Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of mbedtls by
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_SRV_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #if defined(MBEDTLS_ECP_C) 00045 #include "mbedtls/ecp.h" 00046 #endif 00047 00048 #if defined(MBEDTLS_HAVE_TIME) 00049 #include "mbedtls/platform_time.h" 00050 #endif 00051 00052 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00053 /* Implementation that should never be optimized out by the compiler */ 00054 static void mbedtls_zeroize( void *v, size_t n ) { 00055 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00056 } 00057 #endif 00058 00059 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 00060 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, 00061 const unsigned char *info, 00062 size_t ilen ) 00063 { 00064 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) 00065 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00066 00067 mbedtls_free( ssl->cli_id ); 00068 00069 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) 00070 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00071 00072 memcpy( ssl->cli_id, info, ilen ); 00073 ssl->cli_id_len = ilen; 00074 00075 return( 0 ); 00076 } 00077 00078 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, 00079 mbedtls_ssl_cookie_write_t *f_cookie_write, 00080 mbedtls_ssl_cookie_check_t *f_cookie_check, 00081 void *p_cookie ) 00082 { 00083 conf->f_cookie_write = f_cookie_write; 00084 conf->f_cookie_check = f_cookie_check; 00085 conf->p_cookie = p_cookie; 00086 } 00087 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 00088 00089 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00090 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, 00091 const unsigned char *buf, 00092 size_t len ) 00093 { 00094 int ret; 00095 size_t servername_list_size, hostname_len; 00096 const unsigned char *p; 00097 00098 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00099 00100 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00101 if( servername_list_size + 2 != len ) 00102 { 00103 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00104 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00105 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00106 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00107 } 00108 00109 p = buf + 2; 00110 while( servername_list_size > 0 ) 00111 { 00112 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00113 if( hostname_len + 3 > servername_list_size ) 00114 { 00115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00116 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00117 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00118 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00119 } 00120 00121 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) 00122 { 00123 ret = ssl->conf->f_sni( ssl->conf->p_sni, 00124 ssl, p + 3, hostname_len ); 00125 if( ret != 0 ) 00126 { 00127 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00128 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00129 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00130 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00131 } 00132 return( 0 ); 00133 } 00134 00135 servername_list_size -= hostname_len + 3; 00136 p += hostname_len + 3; 00137 } 00138 00139 if( servername_list_size != 0 ) 00140 { 00141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00142 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00143 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00144 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00145 } 00146 00147 return( 0 ); 00148 } 00149 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00150 00151 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 00152 const unsigned char *buf, 00153 size_t len ) 00154 { 00155 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00156 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00157 { 00158 /* Check verify-data in constant-time. The length OTOH is no secret */ 00159 if( len != 1 + ssl->verify_data_len || 00160 buf[0] != ssl->verify_data_len || 00161 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, 00162 ssl->verify_data_len ) != 0 ) 00163 { 00164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00165 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00166 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00167 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00168 } 00169 } 00170 else 00171 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00172 { 00173 if( len != 1 || buf[0] != 0x0 ) 00174 { 00175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00176 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00177 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00178 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00179 } 00180 00181 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 00182 } 00183 00184 return( 0 ); 00185 } 00186 00187 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00188 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00189 00190 /* 00191 * Status of the implementation of signature-algorithms extension: 00192 * 00193 * Currently, we are only considering the signature-algorithm extension 00194 * to pick a ciphersuite which allows us to send the ServerKeyExchange 00195 * message with a signature-hash combination that the user allows. 00196 * 00197 * We do *not* check whether all certificates in our certificate 00198 * chain are signed with an allowed signature-hash pair. 00199 * This needs to be done at a later stage. 00200 * 00201 */ 00202 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00203 const unsigned char *buf, 00204 size_t len ) 00205 { 00206 size_t sig_alg_list_size; 00207 00208 const unsigned char *p; 00209 const unsigned char *end = buf + len; 00210 00211 mbedtls_md_type_t md_cur; 00212 mbedtls_pk_type_t sig_cur; 00213 00214 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00215 if( sig_alg_list_size + 2 != len || 00216 sig_alg_list_size % 2 != 0 ) 00217 { 00218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00219 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00220 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00221 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00222 } 00223 00224 /* Currently we only guarantee signing the ServerKeyExchange message according 00225 * to the constraints specified in this extension (see above), so it suffices 00226 * to remember only one suitable hash for each possible signature algorithm. 00227 * 00228 * This will change when we also consider certificate signatures, 00229 * in which case we will need to remember the whole signature-hash 00230 * pair list from the extension. 00231 */ 00232 00233 for( p = buf + 2; p < end; p += 2 ) 00234 { 00235 /* Silently ignore unknown signature or hash algorithms. */ 00236 00237 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE ) 00238 { 00239 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext" 00240 " unknown sig alg encoding %d", p[1] ) ); 00241 continue; 00242 } 00243 00244 /* Check if we support the hash the user proposes */ 00245 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] ); 00246 if( md_cur == MBEDTLS_MD_NONE ) 00247 { 00248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00249 " unknown hash alg encoding %d", p[0] ) ); 00250 continue; 00251 } 00252 00253 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 ) 00254 { 00255 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur ); 00256 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00257 " match sig %d and hash %d", 00258 sig_cur, md_cur ) ); 00259 } 00260 else 00261 { 00262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: " 00263 "hash alg %d not supported", md_cur ) ); 00264 } 00265 } 00266 00267 return( 0 ); 00268 } 00269 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00270 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00271 00272 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00273 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00274 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, 00275 const unsigned char *buf, 00276 size_t len ) 00277 { 00278 size_t list_size, our_size; 00279 const unsigned char *p; 00280 const mbedtls_ecp_curve_info *curve_info, **curves; 00281 00282 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00283 if( list_size + 2 != len || 00284 list_size % 2 != 0 ) 00285 { 00286 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00287 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00288 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00289 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00290 } 00291 00292 /* Should never happen unless client duplicates the extension */ 00293 if( ssl->handshake->curves != NULL ) 00294 { 00295 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00296 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00297 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00298 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00299 } 00300 00301 /* Don't allow our peer to make us allocate too much memory, 00302 * and leave room for a final 0 */ 00303 our_size = list_size / 2 + 1; 00304 if( our_size > MBEDTLS_ECP_DP_MAX ) 00305 our_size = MBEDTLS_ECP_DP_MAX; 00306 00307 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) 00308 { 00309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00310 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 00311 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00312 } 00313 00314 ssl->handshake->curves = curves; 00315 00316 p = buf + 2; 00317 while( list_size > 0 && our_size > 1 ) 00318 { 00319 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00320 00321 if( curve_info != NULL ) 00322 { 00323 *curves++ = curve_info; 00324 our_size--; 00325 } 00326 00327 list_size -= 2; 00328 p += 2; 00329 } 00330 00331 return( 0 ); 00332 } 00333 00334 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, 00335 const unsigned char *buf, 00336 size_t len ) 00337 { 00338 size_t list_size; 00339 const unsigned char *p; 00340 00341 list_size = buf[0]; 00342 if( list_size + 1 != len ) 00343 { 00344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00345 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00346 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00347 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00348 } 00349 00350 p = buf + 1; 00351 while( list_size > 0 ) 00352 { 00353 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 00354 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 00355 { 00356 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00357 ssl->handshake->ecdh_ctx.point_format = p[0]; 00358 #endif 00359 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00360 ssl->handshake->ecjpake_ctx.point_format = p[0]; 00361 #endif 00362 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00363 return( 0 ); 00364 } 00365 00366 list_size--; 00367 p++; 00368 } 00369 00370 return( 0 ); 00371 } 00372 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00373 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00374 00375 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00376 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 00377 const unsigned char *buf, 00378 size_t len ) 00379 { 00380 int ret; 00381 00382 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00383 { 00384 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 00385 return( 0 ); 00386 } 00387 00388 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 00389 buf, len ) ) != 0 ) 00390 { 00391 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 00392 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00393 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00394 return( ret ); 00395 } 00396 00397 /* Only mark the extension as OK when we're sure it is */ 00398 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 00399 00400 return( 0 ); 00401 } 00402 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00403 00404 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00405 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00406 const unsigned char *buf, 00407 size_t len ) 00408 { 00409 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) 00410 { 00411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00412 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00413 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00414 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00415 } 00416 00417 ssl->session_negotiate->mfl_code = buf[0]; 00418 00419 return( 0 ); 00420 } 00421 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00422 00423 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00424 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00425 const unsigned char *buf, 00426 size_t len ) 00427 { 00428 if( len != 0 ) 00429 { 00430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00431 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00432 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00433 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00434 } 00435 00436 ((void) buf); 00437 00438 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00439 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 00440 00441 return( 0 ); 00442 } 00443 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00444 00445 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00446 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00447 const unsigned char *buf, 00448 size_t len ) 00449 { 00450 if( len != 0 ) 00451 { 00452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00453 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00454 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00455 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00456 } 00457 00458 ((void) buf); 00459 00460 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 00461 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00462 { 00463 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 00464 } 00465 00466 return( 0 ); 00467 } 00468 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00469 00470 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00471 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 00472 const unsigned char *buf, 00473 size_t len ) 00474 { 00475 if( len != 0 ) 00476 { 00477 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00478 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00479 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00480 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00481 } 00482 00483 ((void) buf); 00484 00485 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && 00486 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00487 { 00488 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 00489 } 00490 00491 return( 0 ); 00492 } 00493 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00494 00495 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00496 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 00497 unsigned char *buf, 00498 size_t len ) 00499 { 00500 int ret; 00501 mbedtls_ssl_session session; 00502 00503 mbedtls_ssl_session_init( &session ); 00504 00505 if( ssl->conf->f_ticket_parse == NULL || 00506 ssl->conf->f_ticket_write == NULL ) 00507 { 00508 return( 0 ); 00509 } 00510 00511 /* Remember the client asked us to send a new ticket */ 00512 ssl->handshake->new_session_ticket = 1; 00513 00514 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00515 00516 if( len == 0 ) 00517 return( 0 ); 00518 00519 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00520 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00521 { 00522 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00523 return( 0 ); 00524 } 00525 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00526 00527 /* 00528 * Failures are ok: just ignore the ticket and proceed. 00529 */ 00530 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, 00531 buf, len ) ) != 0 ) 00532 { 00533 mbedtls_ssl_session_free( &session ); 00534 00535 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 00536 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); 00537 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) 00538 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); 00539 else 00540 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); 00541 00542 return( 0 ); 00543 } 00544 00545 /* 00546 * Keep the session ID sent by the client, since we MUST send it back to 00547 * inform them we're accepting the ticket (RFC 5077 section 3.4) 00548 */ 00549 session.id_len = ssl->session_negotiate->id_len; 00550 memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); 00551 00552 mbedtls_ssl_session_free( ssl->session_negotiate ); 00553 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); 00554 00555 /* Zeroize instead of free as we copied the content */ 00556 mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) ); 00557 00558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00559 00560 ssl->handshake->resume = 1; 00561 00562 /* Don't send a new ticket after all, this one is OK */ 00563 ssl->handshake->new_session_ticket = 0; 00564 00565 return( 0 ); 00566 } 00567 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00568 00569 #if defined(MBEDTLS_SSL_ALPN) 00570 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 00571 const unsigned char *buf, size_t len ) 00572 { 00573 size_t list_len, cur_len, ours_len; 00574 const unsigned char *theirs, *start, *end; 00575 const char **ours; 00576 00577 /* If ALPN not configured, just ignore the extension */ 00578 if( ssl->conf->alpn_list == NULL ) 00579 return( 0 ); 00580 00581 /* 00582 * opaque ProtocolName<1..2^8-1>; 00583 * 00584 * struct { 00585 * ProtocolName protocol_name_list<2..2^16-1> 00586 * } ProtocolNameList; 00587 */ 00588 00589 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00590 if( len < 4 ) 00591 { 00592 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00593 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00594 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00595 } 00596 00597 list_len = ( buf[0] << 8 ) | buf[1]; 00598 if( list_len != len - 2 ) 00599 { 00600 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00601 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00602 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00603 } 00604 00605 /* 00606 * Use our order of preference 00607 */ 00608 start = buf + 2; 00609 end = buf + len; 00610 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) 00611 { 00612 ours_len = strlen( *ours ); 00613 for( theirs = start; theirs != end; theirs += cur_len ) 00614 { 00615 /* If the list is well formed, we should get equality first */ 00616 if( theirs > end ) 00617 { 00618 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00619 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00620 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00621 } 00622 00623 cur_len = *theirs++; 00624 00625 /* Empty strings MUST NOT be included */ 00626 if( cur_len == 0 ) 00627 { 00628 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00629 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00630 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00631 } 00632 00633 if( cur_len == ours_len && 00634 memcmp( theirs, *ours, cur_len ) == 0 ) 00635 { 00636 ssl->alpn_chosen = *ours; 00637 return( 0 ); 00638 } 00639 } 00640 } 00641 00642 /* If we get there, no match was found */ 00643 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00644 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00645 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00646 } 00647 #endif /* MBEDTLS_SSL_ALPN */ 00648 00649 /* 00650 * Auxiliary functions for ServerHello parsing and related actions 00651 */ 00652 00653 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00654 /* 00655 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 00656 */ 00657 #if defined(MBEDTLS_ECDSA_C) 00658 static int ssl_check_key_curve( mbedtls_pk_context *pk, 00659 const mbedtls_ecp_curve_info **curves ) 00660 { 00661 const mbedtls_ecp_curve_info **crv = curves; 00662 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ; 00663 00664 while( *crv != NULL ) 00665 { 00666 if( (*crv)->grp_id == grp_id ) 00667 return( 0 ); 00668 crv++; 00669 } 00670 00671 return( -1 ); 00672 } 00673 #endif /* MBEDTLS_ECDSA_C */ 00674 00675 /* 00676 * Try picking a certificate for this ciphersuite, 00677 * return 0 on success and -1 on failure. 00678 */ 00679 static int ssl_pick_cert( mbedtls_ssl_context *ssl, 00680 const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) 00681 { 00682 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; 00683 mbedtls_pk_type_t pk_alg = 00684 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00685 uint32_t flags; 00686 00687 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00688 if( ssl->handshake->sni_key_cert != NULL ) 00689 list = ssl->handshake->sni_key_cert; 00690 else 00691 #endif 00692 list = ssl->conf->key_cert; 00693 00694 if( pk_alg == MBEDTLS_PK_NONE ) 00695 return( 0 ); 00696 00697 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); 00698 00699 if( list == NULL ) 00700 { 00701 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); 00702 return( -1 ); 00703 } 00704 00705 for( cur = list; cur != NULL; cur = cur->next ) 00706 { 00707 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", 00708 cur->cert ); 00709 00710 if( ! mbedtls_pk_can_do( cur->key, pk_alg ) ) 00711 { 00712 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); 00713 continue; 00714 } 00715 00716 /* 00717 * This avoids sending the client a cert it'll reject based on 00718 * keyUsage or other extensions. 00719 * 00720 * It also allows the user to provision different certificates for 00721 * different uses based on keyUsage, eg if they want to avoid signing 00722 * and decrypting with the same RSA key. 00723 */ 00724 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, 00725 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) 00726 { 00727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " 00728 "(extended) key usage extension" ) ); 00729 continue; 00730 } 00731 00732 #if defined(MBEDTLS_ECDSA_C) 00733 if( pk_alg == MBEDTLS_PK_ECDSA && 00734 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) 00735 { 00736 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); 00737 continue; 00738 } 00739 #endif 00740 00741 /* 00742 * Try to select a SHA-1 certificate for pre-1.2 clients, but still 00743 * present them a SHA-higher cert rather than failing if it's the only 00744 * one we got that satisfies the other conditions. 00745 */ 00746 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && 00747 cur->cert->sig_md != MBEDTLS_MD_SHA1 ) 00748 { 00749 if( fallback == NULL ) 00750 fallback = cur; 00751 { 00752 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " 00753 "sha-2 with pre-TLS 1.2 client" ) ); 00754 continue; 00755 } 00756 } 00757 00758 /* If we get there, we got a winner */ 00759 break; 00760 } 00761 00762 if( cur == NULL ) 00763 cur = fallback; 00764 00765 /* Do not update ssl->handshake->key_cert unless there is a match */ 00766 if( cur != NULL ) 00767 { 00768 ssl->handshake->key_cert = cur; 00769 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", 00770 ssl->handshake->key_cert->cert ); 00771 return( 0 ); 00772 } 00773 00774 return( -1 ); 00775 } 00776 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00777 00778 /* 00779 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00780 * Sets ciphersuite_info only if the suite matches. 00781 */ 00782 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, 00783 const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) 00784 { 00785 const mbedtls_ssl_ciphersuite_t *suite_info; 00786 00787 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00788 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00789 mbedtls_pk_type_t sig_type; 00790 #endif 00791 00792 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); 00793 if( suite_info == NULL ) 00794 { 00795 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00796 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00797 } 00798 00799 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); 00800 00801 if( suite_info->min_minor_ver > ssl->minor_ver || 00802 suite_info->max_minor_ver < ssl->minor_ver ) 00803 { 00804 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); 00805 return( 0 ); 00806 } 00807 00808 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00809 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00810 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00811 return( 0 ); 00812 #endif 00813 00814 #if defined(MBEDTLS_ARC4_C) 00815 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00816 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00817 { 00818 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); 00819 return( 0 ); 00820 } 00821 #endif 00822 00823 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00824 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00825 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) 00826 { 00827 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " 00828 "not configured or ext missing" ) ); 00829 return( 0 ); 00830 } 00831 #endif 00832 00833 00834 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00835 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && 00836 ( ssl->handshake->curves == NULL || 00837 ssl->handshake->curves[0] == NULL ) ) 00838 { 00839 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00840 "no common elliptic curve" ) ); 00841 return( 0 ); 00842 } 00843 #endif 00844 00845 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00846 /* If the ciphersuite requires a pre-shared key and we don't 00847 * have one, skip it now rather than failing later */ 00848 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && 00849 ssl->conf->f_psk == NULL && 00850 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 00851 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 00852 { 00853 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); 00854 return( 0 ); 00855 } 00856 #endif 00857 00858 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00859 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00860 /* If the ciphersuite requires signing, check whether 00861 * a suitable hash algorithm is present. */ 00862 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00863 { 00864 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); 00865 if( sig_type != MBEDTLS_PK_NONE && 00866 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) 00867 { 00868 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " 00869 "for signature algorithm %d", sig_type ) ); 00870 return( 0 ); 00871 } 00872 } 00873 00874 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00875 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00876 00877 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00878 /* 00879 * Final check: if ciphersuite requires us to have a 00880 * certificate/key of a particular type: 00881 * - select the appropriate certificate if we have one, or 00882 * - try the next ciphersuite if we don't 00883 * This must be done last since we modify the key_cert list. 00884 */ 00885 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 00886 { 00887 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00888 "no suitable certificate" ) ); 00889 return( 0 ); 00890 } 00891 #endif 00892 00893 *ciphersuite_info = suite_info; 00894 return( 0 ); 00895 } 00896 00897 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 00898 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) 00899 { 00900 int ret, got_common_suite; 00901 unsigned int i, j; 00902 size_t n; 00903 unsigned int ciph_len, sess_len, chal_len; 00904 unsigned char *buf, *p; 00905 const int *ciphersuites; 00906 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00907 00908 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 00909 00910 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00911 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00912 { 00913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 00914 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00915 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00916 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00917 } 00918 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00919 00920 buf = ssl->in_hdr; 00921 00922 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00923 00924 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00925 buf[2] ) ); 00926 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00927 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00928 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00929 buf[3], buf[4] ) ); 00930 00931 /* 00932 * SSLv2 Client Hello 00933 * 00934 * Record layer: 00935 * 0 . 1 message length 00936 * 00937 * SSL layer: 00938 * 2 . 2 message type 00939 * 3 . 4 protocol version 00940 */ 00941 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || 00942 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) 00943 { 00944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00945 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00946 } 00947 00948 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00949 00950 if( n < 17 || n > 512 ) 00951 { 00952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00953 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00954 } 00955 00956 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 00957 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) 00958 ? buf[4] : ssl->conf->max_minor_ver; 00959 00960 if( ssl->minor_ver < ssl->conf->min_minor_ver ) 00961 { 00962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 00963 " [%d:%d] < [%d:%d]", 00964 ssl->major_ver, ssl->minor_ver, 00965 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 00966 00967 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00968 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 00969 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 00970 } 00971 00972 ssl->handshake->max_major_ver = buf[3]; 00973 ssl->handshake->max_minor_ver = buf[4]; 00974 00975 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 00976 { 00977 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 00978 return( ret ); 00979 } 00980 00981 ssl->handshake->update_checksum( ssl, buf + 2, n ); 00982 00983 buf = ssl->in_msg; 00984 n = ssl->in_left - 5; 00985 00986 /* 00987 * 0 . 1 ciphersuitelist length 00988 * 2 . 3 session id length 00989 * 4 . 5 challenge length 00990 * 6 . .. ciphersuitelist 00991 * .. . .. session id 00992 * .. . .. challenge 00993 */ 00994 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); 00995 00996 ciph_len = ( buf[0] << 8 ) | buf[1]; 00997 sess_len = ( buf[2] << 8 ) | buf[3]; 00998 chal_len = ( buf[4] << 8 ) | buf[5]; 00999 01000 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 01001 ciph_len, sess_len, chal_len ) ); 01002 01003 /* 01004 * Make sure each parameter length is valid 01005 */ 01006 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 01007 { 01008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01009 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01010 } 01011 01012 if( sess_len > 32 ) 01013 { 01014 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01015 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01016 } 01017 01018 if( chal_len < 8 || chal_len > 32 ) 01019 { 01020 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01021 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01022 } 01023 01024 if( n != 6 + ciph_len + sess_len + chal_len ) 01025 { 01026 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01027 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01028 } 01029 01030 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01031 buf + 6, ciph_len ); 01032 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", 01033 buf + 6 + ciph_len, sess_len ); 01034 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", 01035 buf + 6 + ciph_len + sess_len, chal_len ); 01036 01037 p = buf + 6 + ciph_len; 01038 ssl->session_negotiate->id_len = sess_len; 01039 memset( ssl->session_negotiate->id, 0, 01040 sizeof( ssl->session_negotiate->id ) ); 01041 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); 01042 01043 p += sess_len; 01044 memset( ssl->handshake->randbytes, 0, 64 ); 01045 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 01046 01047 /* 01048 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01049 */ 01050 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01051 { 01052 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01053 { 01054 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01055 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01056 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01057 { 01058 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01059 "during renegotiation" ) ); 01060 01061 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01062 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01063 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01064 } 01065 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01066 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01067 break; 01068 } 01069 } 01070 01071 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01072 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01073 { 01074 if( p[0] == 0 && 01075 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01076 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01077 { 01078 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); 01079 01080 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01081 { 01082 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01083 01084 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01085 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01086 01087 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01088 } 01089 01090 break; 01091 } 01092 } 01093 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01094 01095 got_common_suite = 0; 01096 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01097 ciphersuite_info = NULL; 01098 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01099 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01100 for( i = 0; ciphersuites[i] != 0; i++ ) 01101 #else 01102 for( i = 0; ciphersuites[i] != 0; i++ ) 01103 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01104 #endif 01105 { 01106 if( p[0] != 0 || 01107 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01108 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01109 continue; 01110 01111 got_common_suite = 1; 01112 01113 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01114 &ciphersuite_info ) ) != 0 ) 01115 return( ret ); 01116 01117 if( ciphersuite_info != NULL ) 01118 goto have_ciphersuite_v2; 01119 } 01120 01121 if( got_common_suite ) 01122 { 01123 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01124 "but none of them usable" ) ); 01125 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01126 } 01127 else 01128 { 01129 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01130 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01131 } 01132 01133 have_ciphersuite_v2: 01134 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01135 01136 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01137 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01138 01139 /* 01140 * SSLv2 Client Hello relevant renegotiation security checks 01141 */ 01142 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01143 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01144 { 01145 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01146 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01147 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01148 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01149 } 01150 01151 ssl->in_left = 0; 01152 ssl->state++; 01153 01154 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01155 01156 return( 0 ); 01157 } 01158 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01159 01160 /* This function doesn't alert on errors that happen early during 01161 ClientHello parsing because they might indicate that the client is 01162 not talking SSL/TLS at all and would not understand our alert. */ 01163 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) 01164 { 01165 int ret, got_common_suite; 01166 size_t i, j; 01167 size_t ciph_offset, comp_offset, ext_offset; 01168 size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 01169 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01170 size_t cookie_offset, cookie_len; 01171 #endif 01172 unsigned char *buf, *p, *ext; 01173 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01174 int renegotiation_info_seen = 0; 01175 #endif 01176 int handshake_failure = 0; 01177 const int *ciphersuites; 01178 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 01179 int major, minor; 01180 01181 /* If there is no signature-algorithm extension present, 01182 * we need to fall back to the default values for allowed 01183 * signature-hash pairs. */ 01184 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01185 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01186 int sig_hash_alg_ext_present = 0; 01187 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01188 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01189 01190 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01191 01192 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01193 read_record_header: 01194 #endif 01195 /* 01196 * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 01197 * otherwise read it ourselves manually in order to support SSLv2 01198 * ClientHello, which doesn't use the same record layer format. 01199 */ 01200 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01201 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01202 #endif 01203 { 01204 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) 01205 { 01206 /* No alert on a read error. */ 01207 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01208 return( ret ); 01209 } 01210 } 01211 01212 buf = ssl->in_hdr; 01213 01214 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01215 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01216 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) 01217 #endif 01218 if( ( buf[0] & 0x80 ) != 0 ) 01219 return( ssl_parse_client_hello_v2( ssl ) ); 01220 #endif 01221 01222 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) ); 01223 01224 /* 01225 * SSLv3/TLS Client Hello 01226 * 01227 * Record layer: 01228 * 0 . 0 message type 01229 * 1 . 2 protocol version 01230 * 3 . 11 DTLS: epoch + record sequence number 01231 * 3 . 4 message length 01232 */ 01233 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01234 buf[0] ) ); 01235 01236 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) 01237 { 01238 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01239 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01240 } 01241 01242 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01243 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); 01244 01245 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", 01246 buf[1], buf[2] ) ); 01247 01248 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); 01249 01250 /* According to RFC 5246 Appendix E.1, the version here is typically 01251 * "{03,00}, the lowest version number supported by the client, [or] the 01252 * value of ClientHello.client_version", so the only meaningful check here 01253 * is the major version shouldn't be less than 3 */ 01254 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) 01255 { 01256 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01257 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01258 } 01259 01260 /* For DTLS if this is the initial handshake, remember the client sequence 01261 * number to use it in our next message (RFC 6347 4.2.1) */ 01262 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01263 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 01264 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01265 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01266 #endif 01267 ) 01268 { 01269 /* Epoch should be 0 for initial handshakes */ 01270 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) 01271 { 01272 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01273 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01274 } 01275 01276 memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 ); 01277 01278 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01279 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 01280 { 01281 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); 01282 ssl->next_record_offset = 0; 01283 ssl->in_left = 0; 01284 goto read_record_header; 01285 } 01286 01287 /* No MAC to check yet, so we can update right now */ 01288 mbedtls_ssl_dtls_replay_update( ssl ); 01289 #endif 01290 } 01291 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01292 01293 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 01294 01295 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01296 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01297 { 01298 /* Set by mbedtls_ssl_read_record() */ 01299 msg_len = ssl->in_hslen; 01300 } 01301 else 01302 #endif 01303 { 01304 if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 01305 { 01306 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01307 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01308 } 01309 01310 if( ( ret = mbedtls_ssl_fetch_input( ssl, 01311 mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 ) 01312 { 01313 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01314 return( ret ); 01315 } 01316 01317 /* Done reading this record, get ready for the next one */ 01318 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01319 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01320 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); 01321 else 01322 #endif 01323 ssl->in_left = 0; 01324 } 01325 01326 buf = ssl->in_msg; 01327 01328 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); 01329 01330 ssl->handshake->update_checksum( ssl, buf, msg_len ); 01331 01332 /* 01333 * Handshake layer: 01334 * 0 . 0 handshake type 01335 * 1 . 3 handshake length 01336 * 4 . 5 DTLS only: message seqence number 01337 * 6 . 8 DTLS only: fragment offset 01338 * 9 . 11 DTLS only: fragment length 01339 */ 01340 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) 01341 { 01342 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01343 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01344 } 01345 01346 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); 01347 01348 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 01349 { 01350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01351 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01352 } 01353 01354 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01355 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01356 01357 /* We don't support fragmentation of ClientHello (yet?) */ 01358 if( buf[1] != 0 || 01359 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) 01360 { 01361 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01362 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01363 } 01364 01365 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01366 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01367 { 01368 /* 01369 * Copy the client's handshake message_seq on initial handshakes, 01370 * check sequence number on renego. 01371 */ 01372 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01373 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01374 { 01375 /* This couldn't be done in ssl_prepare_handshake_record() */ 01376 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01377 ssl->in_msg[5]; 01378 01379 if( cli_msg_seq != ssl->handshake->in_msg_seq ) 01380 { 01381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " 01382 "%d (expected %d)", cli_msg_seq, 01383 ssl->handshake->in_msg_seq ) ); 01384 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01385 } 01386 01387 ssl->handshake->in_msg_seq++; 01388 } 01389 else 01390 #endif 01391 { 01392 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01393 ssl->in_msg[5]; 01394 ssl->handshake->out_msg_seq = cli_msg_seq; 01395 ssl->handshake->in_msg_seq = cli_msg_seq + 1; 01396 } 01397 01398 /* 01399 * For now we don't support fragmentation, so make sure 01400 * fragment_offset == 0 and fragment_length == length 01401 */ 01402 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || 01403 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) 01404 { 01405 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); 01406 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01407 } 01408 } 01409 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01410 01411 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01412 msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); 01413 01414 /* 01415 * ClientHello layer: 01416 * 0 . 1 protocol version 01417 * 2 . 33 random bytes (starting with 4 bytes of Unix time) 01418 * 34 . 35 session id length (1 byte) 01419 * 35 . 34+x session id 01420 * 35+x . 35+x DTLS only: cookie length (1 byte) 01421 * 36+x . .. DTLS only: cookie 01422 * .. . .. ciphersuite list length (2 bytes) 01423 * .. . .. ciphersuite list 01424 * .. . .. compression alg. list length (1 byte) 01425 * .. . .. compression alg. list 01426 * .. . .. extensions length (2 bytes, optional) 01427 * .. . .. extensions (optional) 01428 */ 01429 01430 /* 01431 * Minimal length (with everything empty and extensions ommitted) is 01432 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 01433 * read at least up to session id length without worrying. 01434 */ 01435 if( msg_len < 38 ) 01436 { 01437 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01438 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01439 } 01440 01441 /* 01442 * Check and save the protocol version 01443 */ 01444 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); 01445 01446 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01447 ssl->conf->transport, buf ); 01448 01449 ssl->handshake->max_major_ver = ssl->major_ver; 01450 ssl->handshake->max_minor_ver = ssl->minor_ver; 01451 01452 if( ssl->major_ver < ssl->conf->min_major_ver || 01453 ssl->minor_ver < ssl->conf->min_minor_ver ) 01454 { 01455 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01456 " [%d:%d] < [%d:%d]", 01457 ssl->major_ver, ssl->minor_ver, 01458 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 01459 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01460 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01461 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01462 } 01463 01464 if( ssl->major_ver > ssl->conf->max_major_ver ) 01465 { 01466 ssl->major_ver = ssl->conf->max_major_ver; 01467 ssl->minor_ver = ssl->conf->max_minor_ver; 01468 } 01469 else if( ssl->minor_ver > ssl->conf->max_minor_ver ) 01470 ssl->minor_ver = ssl->conf->max_minor_ver; 01471 01472 /* 01473 * Save client random (inc. Unix time) 01474 */ 01475 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); 01476 01477 memcpy( ssl->handshake->randbytes, buf + 2, 32 ); 01478 01479 /* 01480 * Check the session ID length and save session ID 01481 */ 01482 sess_len = buf[34]; 01483 01484 if( sess_len > sizeof( ssl->session_negotiate->id ) || 01485 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ 01486 { 01487 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01488 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01489 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01490 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01491 } 01492 01493 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); 01494 01495 ssl->session_negotiate->id_len = sess_len; 01496 memset( ssl->session_negotiate->id, 0, 01497 sizeof( ssl->session_negotiate->id ) ); 01498 memcpy( ssl->session_negotiate->id, buf + 35, 01499 ssl->session_negotiate->id_len ); 01500 01501 /* 01502 * Check the cookie length and content 01503 */ 01504 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01505 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01506 { 01507 cookie_offset = 35 + sess_len; 01508 cookie_len = buf[cookie_offset]; 01509 01510 if( cookie_offset + 1 + cookie_len + 2 > msg_len ) 01511 { 01512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01513 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01514 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01515 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01516 } 01517 01518 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 01519 buf + cookie_offset + 1, cookie_len ); 01520 01521 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 01522 if( ssl->conf->f_cookie_check != NULL 01523 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01524 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01525 #endif 01526 ) 01527 { 01528 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, 01529 buf + cookie_offset + 1, cookie_len, 01530 ssl->cli_id, ssl->cli_id_len ) != 0 ) 01531 { 01532 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); 01533 ssl->handshake->verify_cookie_len = 1; 01534 } 01535 else 01536 { 01537 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); 01538 ssl->handshake->verify_cookie_len = 0; 01539 } 01540 } 01541 else 01542 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 01543 { 01544 /* We know we didn't send a cookie, so it should be empty */ 01545 if( cookie_len != 0 ) 01546 { 01547 /* This may be an attacker's probe, so don't send an alert */ 01548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01549 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01550 } 01551 01552 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); 01553 } 01554 01555 /* 01556 * Check the ciphersuitelist length (will be parsed later) 01557 */ 01558 ciph_offset = cookie_offset + 1 + cookie_len; 01559 } 01560 else 01561 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01562 ciph_offset = 35 + sess_len; 01563 01564 ciph_len = ( buf[ciph_offset + 0] << 8 ) 01565 | ( buf[ciph_offset + 1] ); 01566 01567 if( ciph_len < 2 || 01568 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 01569 ( ciph_len % 2 ) != 0 ) 01570 { 01571 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01572 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01573 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01574 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01575 } 01576 01577 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01578 buf + ciph_offset + 2, ciph_len ); 01579 01580 /* 01581 * Check the compression algorithms length and pick one 01582 */ 01583 comp_offset = ciph_offset + 2 + ciph_len; 01584 01585 comp_len = buf[comp_offset]; 01586 01587 if( comp_len < 1 || 01588 comp_len > 16 || 01589 comp_len + comp_offset + 1 > msg_len ) 01590 { 01591 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01592 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01593 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01594 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01595 } 01596 01597 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", 01598 buf + comp_offset + 1, comp_len ); 01599 01600 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01601 #if defined(MBEDTLS_ZLIB_SUPPORT) 01602 for( i = 0; i < comp_len; ++i ) 01603 { 01604 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) 01605 { 01606 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; 01607 break; 01608 } 01609 } 01610 #endif 01611 01612 /* See comments in ssl_write_client_hello() */ 01613 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01614 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01615 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01616 #endif 01617 01618 /* Do not parse the extensions if the protocol is SSLv3 */ 01619 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01620 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 01621 { 01622 #endif 01623 /* 01624 * Check the extension length 01625 */ 01626 ext_offset = comp_offset + 1 + comp_len; 01627 if( msg_len > ext_offset ) 01628 { 01629 if( msg_len < ext_offset + 2 ) 01630 { 01631 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01632 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01633 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01634 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01635 } 01636 01637 ext_len = ( buf[ext_offset + 0] << 8 ) 01638 | ( buf[ext_offset + 1] ); 01639 01640 if( ( ext_len > 0 && ext_len < 4 ) || 01641 msg_len != ext_offset + 2 + ext_len ) 01642 { 01643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01644 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01645 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01646 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01647 } 01648 } 01649 else 01650 ext_len = 0; 01651 01652 ext = buf + ext_offset + 2; 01653 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); 01654 01655 while( ext_len != 0 ) 01656 { 01657 unsigned int ext_id = ( ( ext[0] << 8 ) 01658 | ( ext[1] ) ); 01659 unsigned int ext_size = ( ( ext[2] << 8 ) 01660 | ( ext[3] ) ); 01661 01662 if( ext_size + 4 > ext_len ) 01663 { 01664 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01665 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01666 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01667 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01668 } 01669 switch( ext_id ) 01670 { 01671 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01672 case MBEDTLS_TLS_EXT_SERVERNAME: 01673 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01674 if( ssl->conf->f_sni == NULL ) 01675 break; 01676 01677 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01678 if( ret != 0 ) 01679 return( ret ); 01680 break; 01681 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 01682 01683 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01684 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01685 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01686 renegotiation_info_seen = 1; 01687 #endif 01688 01689 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01690 if( ret != 0 ) 01691 return( ret ); 01692 break; 01693 01694 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01695 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01696 case MBEDTLS_TLS_EXT_SIG_ALG: 01697 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01698 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01699 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01700 break; 01701 #endif 01702 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01703 if( ret != 0 ) 01704 return( ret ); 01705 01706 sig_hash_alg_ext_present = 1; 01707 break; 01708 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01709 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01710 01711 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01712 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01713 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01714 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01715 01716 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01717 if( ret != 0 ) 01718 return( ret ); 01719 break; 01720 01721 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01722 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01723 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01724 01725 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01726 if( ret != 0 ) 01727 return( ret ); 01728 break; 01729 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01730 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01731 01732 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01733 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01734 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); 01735 01736 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); 01737 if( ret != 0 ) 01738 return( ret ); 01739 break; 01740 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01741 01742 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01743 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01744 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01745 01746 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01747 if( ret != 0 ) 01748 return( ret ); 01749 break; 01750 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01751 01752 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01753 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01754 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01755 01756 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01757 if( ret != 0 ) 01758 return( ret ); 01759 break; 01760 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01761 01762 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01763 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01764 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); 01765 01766 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); 01767 if( ret != 0 ) 01768 return( ret ); 01769 break; 01770 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01771 01772 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01773 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01774 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); 01775 01776 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); 01777 if( ret != 0 ) 01778 return( ret ); 01779 break; 01780 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01781 01782 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01783 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01784 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01785 01786 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01787 if( ret != 0 ) 01788 return( ret ); 01789 break; 01790 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01791 01792 #if defined(MBEDTLS_SSL_ALPN) 01793 case MBEDTLS_TLS_EXT_ALPN: 01794 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01795 01796 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01797 if( ret != 0 ) 01798 return( ret ); 01799 break; 01800 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01801 01802 default: 01803 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01804 ext_id ) ); 01805 } 01806 01807 ext_len -= 4 + ext_size; 01808 ext += 4 + ext_size; 01809 01810 if( ext_len > 0 && ext_len < 4 ) 01811 { 01812 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01813 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01814 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01815 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01816 } 01817 } 01818 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01819 } 01820 #endif 01821 01822 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01823 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01824 { 01825 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01826 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01827 { 01828 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); 01829 01830 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01831 { 01832 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01833 01834 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01835 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01836 01837 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01838 } 01839 01840 break; 01841 } 01842 } 01843 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01844 01845 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01846 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01847 01848 /* 01849 * Try to fall back to default hash SHA1 if the client 01850 * hasn't provided any preferred signature-hash combinations. 01851 */ 01852 if( sig_hash_alg_ext_present == 0 ) 01853 { 01854 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1; 01855 01856 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 ) 01857 md_default = MBEDTLS_MD_NONE; 01858 01859 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default ); 01860 } 01861 01862 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01863 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01864 01865 /* 01866 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01867 */ 01868 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01869 { 01870 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01871 { 01872 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01873 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01874 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01875 { 01876 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01877 "during renegotiation" ) ); 01878 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01879 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01880 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01881 } 01882 #endif 01883 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01884 break; 01885 } 01886 } 01887 01888 /* 01889 * Renegotiation security checks 01890 */ 01891 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 01892 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01893 { 01894 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01895 handshake_failure = 1; 01896 } 01897 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01898 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01899 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01900 renegotiation_info_seen == 0 ) 01901 { 01902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01903 handshake_failure = 1; 01904 } 01905 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01906 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01907 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01908 { 01909 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01910 handshake_failure = 1; 01911 } 01912 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01913 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01914 renegotiation_info_seen == 1 ) 01915 { 01916 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01917 handshake_failure = 1; 01918 } 01919 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01920 01921 if( handshake_failure == 1 ) 01922 { 01923 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01924 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01925 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01926 } 01927 01928 /* 01929 * Search for a matching ciphersuite 01930 * (At the end because we need information from the EC-based extensions 01931 * and certificate from the SNI callback triggered by the SNI extension.) 01932 */ 01933 got_common_suite = 0; 01934 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01935 ciphersuite_info = NULL; 01936 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01937 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01938 for( i = 0; ciphersuites[i] != 0; i++ ) 01939 #else 01940 for( i = 0; ciphersuites[i] != 0; i++ ) 01941 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01942 #endif 01943 { 01944 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01945 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 01946 continue; 01947 01948 got_common_suite = 1; 01949 01950 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01951 &ciphersuite_info ) ) != 0 ) 01952 return( ret ); 01953 01954 if( ciphersuite_info != NULL ) 01955 goto have_ciphersuite; 01956 } 01957 01958 if( got_common_suite ) 01959 { 01960 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01961 "but none of them usable" ) ); 01962 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01963 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01964 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01965 } 01966 else 01967 { 01968 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01969 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01970 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01971 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01972 } 01973 01974 have_ciphersuite: 01975 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01976 01977 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01978 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01979 01980 ssl->state++; 01981 01982 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01983 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01984 mbedtls_ssl_recv_flight_completed( ssl ); 01985 #endif 01986 01987 /* Debugging-only output for testsuite */ 01988 #if defined(MBEDTLS_DEBUG_C) && \ 01989 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01990 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01991 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 01992 { 01993 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); 01994 if( sig_alg != MBEDTLS_PK_NONE ) 01995 { 01996 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 01997 sig_alg ); 01998 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 01999 mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); 02000 } 02001 else 02002 { 02003 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm " 02004 "%d - should not happen", sig_alg ) ); 02005 } 02006 } 02007 #endif 02008 02009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 02010 02011 return( 0 ); 02012 } 02013 02014 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02015 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 02016 unsigned char *buf, 02017 size_t *olen ) 02018 { 02019 unsigned char *p = buf; 02020 02021 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 02022 { 02023 *olen = 0; 02024 return; 02025 } 02026 02027 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 02028 02029 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 02030 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 02031 02032 *p++ = 0x00; 02033 *p++ = 0x00; 02034 02035 *olen = 4; 02036 } 02037 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 02038 02039 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02040 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 02041 unsigned char *buf, 02042 size_t *olen ) 02043 { 02044 unsigned char *p = buf; 02045 const mbedtls_ssl_ciphersuite_t *suite = NULL; 02046 const mbedtls_cipher_info_t *cipher = NULL; 02047 02048 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 02049 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02050 { 02051 *olen = 0; 02052 return; 02053 } 02054 02055 /* 02056 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 02057 * from a client and then selects a stream or Authenticated Encryption 02058 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 02059 * encrypt-then-MAC response extension back to the client." 02060 */ 02061 if( ( suite = mbedtls_ssl_ciphersuite_from_id( 02062 ssl->session_negotiate->ciphersuite ) ) == NULL || 02063 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || 02064 cipher->mode != MBEDTLS_MODE_CBC ) 02065 { 02066 *olen = 0; 02067 return; 02068 } 02069 02070 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); 02071 02072 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 02073 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 02074 02075 *p++ = 0x00; 02076 *p++ = 0x00; 02077 02078 *olen = 4; 02079 } 02080 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 02081 02082 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02083 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 02084 unsigned char *buf, 02085 size_t *olen ) 02086 { 02087 unsigned char *p = buf; 02088 02089 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 02090 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02091 { 02092 *olen = 0; 02093 return; 02094 } 02095 02096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " 02097 "extension" ) ); 02098 02099 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 02100 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 02101 02102 *p++ = 0x00; 02103 *p++ = 0x00; 02104 02105 *olen = 4; 02106 } 02107 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 02108 02109 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02110 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 02111 unsigned char *buf, 02112 size_t *olen ) 02113 { 02114 unsigned char *p = buf; 02115 02116 if( ssl->handshake->new_session_ticket == 0 ) 02117 { 02118 *olen = 0; 02119 return; 02120 } 02121 02122 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 02123 02124 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 02125 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 02126 02127 *p++ = 0x00; 02128 *p++ = 0x00; 02129 02130 *olen = 4; 02131 } 02132 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02133 02134 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 02135 unsigned char *buf, 02136 size_t *olen ) 02137 { 02138 unsigned char *p = buf; 02139 02140 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) 02141 { 02142 *olen = 0; 02143 return; 02144 } 02145 02146 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 02147 02148 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 02149 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 02150 02151 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02152 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 02153 { 02154 *p++ = 0x00; 02155 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 02156 *p++ = ssl->verify_data_len * 2 & 0xFF; 02157 02158 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 02159 p += ssl->verify_data_len; 02160 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 02161 p += ssl->verify_data_len; 02162 } 02163 else 02164 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02165 { 02166 *p++ = 0x00; 02167 *p++ = 0x01; 02168 *p++ = 0x00; 02169 } 02170 02171 *olen = p - buf; 02172 } 02173 02174 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02175 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 02176 unsigned char *buf, 02177 size_t *olen ) 02178 { 02179 unsigned char *p = buf; 02180 02181 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) 02182 { 02183 *olen = 0; 02184 return; 02185 } 02186 02187 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 02188 02189 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 02190 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 02191 02192 *p++ = 0x00; 02193 *p++ = 1; 02194 02195 *p++ = ssl->session_negotiate->mfl_code; 02196 02197 *olen = 5; 02198 } 02199 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 02200 02201 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02202 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02203 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 02204 unsigned char *buf, 02205 size_t *olen ) 02206 { 02207 unsigned char *p = buf; 02208 ((void) ssl); 02209 02210 if( ( ssl->handshake->cli_exts & 02211 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 02212 { 02213 *olen = 0; 02214 return; 02215 } 02216 02217 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 02218 02219 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 02220 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 02221 02222 *p++ = 0x00; 02223 *p++ = 2; 02224 02225 *p++ = 1; 02226 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 02227 02228 *olen = 6; 02229 } 02230 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02231 02232 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02233 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 02234 unsigned char *buf, 02235 size_t *olen ) 02236 { 02237 int ret; 02238 unsigned char *p = buf; 02239 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02240 size_t kkpp_len; 02241 02242 *olen = 0; 02243 02244 /* Skip costly computation if not needed */ 02245 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 02246 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02247 return; 02248 02249 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); 02250 02251 if( end - p < 4 ) 02252 { 02253 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 02254 return; 02255 } 02256 02257 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 02258 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 02259 02260 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 02261 p + 2, end - p - 2, &kkpp_len, 02262 ssl->conf->f_rng, ssl->conf->p_rng ); 02263 if( ret != 0 ) 02264 { 02265 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 02266 return; 02267 } 02268 02269 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 02270 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 02271 02272 *olen = kkpp_len + 4; 02273 } 02274 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02275 02276 #if defined(MBEDTLS_SSL_ALPN ) 02277 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 02278 unsigned char *buf, size_t *olen ) 02279 { 02280 if( ssl->alpn_chosen == NULL ) 02281 { 02282 *olen = 0; 02283 return; 02284 } 02285 02286 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 02287 02288 /* 02289 * 0 . 1 ext identifier 02290 * 2 . 3 ext length 02291 * 4 . 5 protocol list length 02292 * 6 . 6 protocol name length 02293 * 7 . 7+n protocol name 02294 */ 02295 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 02296 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 02297 02298 *olen = 7 + strlen( ssl->alpn_chosen ); 02299 02300 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 02301 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 02302 02303 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 02304 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 02305 02306 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 02307 02308 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 02309 } 02310 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 02311 02312 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02313 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) 02314 { 02315 int ret; 02316 unsigned char *p = ssl->out_msg + 4; 02317 unsigned char *cookie_len_byte; 02318 02319 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); 02320 02321 /* 02322 * struct { 02323 * ProtocolVersion server_version; 02324 * opaque cookie<0..2^8-1>; 02325 * } HelloVerifyRequest; 02326 */ 02327 02328 /* The RFC is not clear on this point, but sending the actual negotiated 02329 * version looks like the most interoperable thing to do. */ 02330 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02331 ssl->conf->transport, p ); 02332 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 02333 p += 2; 02334 02335 /* If we get here, f_cookie_check is not null */ 02336 if( ssl->conf->f_cookie_write == NULL ) 02337 { 02338 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); 02339 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02340 } 02341 02342 /* Skip length byte until we know the length */ 02343 cookie_len_byte = p++; 02344 02345 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, 02346 &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, 02347 ssl->cli_id, ssl->cli_id_len ) ) != 0 ) 02348 { 02349 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); 02350 return( ret ); 02351 } 02352 02353 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); 02354 02355 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); 02356 02357 ssl->out_msglen = p - ssl->out_msg; 02358 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02359 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 02360 02361 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 02362 02363 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02364 { 02365 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02366 return( ret ); 02367 } 02368 02369 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); 02370 02371 return( 0 ); 02372 } 02373 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02374 02375 static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) 02376 { 02377 #if defined(MBEDTLS_HAVE_TIME) 02378 mbedtls_time_t t; 02379 #endif 02380 int ret; 02381 size_t olen, ext_len = 0, n; 02382 unsigned char *buf, *p; 02383 02384 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 02385 02386 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02387 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02388 ssl->handshake->verify_cookie_len != 0 ) 02389 { 02390 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); 02391 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02392 02393 return( ssl_write_hello_verify_request( ssl ) ); 02394 } 02395 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02396 02397 if( ssl->conf->f_rng == NULL ) 02398 { 02399 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 02400 return( MBEDTLS_ERR_SSL_NO_RNG ); 02401 } 02402 02403 /* 02404 * 0 . 0 handshake type 02405 * 1 . 3 handshake length 02406 * 4 . 5 protocol version 02407 * 6 . 9 UNIX time() 02408 * 10 . 37 random bytes 02409 */ 02410 buf = ssl->out_msg; 02411 p = buf + 4; 02412 02413 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02414 ssl->conf->transport, p ); 02415 p += 2; 02416 02417 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 02418 buf[4], buf[5] ) ); 02419 02420 #if defined(MBEDTLS_HAVE_TIME) 02421 t = mbedtls_time( NULL ); 02422 *p++ = (unsigned char)( t >> 24 ); 02423 *p++ = (unsigned char)( t >> 16 ); 02424 *p++ = (unsigned char)( t >> 8 ); 02425 *p++ = (unsigned char)( t ); 02426 02427 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 02428 #else 02429 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 02430 return( ret ); 02431 02432 p += 4; 02433 #endif /* MBEDTLS_HAVE_TIME */ 02434 02435 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 02436 return( ret ); 02437 02438 p += 28; 02439 02440 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 02441 02442 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 02443 02444 /* 02445 * Resume is 0 by default, see ssl_handshake_init(). 02446 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 02447 * If not, try looking up session ID in our cache. 02448 */ 02449 if( ssl->handshake->resume == 0 && 02450 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02451 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && 02452 #endif 02453 ssl->session_negotiate->id_len != 0 && 02454 ssl->conf->f_get_cache != NULL && 02455 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) 02456 { 02457 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 02458 ssl->handshake->resume = 1; 02459 } 02460 02461 if( ssl->handshake->resume == 0 ) 02462 { 02463 /* 02464 * New session, create a new session id, 02465 * unless we're about to issue a session ticket 02466 */ 02467 ssl->state++; 02468 02469 #if defined(MBEDTLS_HAVE_TIME) 02470 ssl->session_negotiate->start = mbedtls_time( NULL ); 02471 #endif 02472 02473 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02474 if( ssl->handshake->new_session_ticket != 0 ) 02475 { 02476 ssl->session_negotiate->id_len = n = 0; 02477 memset( ssl->session_negotiate->id, 0, 32 ); 02478 } 02479 else 02480 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02481 { 02482 ssl->session_negotiate->id_len = n = 32; 02483 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 02484 n ) ) != 0 ) 02485 return( ret ); 02486 } 02487 } 02488 else 02489 { 02490 /* 02491 * Resuming a session 02492 */ 02493 n = ssl->session_negotiate->id_len; 02494 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 02495 02496 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02497 { 02498 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02499 return( ret ); 02500 } 02501 } 02502 02503 /* 02504 * 38 . 38 session id length 02505 * 39 . 38+n session id 02506 * 39+n . 40+n chosen ciphersuite 02507 * 41+n . 41+n chosen compression alg. 02508 * 42+n . 43+n extensions length 02509 * 44+n . 43+n+m extensions 02510 */ 02511 *p++ = (unsigned char) ssl->session_negotiate->id_len; 02512 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); 02513 p += ssl->session_negotiate->id_len; 02514 02515 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 02516 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 02517 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 02518 ssl->handshake->resume ? "a" : "no" ) ); 02519 02520 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 02521 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 02522 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 02523 02524 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 02525 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 02526 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 02527 ssl->session_negotiate->compression ) ); 02528 02529 /* Do not write the extensions if the protocol is SSLv3 */ 02530 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02531 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 02532 { 02533 #endif 02534 02535 /* 02536 * First write extensions, then the total length 02537 */ 02538 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 02539 ext_len += olen; 02540 02541 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02542 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 02543 ext_len += olen; 02544 #endif 02545 02546 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02547 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 02548 ext_len += olen; 02549 #endif 02550 02551 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02552 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 02553 ext_len += olen; 02554 #endif 02555 02556 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02557 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 02558 ext_len += olen; 02559 #endif 02560 02561 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02562 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 02563 ext_len += olen; 02564 #endif 02565 02566 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02567 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02568 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 02569 ext_len += olen; 02570 #endif 02571 02572 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02573 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 02574 ext_len += olen; 02575 #endif 02576 02577 #if defined(MBEDTLS_SSL_ALPN) 02578 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 02579 ext_len += olen; 02580 #endif 02581 02582 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 02583 02584 if( ext_len > 0 ) 02585 { 02586 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02587 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02588 p += ext_len; 02589 } 02590 02591 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02592 } 02593 #endif 02594 02595 ssl->out_msglen = p - buf; 02596 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02597 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 02598 02599 ret = mbedtls_ssl_write_record( ssl ); 02600 02601 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02602 02603 return( ret ); 02604 } 02605 02606 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02607 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02608 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02609 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02610 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02611 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02612 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02613 { 02614 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02615 ssl->transform_negotiate->ciphersuite_info; 02616 02617 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02618 02619 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02620 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02621 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02622 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02623 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02624 { 02625 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02626 ssl->state++; 02627 return( 0 ); 02628 } 02629 02630 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02631 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02632 } 02633 #else 02634 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02635 { 02636 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02637 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02638 ssl->transform_negotiate->ciphersuite_info; 02639 size_t dn_size, total_dn_size; /* excluding length bytes */ 02640 size_t ct_len, sa_len; /* including length bytes */ 02641 unsigned char *buf, *p; 02642 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02643 const mbedtls_x509_crt *crt; 02644 int authmode; 02645 02646 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02647 02648 ssl->state++; 02649 02650 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02651 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 02652 authmode = ssl->handshake->sni_authmode; 02653 else 02654 #endif 02655 authmode = ssl->conf->authmode; 02656 02657 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02658 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02659 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02660 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02661 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 02662 authmode == MBEDTLS_SSL_VERIFY_NONE ) 02663 { 02664 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02665 return( 0 ); 02666 } 02667 02668 /* 02669 * 0 . 0 handshake type 02670 * 1 . 3 handshake length 02671 * 4 . 4 cert type count 02672 * 5 .. m-1 cert types 02673 * m .. m+1 sig alg length (TLS 1.2 only) 02674 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02675 * n .. n+1 length of all DNs 02676 * n+2 .. n+3 length of DN 1 02677 * n+4 .. ... Distinguished Name #1 02678 * ... .. ... length of DN 2, etc. 02679 */ 02680 buf = ssl->out_msg; 02681 p = buf + 4; 02682 02683 /* 02684 * Supported certificate types 02685 * 02686 * ClientCertificateType certificate_types<1..2^8-1>; 02687 * enum { (255) } ClientCertificateType; 02688 */ 02689 ct_len = 0; 02690 02691 #if defined(MBEDTLS_RSA_C) 02692 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02693 #endif 02694 #if defined(MBEDTLS_ECDSA_C) 02695 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02696 #endif 02697 02698 p[0] = (unsigned char) ct_len++; 02699 p += ct_len; 02700 02701 sa_len = 0; 02702 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02703 /* 02704 * Add signature_algorithms for verify (TLS 1.2) 02705 * 02706 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02707 * 02708 * struct { 02709 * HashAlgorithm hash; 02710 * SignatureAlgorithm signature; 02711 * } SignatureAndHashAlgorithm; 02712 * 02713 * enum { (255) } HashAlgorithm; 02714 * enum { (255) } SignatureAlgorithm; 02715 */ 02716 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02717 { 02718 const int *cur; 02719 02720 /* 02721 * Supported signature algorithms 02722 */ 02723 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 02724 { 02725 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur ); 02726 02727 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) 02728 continue; 02729 02730 #if defined(MBEDTLS_RSA_C) 02731 p[2 + sa_len++] = hash; 02732 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; 02733 #endif 02734 #if defined(MBEDTLS_ECDSA_C) 02735 p[2 + sa_len++] = hash; 02736 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; 02737 #endif 02738 } 02739 02740 p[0] = (unsigned char)( sa_len >> 8 ); 02741 p[1] = (unsigned char)( sa_len ); 02742 sa_len += 2; 02743 p += sa_len; 02744 } 02745 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02746 02747 /* 02748 * DistinguishedName certificate_authorities<0..2^16-1>; 02749 * opaque DistinguishedName<1..2^16-1>; 02750 */ 02751 p += 2; 02752 02753 total_dn_size = 0; 02754 02755 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) 02756 { 02757 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02758 if( ssl->handshake->sni_ca_chain != NULL ) 02759 crt = ssl->handshake->sni_ca_chain; 02760 else 02761 #endif 02762 crt = ssl->conf->ca_chain; 02763 02764 while( crt != NULL && crt->version != 0 ) 02765 { 02766 dn_size = crt->subject_raw.len; 02767 02768 if( end < p || 02769 (size_t)( end - p ) < dn_size || 02770 (size_t)( end - p ) < 2 + dn_size ) 02771 { 02772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); 02773 break; 02774 } 02775 02776 *p++ = (unsigned char)( dn_size >> 8 ); 02777 *p++ = (unsigned char)( dn_size ); 02778 memcpy( p, crt->subject_raw.p, dn_size ); 02779 p += dn_size; 02780 02781 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); 02782 02783 total_dn_size += 2 + dn_size; 02784 crt = crt->next; 02785 } 02786 } 02787 02788 ssl->out_msglen = p - buf; 02789 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02790 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 02791 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02792 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02793 02794 ret = mbedtls_ssl_write_record( ssl ); 02795 02796 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 02797 02798 return( ret ); 02799 } 02800 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02801 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02802 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 02803 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02804 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 02805 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02806 02807 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02808 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02809 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02810 { 02811 int ret; 02812 02813 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) 02814 { 02815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02816 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02817 } 02818 02819 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, 02820 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), 02821 MBEDTLS_ECDH_OURS ) ) != 0 ) 02822 { 02823 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02824 return( ret ); 02825 } 02826 02827 return( 0 ); 02828 } 02829 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02830 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02831 02832 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) 02833 { 02834 int ret; 02835 size_t n = 0; 02836 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02837 ssl->transform_negotiate->ciphersuite_info; 02838 02839 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) 02840 unsigned char *p = ssl->out_msg + 4; 02841 size_t len; 02842 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02843 unsigned char *dig_signed = p; 02844 size_t dig_signed_len = 0; 02845 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02846 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */ 02847 02848 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 02849 02850 /* 02851 * 02852 * Part 1: Extract static ECDH parameters and abort 02853 * if ServerKeyExchange not needed. 02854 * 02855 */ 02856 02857 /* For suites involving ECDH, extract DH parameters 02858 * from certificate at this point. */ 02859 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED) 02860 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) 02861 { 02862 ssl_get_ecdh_params_from_cert( ssl ); 02863 } 02864 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */ 02865 02866 /* Key exchanges not involving ephemeral keys don't use 02867 * ServerKeyExchange, so end here. */ 02868 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) 02869 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) ) 02870 { 02871 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02872 ssl->state++; 02873 return( 0 ); 02874 } 02875 #endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */ 02876 02877 /* 02878 * 02879 * Part 2: Provide key exchange parameters for chosen ciphersuite. 02880 * 02881 */ 02882 02883 /* 02884 * - ECJPAKE key exchanges 02885 */ 02886 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02887 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02888 { 02889 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02890 02891 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02892 p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng ); 02893 if( ret != 0 ) 02894 { 02895 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02896 return( ret ); 02897 } 02898 02899 p += len; 02900 n += len; 02901 } 02902 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02903 02904 /* 02905 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support 02906 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, 02907 * we use empty support identity hints here. 02908 **/ 02909 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02910 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02911 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02912 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02913 { 02914 *(p++) = 0x00; 02915 *(p++) = 0x00; 02916 02917 n += 2; 02918 } 02919 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 02920 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02921 02922 /* 02923 * - DHE key exchanges 02924 */ 02925 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) 02926 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) 02927 { 02928 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) 02929 { 02930 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); 02931 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02932 } 02933 02934 /* 02935 * Ephemeral DH parameters: 02936 * 02937 * struct { 02938 * opaque dh_p<1..2^16-1>; 02939 * opaque dh_g<1..2^16-1>; 02940 * opaque dh_Ys<1..2^16-1>; 02941 * } ServerDHParams; 02942 */ 02943 if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 || 02944 ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 ) 02945 { 02946 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); 02947 return( ret ); 02948 } 02949 02950 if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx, 02951 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02952 p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02953 { 02954 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); 02955 return( ret ); 02956 } 02957 02958 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02959 dig_signed = p; 02960 dig_signed_len = len; 02961 #endif 02962 02963 p += len; 02964 n += len; 02965 02966 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02967 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02968 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02969 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02970 } 02971 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */ 02972 02973 /* 02974 * - ECDHE key exchanges 02975 */ 02976 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 02977 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) 02978 { 02979 /* 02980 * Ephemeral ECDH parameters: 02981 * 02982 * struct { 02983 * ECParameters curve_params; 02984 * ECPoint public; 02985 * } ServerECDHParams; 02986 */ 02987 const mbedtls_ecp_curve_info **curve = NULL; 02988 const mbedtls_ecp_group_id *gid; 02989 02990 /* Match our preference list against the offered curves */ 02991 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 02992 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 02993 if( (*curve)->grp_id == *gid ) 02994 goto curve_matching_done; 02995 02996 curve_matching_done: 02997 if( curve == NULL || *curve == NULL ) 02998 { 02999 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 03000 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 03001 } 03002 03003 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 03004 03005 if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp, 03006 (*curve)->grp_id ) ) != 0 ) 03007 { 03008 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); 03009 return( ret ); 03010 } 03011 03012 if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, 03013 p, MBEDTLS_SSL_MAX_CONTENT_LEN - n, 03014 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03015 { 03016 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); 03017 return( ret ); 03018 } 03019 03020 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03021 dig_signed = p; 03022 dig_signed_len = len; 03023 #endif 03024 03025 p += len; 03026 n += len; 03027 03028 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); 03029 } 03030 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 03031 03032 /* 03033 * 03034 * Part 3: For key exchanges involving the server signing the 03035 * exchange parameters, compute and add the signature here. 03036 * 03037 */ 03038 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03039 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 03040 { 03041 size_t signature_len = 0; 03042 unsigned int hashlen = 0; 03043 unsigned char hash[64]; 03044 03045 /* 03046 * 3.1: Choose hash algorithm: 03047 * A: For TLS 1.2, obey signature-hash-algorithm extension 03048 * to choose appropriate hash. 03049 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 03050 * (RFC 4492, Sec. 5.4) 03051 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) 03052 */ 03053 03054 mbedtls_md_type_t md_alg; 03055 03056 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03057 mbedtls_pk_type_t sig_alg = 03058 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 03059 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03060 { 03061 /* A: For TLS 1.2, obey signature-hash-algorithm extension 03062 * (RFC 5246, Sec. 7.4.1.4.1). */ 03063 if( sig_alg == MBEDTLS_PK_NONE || 03064 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 03065 sig_alg ) ) == MBEDTLS_MD_NONE ) 03066 { 03067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03068 /* (... because we choose a cipher suite 03069 * only if there is a matching hash.) */ 03070 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03071 } 03072 } 03073 else 03074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03075 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03076 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03077 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 03078 { 03079 /* B: Default hash SHA1 */ 03080 md_alg = MBEDTLS_MD_SHA1; 03081 } 03082 else 03083 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03084 MBEDTLS_SSL_PROTO_TLS1_1 */ 03085 { 03086 /* C: MD5 + SHA1 */ 03087 md_alg = MBEDTLS_MD_NONE; 03088 } 03089 03090 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) ); 03091 03092 /* 03093 * 3.2: Compute the hash to be signed 03094 */ 03095 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03096 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03097 if( md_alg == MBEDTLS_MD_NONE ) 03098 { 03099 mbedtls_md5_context mbedtls_md5; 03100 mbedtls_sha1_context mbedtls_sha1; 03101 03102 mbedtls_md5_init( &mbedtls_md5 ); 03103 mbedtls_sha1_init( &mbedtls_sha1 ); 03104 03105 /* 03106 * digitally-signed struct { 03107 * opaque md5_hash[16]; 03108 * opaque sha_hash[20]; 03109 * }; 03110 * 03111 * md5_hash 03112 * MD5(ClientHello.random + ServerHello.random 03113 * + ServerParams); 03114 * sha_hash 03115 * SHA(ClientHello.random + ServerHello.random 03116 * + ServerParams); 03117 */ 03118 03119 mbedtls_md5_starts( &mbedtls_md5 ); 03120 mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); 03121 mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len ); 03122 mbedtls_md5_finish( &mbedtls_md5, hash ); 03123 03124 mbedtls_sha1_starts( &mbedtls_sha1 ); 03125 mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); 03126 mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len ); 03127 mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); 03128 03129 hashlen = 36; 03130 03131 mbedtls_md5_free( &mbedtls_md5 ); 03132 mbedtls_sha1_free( &mbedtls_sha1 ); 03133 } 03134 else 03135 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03136 MBEDTLS_SSL_PROTO_TLS1_1 */ 03137 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03138 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03139 if( md_alg != MBEDTLS_MD_NONE ) 03140 { 03141 mbedtls_md_context_t ctx; 03142 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 03143 03144 mbedtls_md_init( &ctx ); 03145 03146 /* Info from md_alg will be used instead */ 03147 hashlen = 0; 03148 03149 /* 03150 * digitally-signed struct { 03151 * opaque client_random[32]; 03152 * opaque server_random[32]; 03153 * ServerDHParams params; 03154 * }; 03155 */ 03156 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) 03157 { 03158 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 03159 return( ret ); 03160 } 03161 03162 mbedtls_md_starts( &ctx ); 03163 mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); 03164 mbedtls_md_update( &ctx, dig_signed, dig_signed_len ); 03165 mbedtls_md_finish( &ctx, hash ); 03166 mbedtls_md_free( &ctx ); 03167 } 03168 else 03169 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 03170 MBEDTLS_SSL_PROTO_TLS1_2 */ 03171 { 03172 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03173 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03174 } 03175 03176 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 03177 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 03178 03179 /* 03180 * 3.3: Compute and add the signature 03181 */ 03182 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03183 { 03184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 03185 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03186 } 03187 03188 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03189 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03190 { 03191 /* 03192 * For TLS 1.2, we need to specify signature and hash algorithm 03193 * explicitly through a prefix to the signature. 03194 * 03195 * struct { 03196 * HashAlgorithm hash; 03197 * SignatureAlgorithm signature; 03198 * } SignatureAndHashAlgorithm; 03199 * 03200 * struct { 03201 * SignatureAndHashAlgorithm algorithm; 03202 * opaque signature<0..2^16-1>; 03203 * } DigitallySigned; 03204 * 03205 */ 03206 03207 *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg ); 03208 *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg ); 03209 03210 n += 2; 03211 } 03212 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03213 03214 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen, 03215 p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03216 { 03217 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03218 return( ret ); 03219 } 03220 03221 *(p++) = (unsigned char)( signature_len >> 8 ); 03222 *(p++) = (unsigned char)( signature_len ); 03223 n += 2; 03224 03225 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); 03226 03227 n += signature_len; 03228 } 03229 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03230 03231 /* Done with actual work; add header and send. */ 03232 03233 ssl->out_msglen = 4 + n; 03234 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03235 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 03236 03237 ssl->state++; 03238 03239 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03240 { 03241 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03242 return( ret ); 03243 } 03244 03245 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 03246 03247 return( 0 ); 03248 } 03249 03250 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) 03251 { 03252 int ret; 03253 03254 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 03255 03256 ssl->out_msglen = 4; 03257 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03258 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 03259 03260 ssl->state++; 03261 03262 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03263 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03264 mbedtls_ssl_send_flight_completed( ssl ); 03265 #endif 03266 03267 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03268 { 03269 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03270 return( ret ); 03271 } 03272 03273 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 03274 03275 return( 0 ); 03276 } 03277 03278 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 03279 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03280 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, 03281 const unsigned char *end ) 03282 { 03283 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03284 size_t n; 03285 03286 /* 03287 * Receive G^Y mod P, premaster = (G^Y)^X mod P 03288 */ 03289 if( *p + 2 > end ) 03290 { 03291 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03292 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03293 } 03294 03295 n = ( (*p)[0] << 8 ) | (*p)[1]; 03296 *p += 2; 03297 03298 if( *p + n > end ) 03299 { 03300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03301 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03302 } 03303 03304 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 03305 { 03306 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); 03307 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03308 } 03309 03310 *p += n; 03311 03312 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 03313 03314 return( ret ); 03315 } 03316 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 03317 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03318 03319 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 03320 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03321 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, 03322 const unsigned char *p, 03323 const unsigned char *end, 03324 size_t pms_offset ) 03325 { 03326 int ret; 03327 size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) ); 03328 unsigned char *pms = ssl->handshake->premaster + pms_offset; 03329 unsigned char ver[2]; 03330 unsigned char fake_pms[48], peer_pms[48]; 03331 unsigned char mask; 03332 size_t i, peer_pmslen; 03333 unsigned int diff; 03334 03335 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) 03336 { 03337 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 03338 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03339 } 03340 03341 /* 03342 * Decrypt the premaster using own private RSA key 03343 */ 03344 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03345 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03346 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 03347 { 03348 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 03349 *p++ != ( ( len ) & 0xFF ) ) 03350 { 03351 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03352 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03353 } 03354 } 03355 #endif 03356 03357 if( p + len != end ) 03358 { 03359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03360 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03361 } 03362 03363 mbedtls_ssl_write_version( ssl->handshake->max_major_ver, 03364 ssl->handshake->max_minor_ver, 03365 ssl->conf->transport, ver ); 03366 03367 /* 03368 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 03369 * must not cause the connection to end immediately; instead, send a 03370 * bad_record_mac later in the handshake. 03371 * Also, avoid data-dependant branches here to protect against 03372 * timing-based variants. 03373 */ 03374 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); 03375 if( ret != 0 ) 03376 return( ret ); 03377 03378 ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len, 03379 peer_pms, &peer_pmslen, 03380 sizeof( peer_pms ), 03381 ssl->conf->f_rng, ssl->conf->p_rng ); 03382 03383 diff = (unsigned int) ret; 03384 diff |= peer_pmslen ^ 48; 03385 diff |= peer_pms[0] ^ ver[0]; 03386 diff |= peer_pms[1] ^ ver[1]; 03387 03388 #if defined(MBEDTLS_SSL_DEBUG_ALL) 03389 if( diff != 0 ) 03390 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03391 #endif 03392 03393 if( sizeof( ssl->handshake->premaster ) < pms_offset || 03394 sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) 03395 { 03396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03397 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03398 } 03399 ssl->handshake->pmslen = 48; 03400 03401 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 03402 /* MSVC has a warning about unary minus on unsigned, but this is 03403 * well-defined and precisely what we want to do here */ 03404 #if defined(_MSC_VER) 03405 #pragma warning( push ) 03406 #pragma warning( disable : 4146 ) 03407 #endif 03408 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); 03409 #if defined(_MSC_VER) 03410 #pragma warning( pop ) 03411 #endif 03412 03413 for( i = 0; i < ssl->handshake->pmslen; i++ ) 03414 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); 03415 03416 return( 0 ); 03417 } 03418 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 03419 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03420 03421 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 03422 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, 03423 const unsigned char *end ) 03424 { 03425 int ret = 0; 03426 size_t n; 03427 03428 if( ssl->conf->f_psk == NULL && 03429 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 03430 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 03431 { 03432 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 03433 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03434 } 03435 03436 /* 03437 * Receive client pre-shared key identity name 03438 */ 03439 if( *p + 2 > end ) 03440 { 03441 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03442 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03443 } 03444 03445 n = ( (*p)[0] << 8 ) | (*p)[1]; 03446 *p += 2; 03447 03448 if( n < 1 || n > 65535 || *p + n > end ) 03449 { 03450 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03451 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03452 } 03453 03454 if( ssl->conf->f_psk != NULL ) 03455 { 03456 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) 03457 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03458 } 03459 else 03460 { 03461 /* Identity is not a big secret since clients send it in the clear, 03462 * but treat it carefully anyway, just in case */ 03463 if( n != ssl->conf->psk_identity_len || 03464 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) 03465 { 03466 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03467 } 03468 } 03469 03470 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) 03471 { 03472 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 03473 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03474 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); 03475 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); 03476 } 03477 03478 *p += n; 03479 03480 return( 0 ); 03481 } 03482 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03483 03484 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) 03485 { 03486 int ret; 03487 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 03488 unsigned char *p, *end; 03489 03490 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03491 03492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 03493 03494 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03495 { 03496 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03497 return( ret ); 03498 } 03499 03500 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03501 end = ssl->in_msg + ssl->in_hslen; 03502 03503 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03504 { 03505 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03506 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03507 } 03508 03509 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) 03510 { 03511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03512 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03513 } 03514 03515 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 03516 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 03517 { 03518 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03519 { 03520 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03521 return( ret ); 03522 } 03523 03524 if( p != end ) 03525 { 03526 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03527 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03528 } 03529 03530 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 03531 ssl->handshake->premaster, 03532 MBEDTLS_PREMASTER_SIZE, 03533 &ssl->handshake->pmslen, 03534 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03535 { 03536 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 03537 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03538 } 03539 03540 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03541 } 03542 else 03543 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03544 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03545 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03546 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03547 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03548 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03549 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 03550 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 03551 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 03552 { 03553 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03554 p, end - p) ) != 0 ) 03555 { 03556 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03557 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03558 } 03559 03560 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03561 03562 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03563 &ssl->handshake->pmslen, 03564 ssl->handshake->premaster, 03565 MBEDTLS_MPI_MAX_SIZE, 03566 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03567 { 03568 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 03569 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03570 } 03571 03572 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); 03573 } 03574 else 03575 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03576 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03577 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03578 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03579 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03580 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 03581 { 03582 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03583 { 03584 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03585 return( ret ); 03586 } 03587 03588 if( p != end ) 03589 { 03590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03591 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03592 } 03593 03594 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03595 ciphersuite_info->key_exchange ) ) != 0 ) 03596 { 03597 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03598 return( ret ); 03599 } 03600 } 03601 else 03602 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 03603 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03604 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 03605 { 03606 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03607 { 03608 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03609 return( ret ); 03610 } 03611 03612 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 03613 { 03614 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 03615 return( ret ); 03616 } 03617 03618 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03619 ciphersuite_info->key_exchange ) ) != 0 ) 03620 { 03621 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03622 return( ret ); 03623 } 03624 } 03625 else 03626 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03627 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03628 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 03629 { 03630 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03631 { 03632 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03633 return( ret ); 03634 } 03635 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03636 { 03637 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03638 return( ret ); 03639 } 03640 03641 if( p != end ) 03642 { 03643 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03644 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03645 } 03646 03647 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03648 ciphersuite_info->key_exchange ) ) != 0 ) 03649 { 03650 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03651 return( ret ); 03652 } 03653 } 03654 else 03655 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03656 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03657 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03658 { 03659 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03660 { 03661 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03662 return( ret ); 03663 } 03664 03665 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03666 p, end - p ) ) != 0 ) 03667 { 03668 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03669 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03670 } 03671 03672 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03673 03674 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03675 ciphersuite_info->key_exchange ) ) != 0 ) 03676 { 03677 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03678 return( ret ); 03679 } 03680 } 03681 else 03682 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03683 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03684 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03685 { 03686 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) 03687 { 03688 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 03689 return( ret ); 03690 } 03691 } 03692 else 03693 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03694 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03695 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03696 { 03697 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 03698 p, end - p ); 03699 if( ret != 0 ) 03700 { 03701 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 03702 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 03703 } 03704 03705 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03706 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03707 ssl->conf->f_rng, ssl->conf->p_rng ); 03708 if( ret != 0 ) 03709 { 03710 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03711 return( ret ); 03712 } 03713 } 03714 else 03715 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 03716 { 03717 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03718 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03719 } 03720 03721 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03722 { 03723 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03724 return( ret ); 03725 } 03726 03727 ssl->state++; 03728 03729 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 03730 03731 return( 0 ); 03732 } 03733 03734 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03735 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03736 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03737 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03738 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03739 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03740 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03741 { 03742 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03743 ssl->transform_negotiate->ciphersuite_info; 03744 03745 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03746 03747 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03748 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03749 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03750 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03751 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03752 { 03753 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03754 ssl->state++; 03755 return( 0 ); 03756 } 03757 03758 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03759 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03760 } 03761 #else 03762 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03763 { 03764 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03765 size_t i, sig_len; 03766 unsigned char hash[48]; 03767 unsigned char *hash_start = hash; 03768 size_t hashlen; 03769 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03770 mbedtls_pk_type_t pk_alg; 03771 #endif 03772 mbedtls_md_type_t md_alg; 03773 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03774 ssl->transform_negotiate->ciphersuite_info; 03775 03776 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03777 03778 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03779 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03780 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03781 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03782 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 03783 ssl->session_negotiate->peer_cert == NULL ) 03784 { 03785 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03786 ssl->state++; 03787 return( 0 ); 03788 } 03789 03790 /* Read the message without adding it to the checksum */ 03791 do { 03792 03793 if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 ) 03794 { 03795 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03796 return( ret ); 03797 } 03798 03799 ret = mbedtls_ssl_handle_message_type( ssl ); 03800 03801 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ); 03802 03803 if( 0 != ret ) 03804 { 03805 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); 03806 return( ret ); 03807 } 03808 03809 ssl->state++; 03810 03811 /* Process the message contents */ 03812 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 03813 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) 03814 { 03815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03816 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03817 } 03818 03819 i = mbedtls_ssl_hs_hdr_len( ssl ); 03820 03821 /* 03822 * struct { 03823 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 03824 * opaque signature<0..2^16-1>; 03825 * } DigitallySigned; 03826 */ 03827 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03828 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03829 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03830 { 03831 md_alg = MBEDTLS_MD_NONE; 03832 hashlen = 36; 03833 03834 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 03835 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 03836 MBEDTLS_PK_ECDSA ) ) 03837 { 03838 hash_start += 16; 03839 hashlen -= 16; 03840 md_alg = MBEDTLS_MD_SHA1; 03841 } 03842 } 03843 else 03844 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || 03845 MBEDTLS_SSL_PROTO_TLS1_1 */ 03846 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03847 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03848 { 03849 if( i + 2 > ssl->in_hslen ) 03850 { 03851 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03852 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03853 } 03854 03855 /* 03856 * Hash 03857 */ 03858 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] ); 03859 03860 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) ) 03861 { 03862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03863 " for verify message" ) ); 03864 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03865 } 03866 03867 #if !defined(MBEDTLS_MD_SHA1) 03868 if( MBEDTLS_MD_SHA1 == md_alg ) 03869 hash_start += 16; 03870 #endif 03871 03872 /* Info from md_alg will be used instead */ 03873 hashlen = 0; 03874 03875 i++; 03876 03877 /* 03878 * Signature 03879 */ 03880 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) 03881 == MBEDTLS_PK_NONE ) 03882 { 03883 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03884 " for verify message" ) ); 03885 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03886 } 03887 03888 /* 03889 * Check the certificate's key type matches the signature alg 03890 */ 03891 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 03892 { 03893 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 03894 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03895 } 03896 03897 i++; 03898 } 03899 else 03900 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03901 { 03902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03903 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03904 } 03905 03906 if( i + 2 > ssl->in_hslen ) 03907 { 03908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03909 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03910 } 03911 03912 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; 03913 i += 2; 03914 03915 if( i + sig_len != ssl->in_hslen ) 03916 { 03917 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03918 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03919 } 03920 03921 /* Calculate hash and verify signature */ 03922 ssl->handshake->calc_verify( ssl, hash ); 03923 03924 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 03925 md_alg, hash_start, hashlen, 03926 ssl->in_msg + i, sig_len ) ) != 0 ) 03927 { 03928 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 03929 return( ret ); 03930 } 03931 03932 mbedtls_ssl_update_handshake_status( ssl ); 03933 03934 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 03935 03936 return( ret ); 03937 } 03938 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03939 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03940 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03941 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03942 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03943 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03944 03945 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03946 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) 03947 { 03948 int ret; 03949 size_t tlen; 03950 uint32_t lifetime; 03951 03952 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 03953 03954 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03955 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 03956 03957 /* 03958 * struct { 03959 * uint32 ticket_lifetime_hint; 03960 * opaque ticket<0..2^16-1>; 03961 * } NewSessionTicket; 03962 * 03963 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 03964 * 8 . 9 ticket_len (n) 03965 * 10 . 9+n ticket content 03966 */ 03967 03968 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, 03969 ssl->session_negotiate, 03970 ssl->out_msg + 10, 03971 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, 03972 &tlen, &lifetime ) ) != 0 ) 03973 { 03974 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); 03975 tlen = 0; 03976 } 03977 03978 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 03979 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 03980 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 03981 ssl->out_msg[7] = ( lifetime ) & 0xFF; 03982 03983 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 03984 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 03985 03986 ssl->out_msglen = 10 + tlen; 03987 03988 /* 03989 * Morally equivalent to updating ssl->state, but NewSessionTicket and 03990 * ChangeCipherSpec share the same state. 03991 */ 03992 ssl->handshake->new_session_ticket = 0; 03993 03994 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03995 { 03996 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03997 return( ret ); 03998 } 03999 04000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 04001 04002 return( 0 ); 04003 } 04004 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 04005 04006 /* 04007 * SSL handshake -- server side -- single step 04008 */ 04009 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) 04010 { 04011 int ret = 0; 04012 04013 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 04014 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04015 04016 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 04017 04018 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 04019 return( ret ); 04020 04021 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04022 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04023 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 04024 { 04025 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 04026 return( ret ); 04027 } 04028 #endif 04029 04030 switch( ssl->state ) 04031 { 04032 case MBEDTLS_SSL_HELLO_REQUEST: 04033 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 04034 break; 04035 04036 /* 04037 * <== ClientHello 04038 */ 04039 case MBEDTLS_SSL_CLIENT_HELLO: 04040 ret = ssl_parse_client_hello( ssl ); 04041 break; 04042 04043 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04044 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 04045 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 04046 #endif 04047 04048 /* 04049 * ==> ServerHello 04050 * Certificate 04051 * ( ServerKeyExchange ) 04052 * ( CertificateRequest ) 04053 * ServerHelloDone 04054 */ 04055 case MBEDTLS_SSL_SERVER_HELLO: 04056 ret = ssl_write_server_hello( ssl ); 04057 break; 04058 04059 case MBEDTLS_SSL_SERVER_CERTIFICATE: 04060 ret = mbedtls_ssl_write_certificate( ssl ); 04061 break; 04062 04063 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 04064 ret = ssl_write_server_key_exchange( ssl ); 04065 break; 04066 04067 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 04068 ret = ssl_write_certificate_request( ssl ); 04069 break; 04070 04071 case MBEDTLS_SSL_SERVER_HELLO_DONE: 04072 ret = ssl_write_server_hello_done( ssl ); 04073 break; 04074 04075 /* 04076 * <== ( Certificate/Alert ) 04077 * ClientKeyExchange 04078 * ( CertificateVerify ) 04079 * ChangeCipherSpec 04080 * Finished 04081 */ 04082 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 04083 ret = mbedtls_ssl_parse_certificate( ssl ); 04084 break; 04085 04086 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 04087 ret = ssl_parse_client_key_exchange( ssl ); 04088 break; 04089 04090 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 04091 ret = ssl_parse_certificate_verify( ssl ); 04092 break; 04093 04094 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 04095 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 04096 break; 04097 04098 case MBEDTLS_SSL_CLIENT_FINISHED: 04099 ret = mbedtls_ssl_parse_finished( ssl ); 04100 break; 04101 04102 /* 04103 * ==> ( NewSessionTicket ) 04104 * ChangeCipherSpec 04105 * Finished 04106 */ 04107 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 04108 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 04109 if( ssl->handshake->new_session_ticket != 0 ) 04110 ret = ssl_write_new_session_ticket( ssl ); 04111 else 04112 #endif 04113 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 04114 break; 04115 04116 case MBEDTLS_SSL_SERVER_FINISHED: 04117 ret = mbedtls_ssl_write_finished( ssl ); 04118 break; 04119 04120 case MBEDTLS_SSL_FLUSH_BUFFERS: 04121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 04122 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 04123 break; 04124 04125 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 04126 mbedtls_ssl_handshake_wrapup( ssl ); 04127 break; 04128 04129 default: 04130 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 04131 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04132 } 04133 04134 return( ret ); 04135 } 04136 #endif /* MBEDTLS_SSL_SRV_C */
Generated on Tue Jul 12 2022 17:25:43 by
