 { 00514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00515 return; 00516 } 00517 00518 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00519 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00520 00521 *p++ = 0x00; 00522 *p++ = 0x00; 00523 00524 *olen = 4; 00525 } 00526 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00527 00528 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00529 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00530 unsigned char *buf, size_t *olen ) 00531 { 00532 unsigned char *p = buf; 00533 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00534 00535 *olen = 0; 00536 00537 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00538 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00539 { 00540 return; 00541 } 00542 00543 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00544 "extension" ) ); 00545 00546 if( end < p || (size_t)( end - p ) < 4 ) 00547 { 00548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00549 return; 00550 } 00551 00552 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00553 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00554 00555 *p++ = 0x00; 00556 *p++ = 0x00; 00557 00558 *olen = 4; 00559 } 00560 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00561 00562 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00563 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00564 unsigned char *buf, size_t *olen ) 00565 { 00566 unsigned char *p = buf; 00567 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00568 size_t tlen = ssl->session_negotiate->ticket_len; 00569 00570 *olen = 0; 00571 00572 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00573 { 00574 return; 00575 } 00576 00577 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00578 00579 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00580 { 00581 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00582 return; 00583 } 00584 00585 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00586 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00587 00588 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00589 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00590 00591 *olen = 4; 00592 00593 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00594 { 00595 return; 00596 } 00597 00598 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00599 00600 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00601 00602 *olen += tlen; 00603 } 00604 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00605 00606 #if defined(MBEDTLS_SSL_ALPN) 00607 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00608 unsigned char *buf, size_t *olen ) 00609 { 00610 unsigned char *p = buf; 00611 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00612 size_t alpnlen = 0; 00613 const char **cur; 00614 00615 *olen = 0; 00616 00617 if( ssl->conf->alpn_list == NULL ) 00618 { 00619 return; 00620 } 00621 00622 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00623 00624 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00625 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00626 00627 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00628 { 00629 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00630 return; 00631 } 00632 00633 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00634 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00635 00636 /* 00637 * opaque ProtocolName<1..2^8-1>; 00638 * 00639 * struct { 00640 * ProtocolName protocol_name_list<2..2^16-1> 00641 * } ProtocolNameList; 00642 */ 00643 00644 /* Skip writing extension and list length for now */ 00645 p += 4; 00646 00647 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00648 { 00649 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00650 memcpy( p + 1, *cur, *p ); 00651 p += 1 + *p; 00652 } 00653 00654 *olen = p - buf; 00655 00656 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00657 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00658 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00659 00660 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00661 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00662 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00663 } 00664 #endif /* MBEDTLS_SSL_ALPN */ 00665 00666 /* 00667 * Generate random bytes for ClientHello 00668 */ 00669 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00670 { 00671 int ret; 00672 unsigned char *p = ssl->handshake->randbytes; 00673 #if defined(MBEDTLS_HAVE_TIME) 00674 mbedtls_time_t t; 00675 #endif 00676 00677 /* 00678 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00679 */ 00680 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00681 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00682 ssl->handshake->verify_cookie != NULL ) 00683 { 00684 return( 0 ); 00685 } 00686 #endif 00687 00688 #if defined(MBEDTLS_HAVE_TIME) 00689 t = mbedtls_time( NULL ); 00690 *p++ = (unsigned char)( t >> 24 ); 00691 *p++ = (unsigned char)( t >> 16 ); 00692 *p++ = (unsigned char)( t >> 8 ); 00693 *p++ = (unsigned char)( t ); 00694 00695 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00696 #else 00697 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00698 return( ret ); 00699 00700 p += 4; 00701 #endif /* MBEDTLS_HAVE_TIME */ 00702 00703 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00704 return( ret ); 00705 00706 return( 0 ); 00707 } 00708 00709 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00710 { 00711 int ret; 00712 size_t i, n, olen, ext_len = 0; 00713 unsigned char *buf; 00714 unsigned char *p, *q; 00715 unsigned char offer_compress; 00716 const int *ciphersuites; 00717 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00718 00719 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00720 00721 if( ssl->conf->f_rng == NULL ) 00722 { 00723 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00724 return( MBEDTLS_ERR_SSL_NO_RNG ); 00725 } 00726 00727 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00728 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00729 #endif 00730 { 00731 ssl->major_ver = ssl->conf->min_major_ver; 00732 ssl->minor_ver = ssl->conf->min_minor_ver; 00733 } 00734 00735 if( ssl->conf->max_major_ver == 0 ) 00736 { 00737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00738 "consider using mbedtls_ssl_config_defaults()" ) ); 00739 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00740 } 00741 00742 /* 00743 * 0 . 0 handshake type 00744 * 1 . 3 handshake length 00745 * 4 . 5 highest version supported 00746 * 6 . 9 current UNIX time 00747 * 10 . 37 random bytes 00748 */ 00749 buf = ssl->out_msg; 00750 p = buf + 4; 00751 00752 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00753 ssl->conf->transport, p ); 00754 p += 2; 00755 00756 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00757 buf[4], buf[5] ) ); 00758 00759 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00760 { 00761 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00762 return( ret ); 00763 } 00764 00765 memcpy( p, ssl->handshake->randbytes, 32 ); 00766 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00767 p += 32; 00768 00769 /* 00770 * 38 . 38 session id length 00771 * 39 . 39+n session id 00772 * 39+n . 39+n DTLS only: cookie length (1 byte) 00773 * 40+n . .. DTSL only: cookie 00774 * .. . .. ciphersuitelist length (2 bytes) 00775 * .. . .. ciphersuitelist 00776 * .. . .. compression methods length (1 byte) 00777 * .. . .. compression methods 00778 * .. . .. extensions length (2 bytes) 00779 * .. . .. extensions 00780 */ 00781 n = ssl->session_negotiate->id_len; 00782 00783 if( n < 16 || n > 32 || 00784 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00785 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00786 #endif 00787 ssl->handshake->resume == 0 ) 00788 { 00789 n = 0; 00790 } 00791 00792 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00793 /* 00794 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00795 * generate and include a Session ID in the TLS ClientHello." 00796 */ 00797 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00798 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00799 #endif 00800 { 00801 if( ssl->session_negotiate->ticket != NULL && 00802 ssl->session_negotiate->ticket_len != 0 ) 00803 { 00804 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00805 00806 if( ret != 0 ) 00807 return( ret ); 00808 00809 ssl->session_negotiate->id_len = n = 32; 00810 } 00811 } 00812 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00813 00814 *p++ = (unsigned char) n; 00815 00816 for( i = 0; i < n; i++ ) 00817 *p++ = ssl->session_negotiate->id[i]; 00818 00819 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00820 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00821 00822 /* 00823 * DTLS cookie 00824 */ 00825 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00826 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00827 { 00828 if( ssl->handshake->verify_cookie == NULL ) 00829 { 00830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00831 *p++ = 0; 00832 } 00833 else 00834 { 00835 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00836 ssl->handshake->verify_cookie, 00837 ssl->handshake->verify_cookie_len ); 00838 00839 *p++ = ssl->handshake->verify_cookie_len; 00840 memcpy( p, ssl->handshake->verify_cookie, 00841 ssl->handshake->verify_cookie_len ); 00842 p += ssl->handshake->verify_cookie_len; 00843 } 00844 } 00845 #endif 00846 00847 /* 00848 * Ciphersuite list 00849 */ 00850 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00851 00852 /* Skip writing ciphersuite length for now */ 00853 n = 0; 00854 q = p; 00855 p += 2; 00856 00857 for( i = 0; ciphersuites[i] != 0; i++ ) 00858 { 00859 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00860 00861 if( ciphersuite_info == NULL ) 00862 continue; 00863 00864 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00865 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00866 continue; 00867 00868 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00869 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00870 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00871 continue; 00872 #endif 00873 00874 #if defined(MBEDTLS_ARC4_C) 00875 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00876 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00877 continue; 00878 #endif 00879 00880 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00881 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00882 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00883 continue; 00884 #endif 00885 00886 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00887 ciphersuites[i] ) ); 00888 00889 n++; 00890 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00891 *p++ = (unsigned char)( ciphersuites[i] ); 00892 } 00893 00894 /* 00895 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00896 */ 00897 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00898 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00899 #endif 00900 { 00901 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00902 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00903 n++; 00904 } 00905 00906 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00907 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00908 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00909 { 00910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00911 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00912 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00913 n++; 00914 } 00915 #endif 00916 00917 *q++ = (unsigned char)( n >> 7 ); 00918 *q++ = (unsigned char)( n << 1 ); 00919 00920 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00921 00922 #if defined(MBEDTLS_ZLIB_SUPPORT) 00923 offer_compress = 1; 00924 #else 00925 offer_compress = 0; 00926 #endif 00927 00928 /* 00929 * We don't support compression with DTLS right now: is many records come 00930 * in the same datagram, uncompressing one could overwrite the next one. 00931 * We don't want to add complexity for handling that case unless there is 00932 * an actual need for it. 00933 */ 00934 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00935 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00936 offer_compress = 0; 00937 #endif 00938 00939 if( offer_compress ) 00940 { 00941 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00942 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00943 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00944 00945 *p++ = 2; 00946 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00947 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00948 } 00949 else 00950 { 00951 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00952 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00953 MBEDTLS_SSL_COMPRESS_NULL ) ); 00954 00955 *p++ = 1; 00956 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00957 } 00958 00959 // First write extensions, then the total length 00960 // 00961 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00962 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00963 ext_len += olen; 00964 #endif 00965 00966 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00967 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00968 ext_len += olen; 00969 #endif 00970 00971 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00972 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00973 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00974 ext_len += olen; 00975 #endif 00976 00977 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00978 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00979 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00980 ext_len += olen; 00981 00982 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00983 ext_len += olen; 00984 #endif 00985 00986 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00987 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 00988 ext_len += olen; 00989 #endif 00990 00991 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00992 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 00993 ext_len += olen; 00994 #endif 00995 00996 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00997 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 00998 ext_len += olen; 00999 #endif 01000 01001 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01002 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01003 ext_len += olen; 01004 #endif 01005 01006 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01007 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01008 ext_len += olen; 01009 #endif 01010 01011 #if defined(MBEDTLS_SSL_ALPN) 01012 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01013 ext_len += olen; 01014 #endif 01015 01016 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01017 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01018 ext_len += olen; 01019 #endif 01020 01021 /* olen unused if all extensions are disabled */ 01022 ((void) olen); 01023 01024 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01025 ext_len ) ); 01026 01027 if( ext_len > 0 ) 01028 { 01029 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01030 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01031 p += ext_len; 01032 } 01033 01034 ssl->out_msglen = p - buf; 01035 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01036 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01037 01038 ssl->state++; 01039 01040 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01041 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01042 mbedtls_ssl_send_flight_completed( ssl ); 01043 #endif 01044 01045 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01046 { 01047 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01048 return( ret ); 01049 } 01050 01051 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01052 01053 return( 0 ); 01054 } 01055 01056 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01057 const unsigned char *buf, 01058 size_t len ) 01059 { 01060 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01061 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01062 { 01063 /* Check verify-data in constant-time. The length OTOH is no secret */ 01064 if( len != 1 + ssl->verify_data_len * 2 || 01065 buf[0] != ssl->verify_data_len * 2 || 01066 mbedtls_ssl_safer_memcmp( buf + 1, 01067 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01068 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01069 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01070 { 01071 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01072 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01073 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01074 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01075 } 01076 } 01077 else 01078 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01079 { 01080 if( len != 1 || buf[0] != 0x00 ) 01081 { 01082 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01083 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01084 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01085 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01086 } 01087 01088 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01089 } 01090 01091 return( 0 ); 01092 } 01093 01094 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01095 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01096 const unsigned char *buf, 01097 size_t len ) 01098 { 01099 /* 01100 * server should use the extension only if we did, 01101 * and if so the server's value should match ours (and len is always 1) 01102 */ 01103 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01104 len != 1 || 01105 buf[0] != ssl->conf->mfl_code ) 01106 { 01107 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 01108 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01109 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01110 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01111 } 01112 01113 return( 0 ); 01114 } 01115 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01116 01117 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01118 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01119 const unsigned char *buf, 01120 size_t len ) 01121 { 01122 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01123 len != 0 ) 01124 { 01125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 01126 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01127 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01128 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01129 } 01130 01131 ((void) buf); 01132 01133 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01134 01135 return( 0 ); 01136 } 01137 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01138 01139 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01140 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01141 const unsigned char *buf, 01142 size_t len ) 01143 { 01144 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01145 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01146 len != 0 ) 01147 { 01148 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 01149 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01150 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01151 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01152 } 01153 01154 ((void) buf); 01155 01156 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01157 01158 return( 0 ); 01159 } 01160 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01161 01162 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01163 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01164 const unsigned char *buf, 01165 size_t len ) 01166 { 01167 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01168 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01169 len != 0 ) 01170 { 01171 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 01172 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01173 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01174 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01175 } 01176 01177 ((void) buf); 01178 01179 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01180 01181 return( 0 ); 01182 } 01183 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01184 01185 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01186 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01187 const unsigned char *buf, 01188 size_t len ) 01189 { 01190 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01191 len != 0 ) 01192 { 01193 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 01194 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01195 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01196 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01197 } 01198 01199 ((void) buf); 01200 01201 ssl->handshake->new_session_ticket = 1; 01202 01203 return( 0 ); 01204 } 01205 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01206 01207 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01208 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01209 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01210 const unsigned char *buf, 01211 size_t len ) 01212 { 01213 size_t list_size; 01214 const unsigned char *p; 01215 01216 list_size = buf[0]; 01217 if( list_size + 1 != len ) 01218 { 01219 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01220 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01221 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01222 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01223 } 01224 01225 p = buf + 1; 01226 while( list_size > 0 ) 01227 { 01228 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01229 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01230 { 01231 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01232 ssl->handshake->ecdh_ctx.point_format = p[0]; 01233 #endif 01234 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01235 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01236 #endif 01237 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01238 return( 0 ); 01239 } 01240 01241 list_size--; 01242 p++; 01243 } 01244 01245 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01246 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01247 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01248 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01249 } 01250 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01251 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01252 01253 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01254 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01255 const unsigned char *buf, 01256 size_t len ) 01257 { 01258 int ret; 01259 01260 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01261 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01262 { 01263 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01264 return( 0 ); 01265 } 01266 01267 /* If we got here, we no longer need our cached extension */ 01268 mbedtls_free( ssl->handshake->ecjpake_cache ); 01269 ssl->handshake->ecjpake_cache = NULL; 01270 ssl->handshake->ecjpake_cache_len = 0; 01271 01272 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01273 buf, len ) ) != 0 ) 01274 { 01275 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01276 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01277 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01278 return( ret ); 01279 } 01280 01281 return( 0 ); 01282 } 01283 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01284 01285 #if defined(MBEDTLS_SSL_ALPN) 01286 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01287 const unsigned char *buf, size_t len ) 01288 { 01289 size_t list_len, name_len; 01290 const char **p; 01291 01292 /* If we didn't send it, the server shouldn't send it */ 01293 if( ssl->conf->alpn_list == NULL ) 01294 { 01295 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 01296 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01297 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01298 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01299 } 01300 01301 /* 01302 * opaque ProtocolName<1..2^8-1>; 01303 * 01304 * struct { 01305 * ProtocolName protocol_name_list<2..2^16-1> 01306 * } ProtocolNameList; 01307 * 01308 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01309 */ 01310 01311 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01312 if( len < 4 ) 01313 { 01314 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01315 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01316 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01317 } 01318 01319 list_len = ( buf[0] << 8 ) | buf[1]; 01320 if( list_len != len - 2 ) 01321 { 01322 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01323 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01324 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01325 } 01326 01327 name_len = buf[2]; 01328 if( name_len != list_len - 1 ) 01329 { 01330 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01331 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01332 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01333 } 01334 01335 /* Check that the server chosen protocol was in our list and save it */ 01336 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01337 { 01338 if( name_len == strlen( *p ) && 01339 memcmp( buf + 3, *p, name_len ) == 0 ) 01340 { 01341 ssl->alpn_chosen = *p; 01342 return( 0 ); 01343 } 01344 } 01345 01346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 01347 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01348 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01349 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01350 } 01351 #endif /* MBEDTLS_SSL_ALPN */ 01352 01353 /* 01354 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01355 */ 01356 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01357 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01358 { 01359 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01360 int major_ver, minor_ver; 01361 unsigned char cookie_len; 01362 01363 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01364 01365 /* 01366 * struct { 01367 * ProtocolVersion server_version; 01368 * opaque cookie<0..2^8-1>; 01369 * } HelloVerifyRequest; 01370 */ 01371 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01372 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01373 p += 2; 01374 01375 /* 01376 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01377 * even is lower than our min version. 01378 */ 01379 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01380 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01381 major_ver > ssl->conf->max_major_ver || 01382 minor_ver > ssl->conf->max_minor_ver ) 01383 { 01384 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01385 01386 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01387 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01388 01389 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01390 } 01391 01392 cookie_len = *p++; 01393 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01394 01395 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01396 { 01397 MBEDTLS_SSL_DEBUG_MSG( 1, 01398 ( "cookie length does not match incoming message size" ) ); 01399 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01400 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01401 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01402 } 01403 01404 mbedtls_free( ssl->handshake->verify_cookie ); 01405 01406 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01407 if( ssl->handshake->verify_cookie == NULL ) 01408 { 01409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01410 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01411 } 01412 01413 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01414 ssl->handshake->verify_cookie_len = cookie_len; 01415 01416 /* Start over at ClientHello */ 01417 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01418 mbedtls_ssl_reset_checksum( ssl ); 01419 01420 mbedtls_ssl_recv_flight_completed( ssl ); 01421 01422 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01423 01424 return( 0 ); 01425 } 01426 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01427 01428 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01429 { 01430 int ret, i; 01431 size_t n; 01432 size_t ext_len; 01433 unsigned char *buf, *ext; 01434 unsigned char comp; 01435 #if defined(MBEDTLS_ZLIB_SUPPORT) 01436 int accept_comp; 01437 #endif 01438 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01439 int renegotiation_info_seen = 0; 01440 #endif 01441 int handshake_failure = 0; 01442 const mbedtls_ssl_ciphersuite_t *suite_info; 01443 #if defined(MBEDTLS_DEBUG_C) 01444 uint32_t t; 01445 #endif 01446 01447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01448 01449 buf = ssl->in_msg; 01450 01451 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01452 { 01453 /* No alert on a read error. */ 01454 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01455 return( ret ); 01456 } 01457 01458 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01459 { 01460 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01461 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01462 { 01463 ssl->renego_records_seen++; 01464 01465 if( ssl->conf->renego_max_records >= 0 && 01466 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01467 { 01468 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01469 "but not honored by server" ) ); 01470 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01471 } 01472 01473 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01474 01475 ssl->keep_current_message = 1; 01476 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01477 } 01478 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01479 01480 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01481 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01482 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 01483 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01484 } 01485 01486 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01487 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01488 { 01489 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01490 { 01491 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01493 return( ssl_parse_hello_verify_request( ssl ) ); 01494 } 01495 else 01496 { 01497 /* We made it through the verification process */ 01498 mbedtls_free( ssl->handshake->verify_cookie ); 01499 ssl->handshake->verify_cookie = NULL; 01500 ssl->handshake->verify_cookie_len = 0; 01501 } 01502 } 01503 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01504 01505 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01506 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01507 { 01508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01509 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01510 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01511 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01512 } 01513 01514 /* 01515 * 0 . 1 server_version 01516 * 2 . 33 random (maybe including 4 bytes of Unix time) 01517 * 34 . 34 session_id length = n 01518 * 35 . 34+n session_id 01519 * 35+n . 36+n cipher_suite 01520 * 37+n . 37+n compression_method 01521 * 01522 * 38+n . 39+n extensions length (optional) 01523 * 40+n . .. extensions 01524 */ 01525 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01526 01527 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01528 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01529 ssl->conf->transport, buf + 0 ); 01530 01531 if( ssl->major_ver < ssl->conf->min_major_ver || 01532 ssl->minor_ver < ssl->conf->min_minor_ver || 01533 ssl->major_ver > ssl->conf->max_major_ver || 01534 ssl->minor_ver > ssl->conf->max_minor_ver ) 01535 { 01536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01537 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01538 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01539 ssl->major_ver, ssl->minor_ver, 01540 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01541 01542 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01543 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01544 01545 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01546 } 01547 01548 #if defined(MBEDTLS_DEBUG_C) 01549 t = ( (uint32_t) buf[2] << 24 ) 01550 | ( (uint32_t) buf[3] << 16 ) 01551 | ( (uint32_t) buf[4] << 8 ) 01552 | ( (uint32_t) buf[5] ); 01553 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 01554 #endif 01555 01556 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01557 01558 n = buf[34]; 01559 01560 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01561 01562 if( n > 32 ) 01563 { 01564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01565 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01566 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01567 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01568 } 01569 01570 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01571 { 01572 ext_len = ( ( buf[38 + n] << 8 ) 01573 | ( buf[39 + n] ) ); 01574 01575 if( ( ext_len > 0 && ext_len < 4 ) || 01576 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01577 { 01578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01579 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01580 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01581 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01582 } 01583 } 01584 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01585 { 01586 ext_len = 0; 01587 } 01588 else 01589 { 01590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01591 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01592 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01593 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01594 } 01595 01596 /* ciphersuite (used later) */ 01597 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01598 01599 /* 01600 * Read and check compression 01601 */ 01602 comp = buf[37 + n]; 01603 01604 #if defined(MBEDTLS_ZLIB_SUPPORT) 01605 /* See comments in ssl_write_client_hello() */ 01606 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01607 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01608 accept_comp = 0; 01609 else 01610 #endif 01611 accept_comp = 1; 01612 01613 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01614 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01615 #else /* MBEDTLS_ZLIB_SUPPORT */ 01616 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01617 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01618 { 01619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01620 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01621 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01622 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01623 } 01624 01625 /* 01626 * Initialize update checksum functions 01627 */ 01628 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01629 01630 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01631 { 01632 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01633 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01634 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01635 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01636 } 01637 01638 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01639 01640 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01641 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01642 01643 /* 01644 * Check if the session can be resumed 01645 */ 01646 if( ssl->handshake->resume == 0 || n == 0 || 01647 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01648 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01649 #endif 01650 ssl->session_negotiate->ciphersuite != i || 01651 ssl->session_negotiate->compression != comp || 01652 ssl->session_negotiate->id_len != n || 01653 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01654 { 01655 ssl->state++; 01656 ssl->handshake->resume = 0; 01657 #if defined(MBEDTLS_HAVE_TIME) 01658 ssl->session_negotiate->start = mbedtls_time( NULL ); 01659 #endif 01660 ssl->session_negotiate->ciphersuite = i; 01661 ssl->session_negotiate->compression = comp; 01662 ssl->session_negotiate->id_len = n; 01663 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01664 } 01665 else 01666 { 01667 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01668 01669 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01670 { 01671 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01672 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01673 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01674 return( ret ); 01675 } 01676 } 01677 01678 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01679 ssl->handshake->resume ? "a" : "no" ) ); 01680 01681 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01682 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01683 01684 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01685 if( suite_info == NULL 01686 #if defined(MBEDTLS_ARC4_C) 01687 || ( ssl->conf->arc4_disabled && 01688 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01689 #endif 01690 ) 01691 { 01692 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01693 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01694 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01695 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01696 } 01697 01698 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01699 01700 i = 0; 01701 while( 1 ) 01702 { 01703 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01704 { 01705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01706 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01707 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01708 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01709 } 01710 01711 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01712 ssl->session_negotiate->ciphersuite ) 01713 { 01714 break; 01715 } 01716 } 01717 01718 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01719 #if defined(MBEDTLS_ZLIB_SUPPORT) 01720 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01721 #endif 01722 ) 01723 { 01724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01725 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01726 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01727 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01728 } 01729 ssl->session_negotiate->compression = comp; 01730 01731 ext = buf + 40 + n; 01732 01733 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01734 01735 while( ext_len ) 01736 { 01737 unsigned int ext_id = ( ( ext[0] << 8 ) 01738 | ( ext[1] ) ); 01739 unsigned int ext_size = ( ( ext[2] << 8 ) 01740 | ( ext[3] ) ); 01741 01742 if( ext_size + 4 > ext_len ) 01743 { 01744 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01745 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01746 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01747 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01748 } 01749 01750 switch( ext_id ) 01751 { 01752 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01753 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01754 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01755 renegotiation_info_seen = 1; 01756 #endif 01757 01758 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01759 ext_size ) ) != 0 ) 01760 return( ret ); 01761 01762 break; 01763 01764 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01765 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01766 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01767 01768 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01769 ext + 4, ext_size ) ) != 0 ) 01770 { 01771 return( ret ); 01772 } 01773 01774 break; 01775 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01776 01777 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01778 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01779 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01780 01781 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01782 ext + 4, ext_size ) ) != 0 ) 01783 { 01784 return( ret ); 01785 } 01786 01787 break; 01788 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01789 01790 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01791 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01792 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01793 01794 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01795 ext + 4, ext_size ) ) != 0 ) 01796 { 01797 return( ret ); 01798 } 01799 01800 break; 01801 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01802 01803 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01804 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01805 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01806 01807 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01808 ext + 4, ext_size ) ) != 0 ) 01809 { 01810 return( ret ); 01811 } 01812 01813 break; 01814 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01815 01816 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01817 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01818 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01819 01820 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01821 ext + 4, ext_size ) ) != 0 ) 01822 { 01823 return( ret ); 01824 } 01825 01826 break; 01827 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01828 01829 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01830 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01831 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01832 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01833 01834 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01835 ext + 4, ext_size ) ) != 0 ) 01836 { 01837 return( ret ); 01838 } 01839 01840 break; 01841 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01842 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01843 01844 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01845 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01846 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01847 01848 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01849 ext + 4, ext_size ) ) != 0 ) 01850 { 01851 return( ret ); 01852 } 01853 01854 break; 01855 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01856 01857 #if defined(MBEDTLS_SSL_ALPN) 01858 case MBEDTLS_TLS_EXT_ALPN: 01859 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01860 01861 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01862 return( ret ); 01863 01864 break; 01865 #endif /* MBEDTLS_SSL_ALPN */ 01866 01867 default: 01868 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01869 ext_id ) ); 01870 } 01871 01872 ext_len -= 4 + ext_size; 01873 ext += 4 + ext_size; 01874 01875 if( ext_len > 0 && ext_len < 4 ) 01876 { 01877 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01878 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01879 } 01880 } 01881 01882 /* 01883 * Renegotiation security checks 01884 */ 01885 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01886 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01887 { 01888 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01889 handshake_failure = 1; 01890 } 01891 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01892 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01893 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01894 renegotiation_info_seen == 0 ) 01895 { 01896 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01897 handshake_failure = 1; 01898 } 01899 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01900 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01901 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01902 { 01903 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01904 handshake_failure = 1; 01905 } 01906 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01907 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01908 renegotiation_info_seen == 1 ) 01909 { 01910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01911 handshake_failure = 1; 01912 } 01913 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01914 01915 if( handshake_failure == 1 ) 01916 { 01917 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01918 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01919 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01920 } 01921 01922 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01923 01924 return( 0 ); 01925 } 01926 01927 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01928 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01929 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01930 unsigned char *end ) 01931 { 01932 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01933 01934 /* 01935 * Ephemeral DH parameters: 01936 * 01937 * struct { 01938 * opaque dh_p<1..2^16-1>; 01939 * opaque dh_g<1..2^16-1>; 01940 * opaque dh_Ys<1..2^16-1>; 01941 * } ServerDHParams; 01942 */ 01943 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01944 { 01945 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01946 return( ret ); 01947 } 01948 01949 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01950 { 01951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01952 ssl->handshake->dhm_ctx.len * 8, 01953 ssl->conf->dhm_min_bitlen ) ); 01954 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01955 } 01956 01957 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01958 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01959 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01960 01961 return( ret ); 01962 } 01963 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01964 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01965 01966 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01967 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01968 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01969 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01970 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01971 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01972 { 01973 const mbedtls_ecp_curve_info *curve_info; 01974 01975 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01976 if( curve_info == NULL ) 01977 { 01978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01979 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01980 } 01981 01982 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01983 01984 #if defined(MBEDTLS_ECP_C) 01985 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01986 #else 01987 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01988 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01989 #endif 01990 return( -1 ); 01991 01992 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 01993 01994 return( 0 ); 01995 } 01996 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 01997 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 01998 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 01999 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02000 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02001 02002 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02003 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02004 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02005 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 02006 unsigned char **p, 02007 unsigned char *end ) 02008 { 02009 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02010 02011 /* 02012 * Ephemeral ECDH parameters: 02013 * 02014 * struct { 02015 * ECParameters curve_params; 02016 * ECPoint public; 02017 * } ServerECDHParams; 02018 */ 02019 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 02020 (const unsigned char **) p, end ) ) != 0 ) 02021 { 02022 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 02023 return( ret ); 02024 } 02025 02026 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02027 { 02028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 02029 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02030 } 02031 02032 return( ret ); 02033 } 02034 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02035 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02036 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02037 02038 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02039 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 02040 unsigned char **p, 02041 unsigned char *end ) 02042 { 02043 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02044 size_t len; 02045 ((void) ssl); 02046 02047 /* 02048 * PSK parameters: 02049 * 02050 * opaque psk_identity_hint<0..2^16-1>; 02051 */ 02052 len = (*p)[0] << 8 | (*p)[1]; 02053 *p += 2; 02054 02055 if( (*p) + len > end ) 02056 { 02057 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02058 "(psk_identity_hint length)" ) ); 02059 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02060 } 02061 02062 /* 02063 * Note: we currently ignore the PKS identity hint, as we only allow one 02064 * PSK to be provisionned on the client. This could be changed later if 02065 * someone needs that feature. 02066 */ 02067 *p += len; 02068 ret = 0; 02069 02070 return( ret ); 02071 } 02072 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02073 02074 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02075 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02076 /* 02077 * Generate a pre-master secret and encrypt it with the server's RSA key 02078 */ 02079 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02080 size_t offset, size_t *olen, 02081 size_t pms_offset ) 02082 { 02083 int ret; 02084 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02085 unsigned char *p = ssl->handshake->premaster + pms_offset; 02086 02087 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02088 { 02089 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02090 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02091 } 02092 02093 /* 02094 * Generate (part of) the pre-master as 02095 * struct { 02096 * ProtocolVersion client_version; 02097 * opaque random[46]; 02098 * } PreMasterSecret; 02099 */ 02100 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02101 ssl->conf->transport, p ); 02102 02103 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02104 { 02105 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02106 return( ret ); 02107 } 02108 02109 ssl->handshake->pmslen = 48; 02110 02111 if( ssl->session_negotiate->peer_cert == NULL ) 02112 { 02113 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02114 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02115 } 02116 02117 /* 02118 * Now write it out, encrypted 02119 */ 02120 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02121 MBEDTLS_PK_RSA ) ) 02122 { 02123 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02124 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02125 } 02126 02127 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02128 p, ssl->handshake->pmslen, 02129 ssl->out_msg + offset + len_bytes, olen, 02130 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02131 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02132 { 02133 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02134 return( ret ); 02135 } 02136 02137 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02138 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02139 if( len_bytes == 2 ) 02140 { 02141 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02142 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02143 *olen += 2; 02144 } 02145 #endif 02146 02147 return( 0 ); 02148 } 02149 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02150 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02151 02152 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02153 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02154 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02155 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02156 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02157 unsigned char **p, 02158 unsigned char *end, 02159 mbedtls_md_type_t *md_alg, 02160 mbedtls_pk_type_t *pk_alg ) 02161 { 02162 ((void) ssl); 02163 *md_alg = MBEDTLS_MD_NONE; 02164 *pk_alg = MBEDTLS_PK_NONE; 02165 02166 /* Only in TLS 1.2 */ 02167 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02168 { 02169 return( 0 ); 02170 } 02171 02172 if( (*p) + 2 > end ) 02173 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02174 02175 /* 02176 * Get hash algorithm 02177 */ 02178 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02179 { 02180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02181 "HashAlgorithm %d", *(p)[0] ) ); 02182 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02183 } 02184 02185 /* 02186 * Get signature algorithm 02187 */ 02188 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02189 { 02190 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02191 "SignatureAlgorithm %d", (*p)[1] ) ); 02192 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02193 } 02194 02195 /* 02196 * Check if the hash is acceptable 02197 */ 02198 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02199 { 02200 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 02201 *(p)[0] ) ); 02202 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02203 } 02204 02205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02206 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02207 *p += 2; 02208 02209 return( 0 ); 02210 } 02211 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02212 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02213 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02214 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02215 02216 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02217 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02218 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02219 { 02220 int ret; 02221 const mbedtls_ecp_keypair *peer_key; 02222 02223 if( ssl->session_negotiate->peer_cert == NULL ) 02224 { 02225 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02226 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02227 } 02228 02229 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02230 MBEDTLS_PK_ECKEY ) ) 02231 { 02232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02233 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02234 } 02235 02236 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02237 02238 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02239 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02240 { 02241 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02242 return( ret ); 02243 } 02244 02245 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02246 { 02247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02248 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02249 } 02250 02251 return( ret ); 02252 } 02253 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02254 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02255 02256 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02257 { 02258 int ret; 02259 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02260 ssl->transform_negotiate->ciphersuite_info; 02261 unsigned char *p, *end; 02262 02263 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02264 02265 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02266 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02267 { 02268 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02269 ssl->state++; 02270 return( 0 ); 02271 } 02272 ((void) p); 02273 ((void) end); 02274 #endif 02275 02276 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02277 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02278 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02279 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02280 { 02281 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02282 { 02283 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02284 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02285 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02286 return( ret ); 02287 } 02288 02289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02290 ssl->state++; 02291 return( 0 ); 02292 } 02293 ((void) p); 02294 ((void) end); 02295 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02296 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02297 02298 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02299 { 02300 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02301 return( ret ); 02302 } 02303 02304 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02305 { 02306 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02307 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02308 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02309 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02310 } 02311 02312 /* 02313 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02314 * doesn't use a psk_identity_hint 02315 */ 02316 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02317 { 02318 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02319 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02320 { 02321 /* Current message is probably either 02322 * CertificateRequest or ServerHelloDone */ 02323 ssl->keep_current_message = 1; 02324 goto exit; 02325 } 02326 02327 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 02328 "not be skipped" ) ); 02329 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02330 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02331 02332 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02333 } 02334 02335 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02336 end = ssl->in_msg + ssl->in_hslen; 02337 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02338 02339 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02340 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02341 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02342 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02343 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02344 { 02345 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02346 { 02347 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02348 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02349 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02350 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02351 } 02352 } /* FALLTROUGH */ 02353 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02354 02355 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02356 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02357 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02358 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02359 ; /* nothing more to do */ 02360 else 02361 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02362 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02363 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02364 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02365 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02366 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02367 { 02368 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02369 { 02370 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02371 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02372 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02373 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02374 } 02375 } 02376 else 02377 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02378 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02379 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02380 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02381 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02382 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02383 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02384 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02385 { 02386 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02387 { 02388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02389 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02390 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02391 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02392 } 02393 } 02394 else 02395 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02396 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02397 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02398 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02399 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02400 { 02401 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02402 p, end - p ); 02403 if( ret != 0 ) 02404 { 02405 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02406 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02407 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02408 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02409 } 02410 } 02411 else 02412 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02413 { 02414 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02415 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02416 } 02417 02418 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02419 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 02420 { 02421 size_t sig_len, hashlen; 02422 unsigned char hash[64]; 02423 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02424 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02425 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02426 size_t params_len = p - params; 02427 02428 /* 02429 * Handle the digitally-signed structure 02430 */ 02431 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02432 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02433 { 02434 if( ssl_parse_signature_algorithm( ssl, &p, end, 02435 &md_alg, &pk_alg ) != 0 ) 02436 { 02437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02438 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02439 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02440 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02441 } 02442 02443 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02444 { 02445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02446 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02447 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02448 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02449 } 02450 } 02451 else 02452 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02453 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02454 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02455 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02456 { 02457 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02458 02459 /* Default hash for ECDSA is SHA-1 */ 02460 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02461 md_alg = MBEDTLS_MD_SHA1; 02462 } 02463 else 02464 #endif 02465 { 02466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02467 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02468 } 02469 02470 /* 02471 * Read signature 02472 */ 02473 sig_len = ( p[0] << 8 ) | p[1]; 02474 p += 2; 02475 02476 if( end != p + sig_len ) 02477 { 02478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02479 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02480 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02481 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02482 } 02483 02484 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02485 02486 /* 02487 * Compute the hash that has been signed 02488 */ 02489 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02490 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02491 if( md_alg == MBEDTLS_MD_NONE ) 02492 { 02493 mbedtls_md5_context mbedtls_md5; 02494 mbedtls_sha1_context mbedtls_sha1; 02495 02496 mbedtls_md5_init( &mbedtls_md5 ); 02497 mbedtls_sha1_init( &mbedtls_sha1 ); 02498 02499 hashlen = 36; 02500 02501 /* 02502 * digitally-signed struct { 02503 * opaque md5_hash[16]; 02504 * opaque sha_hash[20]; 02505 * }; 02506 * 02507 * md5_hash 02508 * MD5(ClientHello.random + ServerHello.random 02509 * + ServerParams); 02510 * sha_hash 02511 * SHA(ClientHello.random + ServerHello.random 02512 * + ServerParams); 02513 */ 02514 mbedtls_md5_starts( &mbedtls_md5 ); 02515 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 02516 mbedtls_md5_update( &mbedtls_md5, params, params_len ); 02517 mbedtls_md5_finish( &mbedtls_md5, hash ); 02518 02519 mbedtls_sha1_starts( &mbedtls_sha1 ); 02520 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 02521 mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); 02522 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 02523 02524 mbedtls_md5_free( &mbedtls_md5 ); 02525 mbedtls_sha1_free( &mbedtls_sha1 ); 02526 } 02527 else 02528 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02529 MBEDTLS_SSL_PROTO_TLS1_1 */ 02530 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02531 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02532 if( md_alg != MBEDTLS_MD_NONE ) 02533 { 02534 mbedtls_md_context_t ctx; 02535 02536 mbedtls_md_init( &ctx ); 02537 02538 /* Info from md_alg will be used instead */ 02539 hashlen = 0; 02540 02541 /* 02542 * digitally-signed struct { 02543 * opaque client_random[32]; 02544 * opaque server_random[32]; 02545 * ServerDHParams params; 02546 * }; 02547 */ 02548 if( ( ret = mbedtls_md_setup( &ctx, 02549 mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) 02550 { 02551 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 02552 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02553 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 02554 return( ret ); 02555 } 02556 02557 mbedtls_md_starts( &ctx ); 02558 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 02559 mbedtls_md_update( &ctx, params, params_len ); 02560 mbedtls_md_finish( &ctx, hash ); 02561 mbedtls_md_free( &ctx ); 02562 } 02563 else 02564 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02565 MBEDTLS_SSL_PROTO_TLS1_2 */ 02566 { 02567 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02568 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02569 } 02570 02571 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02572 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02573 02574 if( ssl->session_negotiate->peer_cert == NULL ) 02575 { 02576 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02577 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02578 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02579 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02580 } 02581 02582 /* 02583 * Verify signature 02584 */ 02585 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02586 { 02587 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02588 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02589 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02590 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02591 } 02592 02593 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02594 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02595 { 02596 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02597 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 02598 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02599 return( ret ); 02600 } 02601 } 02602 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02603 02604 exit: 02605 ssl->state++; 02606 02607 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02608 02609 return( 0 ); 02610 } 02611 02612 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 02613 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02614 { 02615 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02616 ssl->transform_negotiate->ciphersuite_info; 02617 02618 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02619 02620 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02621 { 02622 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02623 ssl->state++; 02624 return( 0 ); 02625 } 02626 02627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02628 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02629 } 02630 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02631 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02632 { 02633 int ret; 02634 unsigned char *buf; 02635 size_t n = 0; 02636 size_t cert_type_len = 0, dn_len = 0; 02637 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02638 ssl->transform_negotiate->ciphersuite_info; 02639 02640 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02641 02642 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02643 { 02644 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02645 ssl->state++; 02646 return( 0 ); 02647 } 02648 02649 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02650 { 02651 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02652 return( ret ); 02653 } 02654 02655 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02656 { 02657 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02658 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02659 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02660 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02661 } 02662 02663 ssl->state++; 02664 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 02665 02666 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02667 ssl->client_auth ? "a" : "no" ) ); 02668 02669 if( ssl->client_auth == 0 ) 02670 { 02671 /* Current message is probably the ServerHelloDone */ 02672 ssl->keep_current_message = 1; 02673 goto exit; 02674 } 02675 02676 /* 02677 * struct { 02678 * ClientCertificateType certificate_types<1..2^8-1>; 02679 * SignatureAndHashAlgorithm 02680 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02681 * DistinguishedName certificate_authorities<0..2^16-1>; 02682 * } CertificateRequest; 02683 * 02684 * Since we only support a single certificate on clients, let's just 02685 * ignore all the information that's supposed to help us pick a 02686 * certificate. 02687 * 02688 * We could check that our certificate matches the request, and bail out 02689 * if it doesn't, but it's simpler to just send the certificate anyway, 02690 * and give the server the opportunity to decide if it should terminate 02691 * the connection when it doesn't like our certificate. 02692 * 02693 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02694 * point we only have one hash available (see comments in 02695 * write_certificate_verify), so let's just use what we have. 02696 * 02697 * However, we still minimally parse the message to check it is at least 02698 * superficially sane. 02699 */ 02700 buf = ssl->in_msg; 02701 02702 /* certificate_types */ 02703 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02704 n = cert_type_len; 02705 02706 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02707 { 02708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02709 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02710 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02711 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02712 } 02713 02714 /* supported_signature_algorithms */ 02715 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02716 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02717 { 02718 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02719 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02720 #if defined(MBEDTLS_DEBUG_C) 02721 unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 02722 size_t i; 02723 02724 for( i = 0; i < sig_alg_len; i += 2 ) 02725 { 02726 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 02727 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 02728 } 02729 #endif 02730 02731 n += 2 + sig_alg_len; 02732 02733 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02734 { 02735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02736 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02737 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02738 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02739 } 02740 } 02741 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02742 02743 /* certificate_authorities */ 02744 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02745 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02746 02747 n += dn_len; 02748 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02749 { 02750 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02751 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02752 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02753 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02754 } 02755 02756 exit: 02757 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02758 02759 return( 0 ); 02760 } 02761 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02762 02763 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02764 { 02765 int ret; 02766 02767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02768 02769 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02770 { 02771 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02772 return( ret ); 02773 } 02774 02775 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02776 { 02777 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02778 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02779 } 02780 02781 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02782 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02783 { 02784 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02785 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02786 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02787 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02788 } 02789 02790 ssl->state++; 02791 02792 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02793 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02794 mbedtls_ssl_recv_flight_completed( ssl ); 02795 #endif 02796 02797 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02798 02799 return( 0 ); 02800 } 02801 02802 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02803 { 02804 int ret; 02805 size_t i, n; 02806 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02807 ssl->transform_negotiate->ciphersuite_info; 02808 02809 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02810 02811 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02812 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02813 { 02814 /* 02815 * DHM key exchange -- send G^X mod P 02816 */ 02817 n = ssl->handshake->dhm_ctx.len; 02818 02819 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02820 ssl->out_msg[5] = (unsigned char)( n ); 02821 i = 6; 02822 02823 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02824 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02825 &ssl->out_msg[i], n, 02826 ssl->conf->f_rng, ssl->conf->p_rng ); 02827 if( ret != 0 ) 02828 { 02829 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02830 return( ret ); 02831 } 02832 02833 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02834 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02835 02836 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02837 ssl->handshake->premaster, 02838 MBEDTLS_PREMASTER_SIZE, 02839 &ssl->handshake->pmslen, 02840 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02841 { 02842 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02843 return( ret ); 02844 } 02845 02846 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02847 } 02848 else 02849 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02850 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02851 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02852 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02853 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02854 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02855 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02856 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02857 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02858 { 02859 /* 02860 * ECDH key exchange -- send client public value 02861 */ 02862 i = 4; 02863 02864 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02865 &n, 02866 &ssl->out_msg[i], 1000, 02867 ssl->conf->f_rng, ssl->conf->p_rng ); 02868 if( ret != 0 ) 02869 { 02870 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02871 return( ret ); 02872 } 02873 02874 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02875 02876 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02877 &ssl->handshake->pmslen, 02878 ssl->handshake->premaster, 02879 MBEDTLS_MPI_MAX_SIZE, 02880 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02881 { 02882 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02883 return( ret ); 02884 } 02885 02886 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02887 } 02888 else 02889 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02890 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02891 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02892 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02893 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02894 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 02895 { 02896 /* 02897 * opaque psk_identity<0..2^16-1>; 02898 */ 02899 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02900 { 02901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02902 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02903 } 02904 02905 i = 4; 02906 n = ssl->conf->psk_identity_len; 02907 02908 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02909 { 02910 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02911 "SSL buffer too short" ) ); 02912 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02913 } 02914 02915 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02916 ssl->out_msg[i++] = (unsigned char)( n ); 02917 02918 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02919 i += ssl->conf->psk_identity_len; 02920 02921 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02922 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02923 { 02924 n = 0; 02925 } 02926 else 02927 #endif 02928 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02929 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02930 { 02931 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02932 return( ret ); 02933 } 02934 else 02935 #endif 02936 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02937 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02938 { 02939 /* 02940 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02941 */ 02942 n = ssl->handshake->dhm_ctx.len; 02943 02944 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02945 { 02946 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02947 " or SSL buffer too short" ) ); 02948 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02949 } 02950 02951 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02952 ssl->out_msg[i++] = (unsigned char)( n ); 02953 02954 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02955 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02956 &ssl->out_msg[i], n, 02957 ssl->conf->f_rng, ssl->conf->p_rng ); 02958 if( ret != 0 ) 02959 { 02960 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02961 return( ret ); 02962 } 02963 } 02964 else 02965 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02966 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02967 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02968 { 02969 /* 02970 * ClientECDiffieHellmanPublic public; 02971 */ 02972 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02973 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02974 ssl->conf->f_rng, ssl->conf->p_rng ); 02975 if( ret != 0 ) 02976 { 02977 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02978 return( ret ); 02979 } 02980 02981 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02982 } 02983 else 02984 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02985 { 02986 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02987 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02988 } 02989 02990 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02991 ciphersuite_info->key_exchange ) ) != 0 ) 02992 { 02993 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02994 return( ret ); 02995 } 02996 } 02997 else 02998 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02999 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03000 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03001 { 03002 i = 4; 03003 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 03004 return( ret ); 03005 } 03006 else 03007 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03008 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03009 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03010 { 03011 i = 4; 03012 03013 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 03014 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 03015 ssl->conf->f_rng, ssl->conf->p_rng ); 03016 if( ret != 0 ) 03017 { 03018 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 03019 return( ret ); 03020 } 03021 03022 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03023 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03024 ssl->conf->f_rng, ssl->conf->p_rng ); 03025 if( ret != 0 ) 03026 { 03027 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03028 return( ret ); 03029 } 03030 } 03031 else 03032 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03033 { 03034 ((void) ciphersuite_info); 03035 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03036 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03037 } 03038 03039 ssl->out_msglen = i + n; 03040 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03041 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 03042 03043 ssl->state++; 03044 03045 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03046 { 03047 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03048 return( ret ); 03049 } 03050 03051 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 03052 03053 return( 0 ); 03054 } 03055 03056 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03057 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03058 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03059 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03060 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03061 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03062 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03063 { 03064 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03065 ssl->transform_negotiate->ciphersuite_info; 03066 int ret; 03067 03068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03069 03070 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03071 { 03072 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03073 return( ret ); 03074 } 03075 03076 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03077 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03078 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03079 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03080 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03081 { 03082 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03083 ssl->state++; 03084 return( 0 ); 03085 } 03086 03087 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03088 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03089 } 03090 #else 03091 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03092 { 03093 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03094 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03095 ssl->transform_negotiate->ciphersuite_info; 03096 size_t n = 0, offset = 0; 03097 unsigned char hash[48]; 03098 unsigned char *hash_start = hash; 03099 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03100 unsigned int hashlen; 03101 03102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03103 03104 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03105 { 03106 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03107 return( ret ); 03108 } 03109 03110 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03111 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03112 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03113 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03114 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03115 { 03116 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03117 ssl->state++; 03118 return( 0 ); 03119 } 03120 03121 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03122 { 03123 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03124 ssl->state++; 03125 return( 0 ); 03126 } 03127 03128 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03129 { 03130 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03131 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03132 } 03133 03134 /* 03135 * Make an RSA signature of the handshake digests 03136 */ 03137 ssl->handshake->calc_verify( ssl, hash ); 03138 03139 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03140 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03141 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03142 { 03143 /* 03144 * digitally-signed struct { 03145 * opaque md5_hash[16]; 03146 * opaque sha_hash[20]; 03147 * }; 03148 * 03149 * md5_hash 03150 * MD5(handshake_messages); 03151 * 03152 * sha_hash 03153 * SHA(handshake_messages); 03154 */ 03155 hashlen = 36; 03156 md_alg = MBEDTLS_MD_NONE; 03157 03158 /* 03159 * For ECDSA, default hash is SHA-1 only 03160 */ 03161 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03162 { 03163 hash_start += 16; 03164 hashlen -= 16; 03165 md_alg = MBEDTLS_MD_SHA1; 03166 } 03167 } 03168 else 03169 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03170 MBEDTLS_SSL_PROTO_TLS1_1 */ 03171 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03172 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03173 { 03174 /* 03175 * digitally-signed struct { 03176 * opaque handshake_messages[handshake_messages_length]; 03177 * }; 03178 * 03179 * Taking shortcut here. We assume that the server always allows the 03180 * PRF Hash function and has sent it in the allowed signature 03181 * algorithms list received in the Certificate Request message. 03182 * 03183 * Until we encounter a server that does not, we will take this 03184 * shortcut. 03185 * 03186 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03187 * in order to satisfy 'weird' needs from the server side. 03188 */ 03189 if( ssl->transform_negotiate->ciphersuite_info->mac == 03190 MBEDTLS_MD_SHA384 ) 03191 { 03192 md_alg = MBEDTLS_MD_SHA384; 03193 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03194 } 03195 else 03196 { 03197 md_alg = MBEDTLS_MD_SHA256; 03198 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03199 } 03200 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03201 03202 /* Info from md_alg will be used instead */ 03203 hashlen = 0; 03204 offset = 2; 03205 } 03206 else 03207 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03208 { 03209 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03210 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03211 } 03212 03213 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03214 ssl->out_msg + 6 + offset, &n, 03215 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03216 { 03217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03218 return( ret ); 03219 } 03220 03221 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03222 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03223 03224 ssl->out_msglen = 6 + n + offset; 03225 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03226 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03227 03228 ssl->state++; 03229 03230 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03231 { 03232 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03233 return( ret ); 03234 } 03235 03236 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03237 03238 return( ret ); 03239 } 03240 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03241 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03242 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03243 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03244 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03245 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03246 03247 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03248 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03249 { 03250 int ret; 03251 uint32_t lifetime; 03252 size_t ticket_len; 03253 unsigned char *ticket; 03254 const unsigned char *msg; 03255 03256 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03257 03258 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03259 { 03260 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03261 return( ret ); 03262 } 03263 03264 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03265 { 03266 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03267 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03268 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03269 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03270 } 03271 03272 /* 03273 * struct { 03274 * uint32 ticket_lifetime_hint; 03275 * opaque ticket<0..2^16-1>; 03276 * } NewSessionTicket; 03277 * 03278 * 0 . 3 ticket_lifetime_hint 03279 * 4 . 5 ticket_len (n) 03280 * 6 . 5+n ticket content 03281 */ 03282 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03283 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03284 { 03285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03286 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03287 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03288 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03289 } 03290 03291 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03292 03293 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03294 ( msg[2] << 8 ) | ( msg[3] ); 03295 03296 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03297 03298 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03299 { 03300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03301 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03302 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03303 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03304 } 03305 03306 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03307 03308 /* We're not waiting for a NewSessionTicket message any more */ 03309 ssl->handshake->new_session_ticket = 0; 03310 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03311 03312 /* 03313 * Zero-length ticket means the server changed his mind and doesn't want 03314 * to send a ticket after all, so just forget it 03315 */ 03316 if( ticket_len == 0 ) 03317 return( 0 ); 03318 03319 mbedtls_zeroize( ssl->session_negotiate->ticket, 03320 ssl->session_negotiate->ticket_len ); 03321 mbedtls_free( ssl->session_negotiate->ticket ); 03322 ssl->session_negotiate->ticket = NULL; 03323 ssl->session_negotiate->ticket_len = 0; 03324 03325 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03326 { 03327 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03328 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03329 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 03330 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03331 } 03332 03333 memcpy( ticket, msg + 6, ticket_len ); 03334 03335 ssl->session_negotiate->ticket = ticket; 03336 ssl->session_negotiate->ticket_len = ticket_len; 03337 ssl->session_negotiate->ticket_lifetime = lifetime; 03338 03339 /* 03340 * RFC 5077 section 3.4: 03341 * "If the client receives a session ticket from the server, then it 03342 * discards any Session ID that was sent in the ServerHello." 03343 */ 03344 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03345 ssl->session_negotiate->id_len = 0; 03346 03347 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03348 03349 return( 0 ); 03350 } 03351 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03352 03353 /* 03354 * SSL handshake -- client side -- single step 03355 */ 03356 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03357 { 03358 int ret = 0; 03359 03360 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03361 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03362 03363 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03364 03365 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03366 return( ret ); 03367 03368 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03369 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03370 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03371 { 03372 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03373 return( ret ); 03374 } 03375 #endif 03376 03377 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03378 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03379 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03380 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03381 ssl->handshake->new_session_ticket != 0 ) 03382 { 03383 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03384 } 03385 #endif 03386 03387 switch( ssl->state ) 03388 { 03389 case MBEDTLS_SSL_HELLO_REQUEST: 03390 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03391 break; 03392 03393 /* 03394 * ==> ClientHello 03395 */ 03396 case MBEDTLS_SSL_CLIENT_HELLO: 03397 ret = ssl_write_client_hello( ssl ); 03398 break; 03399 03400 /* 03401 * <== ServerHello 03402 * Certificate 03403 * ( ServerKeyExchange ) 03404 * ( CertificateRequest ) 03405 * ServerHelloDone 03406 */ 03407 case MBEDTLS_SSL_SERVER_HELLO: 03408 ret = ssl_parse_server_hello( ssl ); 03409 break; 03410 03411 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03412 ret = mbedtls_ssl_parse_certificate( ssl ); 03413 break; 03414 03415 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03416 ret = ssl_parse_server_key_exchange( ssl ); 03417 break; 03418 03419 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03420 ret = ssl_parse_certificate_request( ssl ); 03421 break; 03422 03423 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03424 ret = ssl_parse_server_hello_done( ssl ); 03425 break; 03426 03427 /* 03428 * ==> ( Certificate/Alert ) 03429 * ClientKeyExchange 03430 * ( CertificateVerify ) 03431 * ChangeCipherSpec 03432 * Finished 03433 */ 03434 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03435 ret = mbedtls_ssl_write_certificate( ssl ); 03436 break; 03437 03438 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03439 ret = ssl_write_client_key_exchange( ssl ); 03440 break; 03441 03442 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03443 ret = ssl_write_certificate_verify( ssl ); 03444 break; 03445 03446 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03447 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03448 break; 03449 03450 case MBEDTLS_SSL_CLIENT_FINISHED: 03451 ret = mbedtls_ssl_write_finished( ssl ); 03452 break; 03453 03454 /* 03455 * <== ( NewSessionTicket ) 03456 * ChangeCipherSpec 03457 * Finished 03458 */ 03459 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03460 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03461 ret = ssl_parse_new_session_ticket( ssl ); 03462 break; 03463 #endif 03464 03465 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03466 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03467 break; 03468 03469 case MBEDTLS_SSL_SERVER_FINISHED: 03470 ret = mbedtls_ssl_parse_finished( ssl ); 03471 break; 03472 03473 case MBEDTLS_SSL_FLUSH_BUFFERS: 03474 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03475 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03476 break; 03477 03478 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03479 mbedtls_ssl_handshake_wrapup( ssl ); 03480 break; 03481 03482 default: 03483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03484 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03485 } 03486 03487 return( ret ); 03488 } 03489 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Tue Jul 12 2022 17:25:43 by
1.7.2