Arcola
/
mbedtls
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
mbedtls
by 
Mark Radbourne
Embed:
(wiki syntax)
Show/hide line numbers
ssl_tls.c
00001 /* 00002 * SSLv3/TLSv1 shared functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The SSL 3.0 specification was drafted by Netscape in 1996, 00023 * and became an IETF standard in 1999. 00024 * 00025 * http://wp.netscape.com/eng/ssl3/ 00026 * http://www.ietf.org/rfc/rfc2246.txt 00027 * http://www.ietf.org/rfc/rfc4346.txt 00028 */ 00029 00030 #if !defined(MBEDTLS_CONFIG_FILE) 00031 #include "mbedtls/config.h" 00032 #else 00033 #include MBEDTLS_CONFIG_FILE 00034 #endif 00035 00036 #if defined(MBEDTLS_SSL_TLS_C) 00037 00038 #if defined(MBEDTLS_PLATFORM_C) 00039 #include "mbedtls/platform.h" 00040 #else 00041 #include <stdlib.h> 00042 #define mbedtls_calloc calloc 00043 #define mbedtls_free free 00044 #endif 00045 00046 #include "mbedtls/debug.h" 00047 #include "mbedtls/ssl.h" 00048 #include "mbedtls/ssl_internal.h" 00049 00050 #include <string.h> 00051 00052 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00053 #include "mbedtls/oid.h" 00054 #endif 00055 00056 /* Implementation that should never be optimized out by the compiler */ 00057 static void mbedtls_zeroize( void *v, size_t n ) { 00058 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00059 } 00060 00061 /* Length of the "epoch" field in the record header */ 00062 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) 00063 { 00064 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00065 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00066 return( 2 ); 00067 #else 00068 ((void) ssl); 00069 #endif 00070 return( 0 ); 00071 } 00072 00073 /* 00074 * Start a timer. 00075 * Passing millisecs = 0 cancels a running timer. 00076 */ 00077 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) 00078 { 00079 if( ssl->f_set_timer == NULL ) 00080 return; 00081 00082 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); 00083 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); 00084 } 00085 00086 /* 00087 * Return -1 is timer is expired, 0 if it isn't. 00088 */ 00089 static int ssl_check_timer( mbedtls_ssl_context *ssl ) 00090 { 00091 if( ssl->f_get_timer == NULL ) 00092 return( 0 ); 00093 00094 if( ssl->f_get_timer( ssl->p_timer ) == 2 ) 00095 { 00096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); 00097 return( -1 ); 00098 } 00099 00100 return( 0 ); 00101 } 00102 00103 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00104 /* 00105 * Double the retransmit timeout value, within the allowed range, 00106 * returning -1 if the maximum value has already been reached. 00107 */ 00108 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) 00109 { 00110 uint32_t new_timeout; 00111 00112 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) 00113 return( -1 ); 00114 00115 new_timeout = 2 * ssl->handshake->retransmit_timeout; 00116 00117 /* Avoid arithmetic overflow and range overflow */ 00118 if( new_timeout < ssl->handshake->retransmit_timeout || 00119 new_timeout > ssl->conf->hs_timeout_max ) 00120 { 00121 new_timeout = ssl->conf->hs_timeout_max; 00122 } 00123 00124 ssl->handshake->retransmit_timeout = new_timeout; 00125 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00126 ssl->handshake->retransmit_timeout ) ); 00127 00128 return( 0 ); 00129 } 00130 00131 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) 00132 { 00133 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; 00134 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00135 ssl->handshake->retransmit_timeout ) ); 00136 } 00137 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00138 00139 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00140 /* 00141 * Convert max_fragment_length codes to length. 00142 * RFC 6066 says: 00143 * enum{ 00144 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 00145 * } MaxFragmentLength; 00146 * and we add 0 -> extension unused 00147 */ 00148 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] = 00149 { 00150 MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */ 00151 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */ 00152 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */ 00153 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */ 00154 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */ 00155 }; 00156 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00157 00158 #if defined(MBEDTLS_SSL_CLI_C) 00159 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ) 00160 { 00161 mbedtls_ssl_session_free( dst ); 00162 memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); 00163 00164 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00165 if( src->peer_cert != NULL ) 00166 { 00167 int ret; 00168 00169 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); 00170 if( dst->peer_cert == NULL ) 00171 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00172 00173 mbedtls_x509_crt_init( dst->peer_cert ); 00174 00175 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p, 00176 src->peer_cert->raw.len ) ) != 0 ) 00177 { 00178 mbedtls_free( dst->peer_cert ); 00179 dst->peer_cert = NULL; 00180 return( ret ); 00181 } 00182 } 00183 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00184 00185 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 00186 if( src->ticket != NULL ) 00187 { 00188 dst->ticket = mbedtls_calloc( 1, src->ticket_len ); 00189 if( dst->ticket == NULL ) 00190 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00191 00192 memcpy( dst->ticket, src->ticket, src->ticket_len ); 00193 } 00194 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 00195 00196 return( 0 ); 00197 } 00198 #endif /* MBEDTLS_SSL_CLI_C */ 00199 00200 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00201 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, 00202 const unsigned char *key_enc, const unsigned char *key_dec, 00203 size_t keylen, 00204 const unsigned char *iv_enc, const unsigned char *iv_dec, 00205 size_t ivlen, 00206 const unsigned char *mac_enc, const unsigned char *mac_dec, 00207 size_t maclen ) = NULL; 00208 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL; 00209 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL; 00210 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL; 00211 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; 00212 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; 00213 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00214 00215 /* 00216 * Key material generation 00217 */ 00218 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00219 static int ssl3_prf( const unsigned char *secret, size_t slen, 00220 const char *label, 00221 const unsigned char *random, size_t rlen, 00222 unsigned char *dstbuf, size_t dlen ) 00223 { 00224 size_t i; 00225 mbedtls_md5_context md5; 00226 mbedtls_sha1_context sha1; 00227 unsigned char padding[16]; 00228 unsigned char sha1sum[20]; 00229 ((void)label); 00230 00231 mbedtls_md5_init( &md5 ); 00232 mbedtls_sha1_init( &sha1 ); 00233 00234 /* 00235 * SSLv3: 00236 * block = 00237 * MD5( secret + SHA1( 'A' + secret + random ) ) + 00238 * MD5( secret + SHA1( 'BB' + secret + random ) ) + 00239 * MD5( secret + SHA1( 'CCC' + secret + random ) ) + 00240 * ... 00241 */ 00242 for( i = 0; i < dlen / 16; i++ ) 00243 { 00244 memset( padding, (unsigned char) ('A' + i), 1 + i ); 00245 00246 mbedtls_sha1_starts( &sha1 ); 00247 mbedtls_sha1_update( &sha1, padding, 1 + i ); 00248 mbedtls_sha1_update( &sha1, secret, slen ); 00249 mbedtls_sha1_update( &sha1, random, rlen ); 00250 mbedtls_sha1_finish( &sha1, sha1sum ); 00251 00252 mbedtls_md5_starts( &md5 ); 00253 mbedtls_md5_update( &md5, secret, slen ); 00254 mbedtls_md5_update( &md5, sha1sum, 20 ); 00255 mbedtls_md5_finish( &md5, dstbuf + i * 16 ); 00256 } 00257 00258 mbedtls_md5_free( &md5 ); 00259 mbedtls_sha1_free( &sha1 ); 00260 00261 mbedtls_zeroize( padding, sizeof( padding ) ); 00262 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 00263 00264 return( 0 ); 00265 } 00266 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00267 00268 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00269 static int tls1_prf( const unsigned char *secret, size_t slen, 00270 const char *label, 00271 const unsigned char *random, size_t rlen, 00272 unsigned char *dstbuf, size_t dlen ) 00273 { 00274 size_t nb, hs; 00275 size_t i, j, k; 00276 const unsigned char *S1, *S2; 00277 unsigned char tmp[128]; 00278 unsigned char h_i[20]; 00279 const mbedtls_md_info_t *md_info; 00280 mbedtls_md_context_t md_ctx; 00281 int ret; 00282 00283 mbedtls_md_init( &md_ctx ); 00284 00285 if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) 00286 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00287 00288 hs = ( slen + 1 ) / 2; 00289 S1 = secret; 00290 S2 = secret + slen - hs; 00291 00292 nb = strlen( label ); 00293 memcpy( tmp + 20, label, nb ); 00294 memcpy( tmp + 20 + nb, random, rlen ); 00295 nb += rlen; 00296 00297 /* 00298 * First compute P_md5(secret,label+random)[0..dlen] 00299 */ 00300 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) 00301 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00302 00303 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00304 return( ret ); 00305 00306 mbedtls_md_hmac_starts( &md_ctx, S1, hs ); 00307 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00308 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00309 00310 for( i = 0; i < dlen; i += 16 ) 00311 { 00312 mbedtls_md_hmac_reset ( &md_ctx ); 00313 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); 00314 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00315 00316 mbedtls_md_hmac_reset ( &md_ctx ); 00317 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); 00318 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00319 00320 k = ( i + 16 > dlen ) ? dlen % 16 : 16; 00321 00322 for( j = 0; j < k; j++ ) 00323 dstbuf[i + j] = h_i[j]; 00324 } 00325 00326 mbedtls_md_free( &md_ctx ); 00327 00328 /* 00329 * XOR out with P_sha1(secret,label+random)[0..dlen] 00330 */ 00331 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) 00332 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00333 00334 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00335 return( ret ); 00336 00337 mbedtls_md_hmac_starts( &md_ctx, S2, hs ); 00338 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00339 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00340 00341 for( i = 0; i < dlen; i += 20 ) 00342 { 00343 mbedtls_md_hmac_reset ( &md_ctx ); 00344 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); 00345 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00346 00347 mbedtls_md_hmac_reset ( &md_ctx ); 00348 mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); 00349 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00350 00351 k = ( i + 20 > dlen ) ? dlen % 20 : 20; 00352 00353 for( j = 0; j < k; j++ ) 00354 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); 00355 } 00356 00357 mbedtls_md_free( &md_ctx ); 00358 00359 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00360 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00361 00362 return( 0 ); 00363 } 00364 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ 00365 00366 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00367 static int tls_prf_generic( mbedtls_md_type_t md_type, 00368 const unsigned char *secret, size_t slen, 00369 const char *label, 00370 const unsigned char *random, size_t rlen, 00371 unsigned char *dstbuf, size_t dlen ) 00372 { 00373 size_t nb; 00374 size_t i, j, k, md_len; 00375 unsigned char tmp[128]; 00376 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 00377 const mbedtls_md_info_t *md_info; 00378 mbedtls_md_context_t md_ctx; 00379 int ret; 00380 00381 mbedtls_md_init( &md_ctx ); 00382 00383 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL ) 00384 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00385 00386 md_len = mbedtls_md_get_size( md_info ); 00387 00388 if( sizeof( tmp ) < md_len + strlen( label ) + rlen ) 00389 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00390 00391 nb = strlen( label ); 00392 memcpy( tmp + md_len, label, nb ); 00393 memcpy( tmp + md_len + nb, random, rlen ); 00394 nb += rlen; 00395 00396 /* 00397 * Compute P_<hash>(secret, label + random)[0..dlen] 00398 */ 00399 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00400 return( ret ); 00401 00402 mbedtls_md_hmac_starts( &md_ctx, secret, slen ); 00403 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); 00404 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00405 00406 for( i = 0; i < dlen; i += md_len ) 00407 { 00408 mbedtls_md_hmac_reset ( &md_ctx ); 00409 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); 00410 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00411 00412 mbedtls_md_hmac_reset ( &md_ctx ); 00413 mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); 00414 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00415 00416 k = ( i + md_len > dlen ) ? dlen % md_len : md_len; 00417 00418 for( j = 0; j < k; j++ ) 00419 dstbuf[i + j] = h_i[j]; 00420 } 00421 00422 mbedtls_md_free( &md_ctx ); 00423 00424 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00425 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00426 00427 return( 0 ); 00428 } 00429 00430 #if defined(MBEDTLS_SHA256_C) 00431 static int tls_prf_sha256( const unsigned char *secret, size_t slen, 00432 const char *label, 00433 const unsigned char *random, size_t rlen, 00434 unsigned char *dstbuf, size_t dlen ) 00435 { 00436 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen, 00437 label, random, rlen, dstbuf, dlen ) ); 00438 } 00439 #endif /* MBEDTLS_SHA256_C */ 00440 00441 #if defined(MBEDTLS_SHA512_C) 00442 static int tls_prf_sha384( const unsigned char *secret, size_t slen, 00443 const char *label, 00444 const unsigned char *random, size_t rlen, 00445 unsigned char *dstbuf, size_t dlen ) 00446 { 00447 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen, 00448 label, random, rlen, dstbuf, dlen ) ); 00449 } 00450 #endif /* MBEDTLS_SHA512_C */ 00451 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00452 00453 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); 00454 00455 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 00456 defined(MBEDTLS_SSL_PROTO_TLS1_1) 00457 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); 00458 #endif 00459 00460 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00461 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * ); 00462 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int ); 00463 #endif 00464 00465 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00466 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * ); 00467 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); 00468 #endif 00469 00470 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00471 #if defined(MBEDTLS_SHA256_C) 00472 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); 00473 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * ); 00474 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int ); 00475 #endif 00476 00477 #if defined(MBEDTLS_SHA512_C) 00478 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t ); 00479 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * ); 00480 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); 00481 #endif 00482 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00483 00484 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) 00485 { 00486 int ret = 0; 00487 unsigned char tmp[64]; 00488 unsigned char keyblk[256]; 00489 unsigned char *key1; 00490 unsigned char *key2; 00491 unsigned char *mac_enc; 00492 unsigned char *mac_dec; 00493 size_t iv_copy_len; 00494 const mbedtls_cipher_info_t *cipher_info; 00495 const mbedtls_md_info_t *md_info; 00496 00497 mbedtls_ssl_session *session = ssl->session_negotiate; 00498 mbedtls_ssl_transform *transform = ssl->transform_negotiate; 00499 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 00500 00501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); 00502 00503 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); 00504 if( cipher_info == NULL ) 00505 { 00506 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", 00507 transform->ciphersuite_info->cipher ) ); 00508 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00509 } 00510 00511 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); 00512 if( md_info == NULL ) 00513 { 00514 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", 00515 transform->ciphersuite_info->mac ) ); 00516 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00517 } 00518 00519 /* 00520 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions 00521 */ 00522 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00523 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00524 { 00525 handshake->tls_prf = ssl3_prf; 00526 handshake->calc_verify = ssl_calc_verify_ssl; 00527 handshake->calc_finished = ssl_calc_finished_ssl; 00528 } 00529 else 00530 #endif 00531 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00532 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 00533 { 00534 handshake->tls_prf = tls1_prf; 00535 handshake->calc_verify = ssl_calc_verify_tls; 00536 handshake->calc_finished = ssl_calc_finished_tls; 00537 } 00538 else 00539 #endif 00540 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00541 #if defined(MBEDTLS_SHA512_C) 00542 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 00543 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 00544 { 00545 handshake->tls_prf = tls_prf_sha384; 00546 handshake->calc_verify = ssl_calc_verify_tls_sha384; 00547 handshake->calc_finished = ssl_calc_finished_tls_sha384; 00548 } 00549 else 00550 #endif 00551 #if defined(MBEDTLS_SHA256_C) 00552 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00553 { 00554 handshake->tls_prf = tls_prf_sha256; 00555 handshake->calc_verify = ssl_calc_verify_tls_sha256; 00556 handshake->calc_finished = ssl_calc_finished_tls_sha256; 00557 } 00558 else 00559 #endif 00560 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00561 { 00562 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00563 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00564 } 00565 00566 /* 00567 * SSLv3: 00568 * master = 00569 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) + 00570 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) + 00571 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) ) 00572 * 00573 * TLSv1+: 00574 * master = PRF( premaster, "master secret", randbytes )[0..47] 00575 */ 00576 if( handshake->resume == 0 ) 00577 { 00578 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, 00579 handshake->pmslen ); 00580 00581 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00582 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED ) 00583 { 00584 unsigned char session_hash[48]; 00585 size_t hash_len; 00586 00587 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) ); 00588 00589 ssl->handshake->calc_verify( ssl, session_hash ); 00590 00591 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00592 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00593 { 00594 #if defined(MBEDTLS_SHA512_C) 00595 if( ssl->transform_negotiate->ciphersuite_info->mac == 00596 MBEDTLS_MD_SHA384 ) 00597 { 00598 hash_len = 48; 00599 } 00600 else 00601 #endif 00602 hash_len = 32; 00603 } 00604 else 00605 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00606 hash_len = 36; 00607 00608 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len ); 00609 00610 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00611 "extended master secret", 00612 session_hash, hash_len, 00613 session->master, 48 ); 00614 if( ret != 0 ) 00615 { 00616 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00617 return( ret ); 00618 } 00619 00620 } 00621 else 00622 #endif 00623 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00624 "master secret", 00625 handshake->randbytes, 64, 00626 session->master, 48 ); 00627 if( ret != 0 ) 00628 { 00629 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00630 return( ret ); 00631 } 00632 00633 mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) ); 00634 } 00635 else 00636 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); 00637 00638 /* 00639 * Swap the client and server random values. 00640 */ 00641 memcpy( tmp, handshake->randbytes, 64 ); 00642 memcpy( handshake->randbytes, tmp + 32, 32 ); 00643 memcpy( handshake->randbytes + 32, tmp, 32 ); 00644 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00645 00646 /* 00647 * SSLv3: 00648 * key block = 00649 * MD5( master + SHA1( 'A' + master + randbytes ) ) + 00650 * MD5( master + SHA1( 'BB' + master + randbytes ) ) + 00651 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) + 00652 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) + 00653 * ... 00654 * 00655 * TLSv1: 00656 * key block = PRF( master, "key expansion", randbytes ) 00657 */ 00658 ret = handshake->tls_prf( session->master, 48, "key expansion", 00659 handshake->randbytes, 64, keyblk, 256 ); 00660 if( ret != 0 ) 00661 { 00662 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00663 return( ret ); 00664 } 00665 00666 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", 00667 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) ); 00668 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 ); 00669 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); 00670 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); 00671 00672 mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) ); 00673 00674 /* 00675 * Determine the appropriate key, IV and MAC length. 00676 */ 00677 00678 transform->keylen = cipher_info->key_bitlen / 8; 00679 00680 if( cipher_info->mode == MBEDTLS_MODE_GCM || 00681 cipher_info->mode == MBEDTLS_MODE_CCM ) 00682 { 00683 transform->maclen = 0; 00684 00685 transform->ivlen = 12; 00686 transform->fixed_ivlen = 4; 00687 00688 /* Minimum length is expicit IV + tag */ 00689 transform->minlen = transform->ivlen - transform->fixed_ivlen 00690 + ( transform->ciphersuite_info->flags & 00691 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 ); 00692 } 00693 else 00694 { 00695 /* Initialize HMAC contexts */ 00696 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || 00697 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) 00698 { 00699 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 00700 return( ret ); 00701 } 00702 00703 /* Get MAC length */ 00704 transform->maclen = mbedtls_md_get_size( md_info ); 00705 00706 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00707 /* 00708 * If HMAC is to be truncated, we shall keep the leftmost bytes, 00709 * (rfc 6066 page 13 or rfc 2104 section 4), 00710 * so we only need to adjust the length here. 00711 */ 00712 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00713 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; 00714 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00715 00716 /* IV length */ 00717 transform->ivlen = cipher_info->iv_size; 00718 00719 /* Minimum length */ 00720 if( cipher_info->mode == MBEDTLS_MODE_STREAM ) 00721 transform->minlen = transform->maclen; 00722 else 00723 { 00724 /* 00725 * GenericBlockCipher: 00726 * 1. if EtM is in use: one block plus MAC 00727 * otherwise: * first multiple of blocklen greater than maclen 00728 * 2. IV except for SSL3 and TLS 1.0 00729 */ 00730 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00731 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 00732 { 00733 transform->minlen = transform->maclen 00734 + cipher_info->block_size; 00735 } 00736 else 00737 #endif 00738 { 00739 transform->minlen = transform->maclen 00740 + cipher_info->block_size 00741 - transform->maclen % cipher_info->block_size; 00742 } 00743 00744 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 00745 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 00746 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) 00747 ; /* No need to adjust minlen */ 00748 else 00749 #endif 00750 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 00751 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || 00752 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00753 { 00754 transform->minlen += transform->ivlen; 00755 } 00756 else 00757 #endif 00758 { 00759 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00760 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00761 } 00762 } 00763 } 00764 00765 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d", 00766 transform->keylen, transform->minlen, transform->ivlen, 00767 transform->maclen ) ); 00768 00769 /* 00770 * Finally setup the cipher contexts, IVs and MAC secrets. 00771 */ 00772 #if defined(MBEDTLS_SSL_CLI_C) 00773 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 00774 { 00775 key1 = keyblk + transform->maclen * 2; 00776 key2 = keyblk + transform->maclen * 2 + transform->keylen; 00777 00778 mac_enc = keyblk; 00779 mac_dec = keyblk + transform->maclen; 00780 00781 /* 00782 * This is not used in TLS v1.1. 00783 */ 00784 iv_copy_len = ( transform->fixed_ivlen ) ? 00785 transform->fixed_ivlen : transform->ivlen; 00786 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len ); 00787 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len, 00788 iv_copy_len ); 00789 } 00790 else 00791 #endif /* MBEDTLS_SSL_CLI_C */ 00792 #if defined(MBEDTLS_SSL_SRV_C) 00793 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 00794 { 00795 key1 = keyblk + transform->maclen * 2 + transform->keylen; 00796 key2 = keyblk + transform->maclen * 2; 00797 00798 mac_enc = keyblk + transform->maclen; 00799 mac_dec = keyblk; 00800 00801 /* 00802 * This is not used in TLS v1.1. 00803 */ 00804 iv_copy_len = ( transform->fixed_ivlen ) ? 00805 transform->fixed_ivlen : transform->ivlen; 00806 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len ); 00807 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len, 00808 iv_copy_len ); 00809 } 00810 else 00811 #endif /* MBEDTLS_SSL_SRV_C */ 00812 { 00813 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00814 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00815 } 00816 00817 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00818 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00819 { 00820 if( transform->maclen > sizeof transform->mac_enc ) 00821 { 00822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00823 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00824 } 00825 00826 memcpy( transform->mac_enc, mac_enc, transform->maclen ); 00827 memcpy( transform->mac_dec, mac_dec, transform->maclen ); 00828 } 00829 else 00830 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00831 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 00832 defined(MBEDTLS_SSL_PROTO_TLS1_2) 00833 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 00834 { 00835 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen ); 00836 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen ); 00837 } 00838 else 00839 #endif 00840 { 00841 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00842 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00843 } 00844 00845 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00846 if( mbedtls_ssl_hw_record_init != NULL ) 00847 { 00848 int ret = 0; 00849 00850 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) ); 00851 00852 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen, 00853 transform->iv_enc, transform->iv_dec, 00854 iv_copy_len, 00855 mac_enc, mac_dec, 00856 transform->maclen ) ) != 0 ) 00857 { 00858 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); 00859 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 00860 } 00861 } 00862 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00863 00864 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 00865 if( ssl->conf->f_export_keys != NULL ) 00866 { 00867 ssl->conf->f_export_keys( ssl->conf->p_export_keys, 00868 session->master, keyblk, 00869 transform->maclen, transform->keylen, 00870 iv_copy_len ); 00871 } 00872 #endif 00873 00874 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, 00875 cipher_info ) ) != 0 ) 00876 { 00877 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00878 return( ret ); 00879 } 00880 00881 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, 00882 cipher_info ) ) != 0 ) 00883 { 00884 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00885 return( ret ); 00886 } 00887 00888 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, 00889 cipher_info->key_bitlen, 00890 MBEDTLS_ENCRYPT ) ) != 0 ) 00891 { 00892 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00893 return( ret ); 00894 } 00895 00896 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, 00897 cipher_info->key_bitlen, 00898 MBEDTLS_DECRYPT ) ) != 0 ) 00899 { 00900 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00901 return( ret ); 00902 } 00903 00904 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00905 if( cipher_info->mode == MBEDTLS_MODE_CBC ) 00906 { 00907 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc, 00908 MBEDTLS_PADDING_NONE ) ) != 0 ) 00909 { 00910 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00911 return( ret ); 00912 } 00913 00914 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec, 00915 MBEDTLS_PADDING_NONE ) ) != 0 ) 00916 { 00917 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00918 return( ret ); 00919 } 00920 } 00921 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00922 00923 mbedtls_zeroize( keyblk, sizeof( keyblk ) ); 00924 00925 #if defined(MBEDTLS_ZLIB_SUPPORT) 00926 // Initialize compression 00927 // 00928 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 00929 { 00930 if( ssl->compress_buf == NULL ) 00931 { 00932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) ); 00933 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN ); 00934 if( ssl->compress_buf == NULL ) 00935 { 00936 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 00937 MBEDTLS_SSL_BUFFER_LEN ) ); 00938 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00939 } 00940 } 00941 00942 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) ); 00943 00944 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) ); 00945 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) ); 00946 00947 if( deflateInit( &transform->ctx_deflate, 00948 Z_DEFAULT_COMPRESSION ) != Z_OK || 00949 inflateInit( &transform->ctx_inflate ) != Z_OK ) 00950 { 00951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) ); 00952 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 00953 } 00954 } 00955 #endif /* MBEDTLS_ZLIB_SUPPORT */ 00956 00957 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); 00958 00959 return( 0 ); 00960 } 00961 00962 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00963 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 00964 { 00965 mbedtls_md5_context md5; 00966 mbedtls_sha1_context sha1; 00967 unsigned char pad_1[48]; 00968 unsigned char pad_2[48]; 00969 00970 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) ); 00971 00972 mbedtls_md5_init( &md5 ); 00973 mbedtls_sha1_init( &sha1 ); 00974 00975 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 00976 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 00977 00978 memset( pad_1, 0x36, 48 ); 00979 memset( pad_2, 0x5C, 48 ); 00980 00981 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00982 mbedtls_md5_update( &md5, pad_1, 48 ); 00983 mbedtls_md5_finish( &md5, hash ); 00984 00985 mbedtls_md5_starts( &md5 ); 00986 mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); 00987 mbedtls_md5_update( &md5, pad_2, 48 ); 00988 mbedtls_md5_update( &md5, hash, 16 ); 00989 mbedtls_md5_finish( &md5, hash ); 00990 00991 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00992 mbedtls_sha1_update( &sha1, pad_1, 40 ); 00993 mbedtls_sha1_finish( &sha1, hash + 16 ); 00994 00995 mbedtls_sha1_starts( &sha1 ); 00996 mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); 00997 mbedtls_sha1_update( &sha1, pad_2, 40 ); 00998 mbedtls_sha1_update( &sha1, hash + 16, 20 ); 00999 mbedtls_sha1_finish( &sha1, hash + 16 ); 01000 01001 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01002 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01003 01004 mbedtls_md5_free( &md5 ); 01005 mbedtls_sha1_free( &sha1 ); 01006 01007 return; 01008 } 01009 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01010 01011 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 01012 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 01013 { 01014 mbedtls_md5_context md5; 01015 mbedtls_sha1_context sha1; 01016 01017 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); 01018 01019 mbedtls_md5_init( &md5 ); 01020 mbedtls_sha1_init( &sha1 ); 01021 01022 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 01023 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01024 01025 mbedtls_md5_finish( &md5, hash ); 01026 mbedtls_sha1_finish( &sha1, hash + 16 ); 01027 01028 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01029 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01030 01031 mbedtls_md5_free( &md5 ); 01032 mbedtls_sha1_free( &sha1 ); 01033 01034 return; 01035 } 01036 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 01037 01038 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 01039 #if defined(MBEDTLS_SHA256_C) 01040 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) 01041 { 01042 mbedtls_sha256_context sha256; 01043 01044 mbedtls_sha256_init( &sha256 ); 01045 01046 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); 01047 01048 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 01049 mbedtls_sha256_finish( &sha256, hash ); 01050 01051 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 ); 01052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01053 01054 mbedtls_sha256_free( &sha256 ); 01055 01056 return; 01057 } 01058 #endif /* MBEDTLS_SHA256_C */ 01059 01060 #if defined(MBEDTLS_SHA512_C) 01061 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) 01062 { 01063 mbedtls_sha512_context sha512; 01064 01065 mbedtls_sha512_init( &sha512 ); 01066 01067 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); 01068 01069 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 01070 mbedtls_sha512_finish( &sha512, hash ); 01071 01072 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 ); 01073 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01074 01075 mbedtls_sha512_free( &sha512 ); 01076 01077 return; 01078 } 01079 #endif /* MBEDTLS_SHA512_C */ 01080 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 01081 01082 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01083 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) 01084 { 01085 unsigned char *p = ssl->handshake->premaster; 01086 unsigned char *end = p + sizeof( ssl->handshake->premaster ); 01087 const unsigned char *psk = ssl->conf->psk; 01088 size_t psk_len = ssl->conf->psk_len; 01089 01090 /* If the psk callback was called, use its result */ 01091 if( ssl->handshake->psk != NULL ) 01092 { 01093 psk = ssl->handshake->psk; 01094 psk_len = ssl->handshake->psk_len; 01095 } 01096 01097 /* 01098 * PMS = struct { 01099 * opaque other_secret<0..2^16-1>; 01100 * opaque psk<0..2^16-1>; 01101 * }; 01102 * with "other_secret" depending on the particular key exchange 01103 */ 01104 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 01105 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) 01106 { 01107 if( end - p < 2 ) 01108 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01109 01110 *(p++) = (unsigned char)( psk_len >> 8 ); 01111 *(p++) = (unsigned char)( psk_len ); 01112 01113 if( end < p || (size_t)( end - p ) < psk_len ) 01114 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01115 01116 memset( p, 0, psk_len ); 01117 p += psk_len; 01118 } 01119 else 01120 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 01121 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01122 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 01123 { 01124 /* 01125 * other_secret already set by the ClientKeyExchange message, 01126 * and is 48 bytes long 01127 */ 01128 *p++ = 0; 01129 *p++ = 48; 01130 p += 48; 01131 } 01132 else 01133 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01134 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01135 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 01136 { 01137 int ret; 01138 size_t len; 01139 01140 /* Write length only when we know the actual value */ 01141 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 01142 p + 2, end - ( p + 2 ), &len, 01143 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01144 { 01145 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 01146 return( ret ); 01147 } 01148 *(p++) = (unsigned char)( len >> 8 ); 01149 *(p++) = (unsigned char)( len ); 01150 p += len; 01151 01152 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 01153 } 01154 else 01155 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01156 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01157 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 01158 { 01159 int ret; 01160 size_t zlen; 01161 01162 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, 01163 p + 2, end - ( p + 2 ), 01164 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01165 { 01166 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 01167 return( ret ); 01168 } 01169 01170 *(p++) = (unsigned char)( zlen >> 8 ); 01171 *(p++) = (unsigned char)( zlen ); 01172 p += zlen; 01173 01174 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 01175 } 01176 else 01177 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01178 { 01179 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01180 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01181 } 01182 01183 /* opaque psk<0..2^16-1>; */ 01184 if( end - p < 2 ) 01185 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01186 01187 *(p++) = (unsigned char)( psk_len >> 8 ); 01188 *(p++) = (unsigned char)( psk_len ); 01189 01190 if( end < p || (size_t)( end - p ) < psk_len ) 01191 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01192 01193 memcpy( p, psk, psk_len ); 01194 p += psk_len; 01195 01196 ssl->handshake->pmslen = p - ssl->handshake->premaster; 01197 01198 return( 0 ); 01199 } 01200 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01201 01202 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01203 /* 01204 * SSLv3.0 MAC functions 01205 */ 01206 static void ssl_mac( mbedtls_md_context_t *md_ctx, unsigned char *secret, 01207 unsigned char *buf, size_t len, 01208 unsigned char *ctr, int type ) 01209 { 01210 unsigned char header[11]; 01211 unsigned char padding[48]; 01212 int padlen; 01213 int md_size = mbedtls_md_get_size( md_ctx->md_info ); 01214 int md_type = mbedtls_md_get_type( md_ctx->md_info ); 01215 01216 /* Only MD5 and SHA-1 supported */ 01217 if( md_type == MBEDTLS_MD_MD5 ) 01218 padlen = 48; 01219 else 01220 padlen = 40; 01221 01222 memcpy( header, ctr, 8 ); 01223 header[ 8] = (unsigned char) type; 01224 header[ 9] = (unsigned char)( len >> 8 ); 01225 header[10] = (unsigned char)( len ); 01226 01227 memset( padding, 0x36, padlen ); 01228 mbedtls_md_starts( md_ctx ); 01229 mbedtls_md_update( md_ctx, secret, md_size ); 01230 mbedtls_md_update( md_ctx, padding, padlen ); 01231 mbedtls_md_update( md_ctx, header, 11 ); 01232 mbedtls_md_update( md_ctx, buf, len ); 01233 mbedtls_md_finish( md_ctx, buf + len ); 01234 01235 memset( padding, 0x5C, padlen ); 01236 mbedtls_md_starts( md_ctx ); 01237 mbedtls_md_update( md_ctx, secret, md_size ); 01238 mbedtls_md_update( md_ctx, padding, padlen ); 01239 mbedtls_md_update( md_ctx, buf + len, md_size ); 01240 mbedtls_md_finish( md_ctx, buf + len ); 01241 } 01242 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01243 01244 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ 01245 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01246 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) ) 01247 #define SSL_SOME_MODES_USE_MAC 01248 #endif 01249 01250 /* 01251 * Encryption/decryption functions 01252 */ 01253 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) 01254 { 01255 mbedtls_cipher_mode_t mode; 01256 int auth_done = 0; 01257 01258 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 01259 01260 if( ssl->session_out == NULL || ssl->transform_out == NULL ) 01261 { 01262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01263 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01264 } 01265 01266 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); 01267 01268 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", 01269 ssl->out_msg, ssl->out_msglen ); 01270 01271 /* 01272 * Add MAC before if needed 01273 */ 01274 #if defined(SSL_SOME_MODES_USE_MAC) 01275 if( mode == MBEDTLS_MODE_STREAM || 01276 ( mode == MBEDTLS_MODE_CBC 01277 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01278 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED 01279 #endif 01280 ) ) 01281 { 01282 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01283 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01284 { 01285 ssl_mac( &ssl->transform_out->md_ctx_enc, 01286 ssl->transform_out->mac_enc, 01287 ssl->out_msg, ssl->out_msglen, 01288 ssl->out_ctr, ssl->out_msgtype ); 01289 } 01290 else 01291 #endif 01292 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01293 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01294 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 01295 { 01296 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 ); 01297 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 ); 01298 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 ); 01299 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01300 ssl->out_msg, ssl->out_msglen ); 01301 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01302 ssl->out_msg + ssl->out_msglen ); 01303 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01304 } 01305 else 01306 #endif 01307 { 01308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01309 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01310 } 01311 01312 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", 01313 ssl->out_msg + ssl->out_msglen, 01314 ssl->transform_out->maclen ); 01315 01316 ssl->out_msglen += ssl->transform_out->maclen; 01317 auth_done++; 01318 } 01319 #endif /* AEAD not the only option */ 01320 01321 /* 01322 * Encrypt 01323 */ 01324 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01325 if( mode == MBEDTLS_MODE_STREAM ) 01326 { 01327 int ret; 01328 size_t olen = 0; 01329 01330 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01331 "including %d bytes of padding", 01332 ssl->out_msglen, 0 ) ); 01333 01334 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01335 ssl->transform_out->iv_enc, 01336 ssl->transform_out->ivlen, 01337 ssl->out_msg, ssl->out_msglen, 01338 ssl->out_msg, &olen ) ) != 0 ) 01339 { 01340 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01341 return( ret ); 01342 } 01343 01344 if( ssl->out_msglen != olen ) 01345 { 01346 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01347 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01348 } 01349 } 01350 else 01351 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01352 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01353 if( mode == MBEDTLS_MODE_GCM || 01354 mode == MBEDTLS_MODE_CCM ) 01355 { 01356 int ret; 01357 size_t enc_msglen, olen; 01358 unsigned char *enc_msg; 01359 unsigned char add_data[13]; 01360 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags & 01361 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01362 01363 memcpy( add_data, ssl->out_ctr, 8 ); 01364 add_data[8] = ssl->out_msgtype; 01365 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01366 ssl->conf->transport, add_data + 9 ); 01367 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; 01368 add_data[12] = ssl->out_msglen & 0xFF; 01369 01370 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01371 add_data, 13 ); 01372 01373 /* 01374 * Generate IV 01375 */ 01376 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) 01377 { 01378 /* Reminder if we ever add an AEAD mode with a different size */ 01379 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01380 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01381 } 01382 01383 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01384 ssl->out_ctr, 8 ); 01385 memcpy( ssl->out_iv, ssl->out_ctr, 8 ); 01386 01387 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, 01388 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01389 01390 /* 01391 * Fix pointer positions and message length with added IV 01392 */ 01393 enc_msg = ssl->out_msg; 01394 enc_msglen = ssl->out_msglen; 01395 ssl->out_msglen += ssl->transform_out->ivlen - 01396 ssl->transform_out->fixed_ivlen; 01397 01398 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01399 "including %d bytes of padding", 01400 ssl->out_msglen, 0 ) ); 01401 01402 /* 01403 * Encrypt and authenticate 01404 */ 01405 if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, 01406 ssl->transform_out->iv_enc, 01407 ssl->transform_out->ivlen, 01408 add_data, 13, 01409 enc_msg, enc_msglen, 01410 enc_msg, &olen, 01411 enc_msg + enc_msglen, taglen ) ) != 0 ) 01412 { 01413 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); 01414 return( ret ); 01415 } 01416 01417 if( olen != enc_msglen ) 01418 { 01419 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01420 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01421 } 01422 01423 ssl->out_msglen += taglen; 01424 auth_done++; 01425 01426 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen ); 01427 } 01428 else 01429 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01430 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01431 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01432 if( mode == MBEDTLS_MODE_CBC ) 01433 { 01434 int ret; 01435 unsigned char *enc_msg; 01436 size_t enc_msglen, padlen, olen = 0, i; 01437 01438 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) % 01439 ssl->transform_out->ivlen; 01440 if( padlen == ssl->transform_out->ivlen ) 01441 padlen = 0; 01442 01443 for( i = 0; i <= padlen; i++ ) 01444 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen; 01445 01446 ssl->out_msglen += padlen + 1; 01447 01448 enc_msglen = ssl->out_msglen; 01449 enc_msg = ssl->out_msg; 01450 01451 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01452 /* 01453 * Prepend per-record IV for block cipher in TLS v1.1 and up as per 01454 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) 01455 */ 01456 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01457 { 01458 /* 01459 * Generate IV 01460 */ 01461 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, 01462 ssl->transform_out->ivlen ); 01463 if( ret != 0 ) 01464 return( ret ); 01465 01466 memcpy( ssl->out_iv, ssl->transform_out->iv_enc, 01467 ssl->transform_out->ivlen ); 01468 01469 /* 01470 * Fix pointer positions and message length with added IV 01471 */ 01472 enc_msg = ssl->out_msg; 01473 enc_msglen = ssl->out_msglen; 01474 ssl->out_msglen += ssl->transform_out->ivlen; 01475 } 01476 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01477 01478 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01479 "including %d bytes of IV and %d bytes of padding", 01480 ssl->out_msglen, ssl->transform_out->ivlen, 01481 padlen + 1 ) ); 01482 01483 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01484 ssl->transform_out->iv_enc, 01485 ssl->transform_out->ivlen, 01486 enc_msg, enc_msglen, 01487 enc_msg, &olen ) ) != 0 ) 01488 { 01489 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01490 return( ret ); 01491 } 01492 01493 if( enc_msglen != olen ) 01494 { 01495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01496 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01497 } 01498 01499 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01500 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01501 { 01502 /* 01503 * Save IV in SSL3 and TLS1 01504 */ 01505 memcpy( ssl->transform_out->iv_enc, 01506 ssl->transform_out->cipher_ctx_enc.iv, 01507 ssl->transform_out->ivlen ); 01508 } 01509 #endif 01510 01511 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01512 if( auth_done == 0 ) 01513 { 01514 /* 01515 * MAC(MAC_write_key, seq_num + 01516 * TLSCipherText.type + 01517 * TLSCipherText.version + 01518 * length_of( (IV +) ENC(...) ) + 01519 * IV + // except for TLS 1.0 01520 * ENC(content + padding + padding_length)); 01521 */ 01522 unsigned char pseudo_hdr[13]; 01523 01524 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01525 01526 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 ); 01527 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 ); 01528 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF ); 01529 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF ); 01530 01531 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01532 01533 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 ); 01534 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01535 ssl->out_iv, ssl->out_msglen ); 01536 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01537 ssl->out_iv + ssl->out_msglen ); 01538 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01539 01540 ssl->out_msglen += ssl->transform_out->maclen; 01541 auth_done++; 01542 } 01543 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01544 } 01545 else 01546 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01547 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01548 { 01549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01550 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01551 } 01552 01553 /* Make extra sure authentication was performed, exactly once */ 01554 if( auth_done != 1 ) 01555 { 01556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01557 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01558 } 01559 01560 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 01561 01562 return( 0 ); 01563 } 01564 01565 #define SSL_MAX_MAC_SIZE 48 01566 01567 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) 01568 { 01569 size_t i; 01570 mbedtls_cipher_mode_t mode; 01571 int auth_done = 0; 01572 #if defined(SSL_SOME_MODES_USE_MAC) 01573 size_t padlen = 0, correct = 1; 01574 #endif 01575 01576 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 01577 01578 if( ssl->session_in == NULL || ssl->transform_in == NULL ) 01579 { 01580 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01581 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01582 } 01583 01584 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec ); 01585 01586 if( ssl->in_msglen < ssl->transform_in->minlen ) 01587 { 01588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", 01589 ssl->in_msglen, ssl->transform_in->minlen ) ); 01590 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01591 } 01592 01593 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01594 if( mode == MBEDTLS_MODE_STREAM ) 01595 { 01596 int ret; 01597 size_t olen = 0; 01598 01599 padlen = 0; 01600 01601 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01602 ssl->transform_in->iv_dec, 01603 ssl->transform_in->ivlen, 01604 ssl->in_msg, ssl->in_msglen, 01605 ssl->in_msg, &olen ) ) != 0 ) 01606 { 01607 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01608 return( ret ); 01609 } 01610 01611 if( ssl->in_msglen != olen ) 01612 { 01613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01614 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01615 } 01616 } 01617 else 01618 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01619 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01620 if( mode == MBEDTLS_MODE_GCM || 01621 mode == MBEDTLS_MODE_CCM ) 01622 { 01623 int ret; 01624 size_t dec_msglen, olen; 01625 unsigned char *dec_msg; 01626 unsigned char *dec_msg_result; 01627 unsigned char add_data[13]; 01628 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags & 01629 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01630 size_t explicit_iv_len = ssl->transform_in->ivlen - 01631 ssl->transform_in->fixed_ivlen; 01632 01633 if( ssl->in_msglen < explicit_iv_len + taglen ) 01634 { 01635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " 01636 "+ taglen (%d)", ssl->in_msglen, 01637 explicit_iv_len, taglen ) ); 01638 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01639 } 01640 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen; 01641 01642 dec_msg = ssl->in_msg; 01643 dec_msg_result = ssl->in_msg; 01644 ssl->in_msglen = dec_msglen; 01645 01646 memcpy( add_data, ssl->in_ctr, 8 ); 01647 add_data[8] = ssl->in_msgtype; 01648 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01649 ssl->conf->transport, add_data + 9 ); 01650 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; 01651 add_data[12] = ssl->in_msglen & 0xFF; 01652 01653 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01654 add_data, 13 ); 01655 01656 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen, 01657 ssl->in_iv, 01658 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen ); 01659 01660 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec, 01661 ssl->transform_in->ivlen ); 01662 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen ); 01663 01664 /* 01665 * Decrypt and authenticate 01666 */ 01667 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, 01668 ssl->transform_in->iv_dec, 01669 ssl->transform_in->ivlen, 01670 add_data, 13, 01671 dec_msg, dec_msglen, 01672 dec_msg_result, &olen, 01673 dec_msg + dec_msglen, taglen ) ) != 0 ) 01674 { 01675 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); 01676 01677 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) 01678 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01679 01680 return( ret ); 01681 } 01682 auth_done++; 01683 01684 if( olen != dec_msglen ) 01685 { 01686 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01687 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01688 } 01689 } 01690 else 01691 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01692 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01693 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01694 if( mode == MBEDTLS_MODE_CBC ) 01695 { 01696 /* 01697 * Decrypt and check the padding 01698 */ 01699 int ret; 01700 unsigned char *dec_msg; 01701 unsigned char *dec_msg_result; 01702 size_t dec_msglen; 01703 size_t minlen = 0; 01704 size_t olen = 0; 01705 01706 /* 01707 * Check immediate ciphertext sanity 01708 */ 01709 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01710 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01711 minlen += ssl->transform_in->ivlen; 01712 #endif 01713 01714 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen || 01715 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 ) 01716 { 01717 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) " 01718 "+ 1 ) ( + expl IV )", ssl->in_msglen, 01719 ssl->transform_in->ivlen, 01720 ssl->transform_in->maclen ) ); 01721 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01722 } 01723 01724 dec_msglen = ssl->in_msglen; 01725 dec_msg = ssl->in_msg; 01726 dec_msg_result = ssl->in_msg; 01727 01728 /* 01729 * Authenticate before decrypt if enabled 01730 */ 01731 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01732 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 01733 { 01734 unsigned char computed_mac[SSL_MAX_MAC_SIZE]; 01735 unsigned char pseudo_hdr[13]; 01736 01737 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01738 01739 dec_msglen -= ssl->transform_in->maclen; 01740 ssl->in_msglen -= ssl->transform_in->maclen; 01741 01742 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 ); 01743 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 ); 01744 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF ); 01745 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF ); 01746 01747 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01748 01749 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); 01750 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, 01751 ssl->in_iv, ssl->in_msglen ); 01752 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac ); 01753 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01754 01755 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, 01756 ssl->transform_in->maclen ); 01757 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac, 01758 ssl->transform_in->maclen ); 01759 01760 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac, 01761 ssl->transform_in->maclen ) != 0 ) 01762 { 01763 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 01764 01765 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01766 } 01767 auth_done++; 01768 } 01769 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01770 01771 /* 01772 * Check length sanity 01773 */ 01774 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 ) 01775 { 01776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0", 01777 ssl->in_msglen, ssl->transform_in->ivlen ) ); 01778 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01779 } 01780 01781 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01782 /* 01783 * Initialize for prepended IV for block cipher in TLS v1.1 and up 01784 */ 01785 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01786 { 01787 dec_msglen -= ssl->transform_in->ivlen; 01788 ssl->in_msglen -= ssl->transform_in->ivlen; 01789 01790 for( i = 0; i < ssl->transform_in->ivlen; i++ ) 01791 ssl->transform_in->iv_dec[i] = ssl->in_iv[i]; 01792 } 01793 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01794 01795 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01796 ssl->transform_in->iv_dec, 01797 ssl->transform_in->ivlen, 01798 dec_msg, dec_msglen, 01799 dec_msg_result, &olen ) ) != 0 ) 01800 { 01801 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01802 return( ret ); 01803 } 01804 01805 if( dec_msglen != olen ) 01806 { 01807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01808 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01809 } 01810 01811 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01812 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01813 { 01814 /* 01815 * Save IV in SSL3 and TLS1 01816 */ 01817 memcpy( ssl->transform_in->iv_dec, 01818 ssl->transform_in->cipher_ctx_dec.iv, 01819 ssl->transform_in->ivlen ); 01820 } 01821 #endif 01822 01823 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; 01824 01825 if( ssl->in_msglen < ssl->transform_in->maclen + padlen && 01826 auth_done == 0 ) 01827 { 01828 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", 01830 ssl->in_msglen, ssl->transform_in->maclen, padlen ) ); 01831 #endif 01832 padlen = 0; 01833 correct = 0; 01834 } 01835 01836 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01837 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01838 { 01839 if( padlen > ssl->transform_in->ivlen ) 01840 { 01841 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " 01843 "should be no more than %d", 01844 padlen, ssl->transform_in->ivlen ) ); 01845 #endif 01846 correct = 0; 01847 } 01848 } 01849 else 01850 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01851 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01852 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01853 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01854 { 01855 /* 01856 * TLSv1+: always check the padding up to the first failure 01857 * and fake check up to 256 bytes of padding 01858 */ 01859 size_t pad_count = 0, real_count = 1; 01860 size_t padding_idx = ssl->in_msglen - padlen - 1; 01861 01862 /* 01863 * Padding is guaranteed to be incorrect if: 01864 * 1. padlen >= ssl->in_msglen 01865 * 01866 * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN + 01867 * ssl->transform_in->maclen 01868 * 01869 * In both cases we reset padding_idx to a safe value (0) to 01870 * prevent out-of-buffer reads. 01871 */ 01872 correct &= ( ssl->in_msglen >= padlen + 1 ); 01873 correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN + 01874 ssl->transform_in->maclen ); 01875 01876 padding_idx *= correct; 01877 01878 for( i = 1; i <= 256; i++ ) 01879 { 01880 real_count &= ( i <= padlen ); 01881 pad_count += real_count * 01882 ( ssl->in_msg[padding_idx + i] == padlen - 1 ); 01883 } 01884 01885 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */ 01886 01887 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01888 if( padlen > 0 && correct == 0 ) 01889 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); 01890 #endif 01891 padlen &= correct * 0x1FF; 01892 } 01893 else 01894 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01895 MBEDTLS_SSL_PROTO_TLS1_2 */ 01896 { 01897 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01898 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01899 } 01900 01901 ssl->in_msglen -= padlen; 01902 } 01903 else 01904 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01905 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01906 { 01907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01908 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01909 } 01910 01911 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", 01912 ssl->in_msg, ssl->in_msglen ); 01913 01914 /* 01915 * Authenticate if not done yet. 01916 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). 01917 */ 01918 #if defined(SSL_SOME_MODES_USE_MAC) 01919 if( auth_done == 0 ) 01920 { 01921 unsigned char tmp[SSL_MAX_MAC_SIZE]; 01922 01923 ssl->in_msglen -= ssl->transform_in->maclen; 01924 01925 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); 01926 ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); 01927 01928 memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen ); 01929 01930 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01931 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01932 { 01933 ssl_mac( &ssl->transform_in->md_ctx_dec, 01934 ssl->transform_in->mac_dec, 01935 ssl->in_msg, ssl->in_msglen, 01936 ssl->in_ctr, ssl->in_msgtype ); 01937 } 01938 else 01939 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01940 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01941 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01942 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01943 { 01944 /* 01945 * Process MAC and always update for padlen afterwards to make 01946 * total time independent of padlen 01947 * 01948 * extra_run compensates MAC check for padlen 01949 * 01950 * Known timing attacks: 01951 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 01952 * 01953 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values 01954 * correctly. (We round down instead of up, so -56 is the correct 01955 * value for our calculations instead of -55) 01956 */ 01957 size_t j, extra_run = 0; 01958 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 - 01959 ( 13 + ssl->in_msglen + 8 ) / 64; 01960 01961 extra_run &= correct * 0xFF; 01962 01963 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 ); 01964 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 ); 01965 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 ); 01966 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, 01967 ssl->in_msglen ); 01968 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, 01969 ssl->in_msg + ssl->in_msglen ); 01970 /* Call mbedtls_md_process at least once due to cache attacks */ 01971 for( j = 0; j < extra_run + 1; j++ ) 01972 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); 01973 01974 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01975 } 01976 else 01977 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01978 MBEDTLS_SSL_PROTO_TLS1_2 */ 01979 { 01980 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01981 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01982 } 01983 01984 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen ); 01985 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen, 01986 ssl->transform_in->maclen ); 01987 01988 if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen, 01989 ssl->transform_in->maclen ) != 0 ) 01990 { 01991 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01992 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 01993 #endif 01994 correct = 0; 01995 } 01996 auth_done++; 01997 01998 /* 01999 * Finally check the correct flag 02000 */ 02001 if( correct == 0 ) 02002 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02003 } 02004 #endif /* SSL_SOME_MODES_USE_MAC */ 02005 02006 /* Make extra sure authentication was performed, exactly once */ 02007 if( auth_done != 1 ) 02008 { 02009 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02010 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02011 } 02012 02013 if( ssl->in_msglen == 0 ) 02014 { 02015 ssl->nb_zero++; 02016 02017 /* 02018 * Three or more empty messages may be a DoS attack 02019 * (excessive CPU consumption). 02020 */ 02021 if( ssl->nb_zero > 3 ) 02022 { 02023 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 02024 "messages, possible DoS attack" ) ); 02025 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02026 } 02027 } 02028 else 02029 ssl->nb_zero = 0; 02030 02031 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02032 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02033 { 02034 ; /* in_ctr read from peer, not maintained internally */ 02035 } 02036 else 02037 #endif 02038 { 02039 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02040 if( ++ssl->in_ctr[i - 1] != 0 ) 02041 break; 02042 02043 /* The loop goes to its end iff the counter is wrapping */ 02044 if( i == ssl_ep_len( ssl ) ) 02045 { 02046 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); 02047 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02048 } 02049 } 02050 02051 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 02052 02053 return( 0 ); 02054 } 02055 02056 #undef MAC_NONE 02057 #undef MAC_PLAINTEXT 02058 #undef MAC_CIPHERTEXT 02059 02060 #if defined(MBEDTLS_ZLIB_SUPPORT) 02061 /* 02062 * Compression/decompression functions 02063 */ 02064 static int ssl_compress_buf( mbedtls_ssl_context *ssl ) 02065 { 02066 int ret; 02067 unsigned char *msg_post = ssl->out_msg; 02068 size_t len_pre = ssl->out_msglen; 02069 unsigned char *msg_pre = ssl->compress_buf; 02070 02071 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) ); 02072 02073 if( len_pre == 0 ) 02074 return( 0 ); 02075 02076 memcpy( msg_pre, ssl->out_msg, len_pre ); 02077 02078 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ", 02079 ssl->out_msglen ) ); 02080 02081 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload", 02082 ssl->out_msg, ssl->out_msglen ); 02083 02084 ssl->transform_out->ctx_deflate.next_in = msg_pre; 02085 ssl->transform_out->ctx_deflate.avail_in = len_pre; 02086 ssl->transform_out->ctx_deflate.next_out = msg_post; 02087 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN; 02088 02089 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); 02090 if( ret != Z_OK ) 02091 { 02092 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) ); 02093 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02094 } 02095 02096 ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN - 02097 ssl->transform_out->ctx_deflate.avail_out; 02098 02099 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ", 02100 ssl->out_msglen ) ); 02101 02102 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload", 02103 ssl->out_msg, ssl->out_msglen ); 02104 02105 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) ); 02106 02107 return( 0 ); 02108 } 02109 02110 static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) 02111 { 02112 int ret; 02113 unsigned char *msg_post = ssl->in_msg; 02114 size_t len_pre = ssl->in_msglen; 02115 unsigned char *msg_pre = ssl->compress_buf; 02116 02117 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) ); 02118 02119 if( len_pre == 0 ) 02120 return( 0 ); 02121 02122 memcpy( msg_pre, ssl->in_msg, len_pre ); 02123 02124 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ", 02125 ssl->in_msglen ) ); 02126 02127 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload", 02128 ssl->in_msg, ssl->in_msglen ); 02129 02130 ssl->transform_in->ctx_inflate.next_in = msg_pre; 02131 ssl->transform_in->ctx_inflate.avail_in = len_pre; 02132 ssl->transform_in->ctx_inflate.next_out = msg_post; 02133 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN; 02134 02135 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); 02136 if( ret != Z_OK ) 02137 { 02138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) ); 02139 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02140 } 02141 02142 ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN - 02143 ssl->transform_in->ctx_inflate.avail_out; 02144 02145 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ", 02146 ssl->in_msglen ) ); 02147 02148 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload", 02149 ssl->in_msg, ssl->in_msglen ); 02150 02151 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) ); 02152 02153 return( 0 ); 02154 } 02155 #endif /* MBEDTLS_ZLIB_SUPPORT */ 02156 02157 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02158 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ); 02159 02160 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02161 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) 02162 { 02163 /* If renegotiation is not enforced, retransmit until we would reach max 02164 * timeout if we were using the usual handshake doubling scheme */ 02165 if( ssl->conf->renego_max_records < 0 ) 02166 { 02167 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 02168 unsigned char doublings = 1; 02169 02170 while( ratio != 0 ) 02171 { 02172 ++doublings; 02173 ratio >>= 1; 02174 } 02175 02176 if( ++ssl->renego_records_seen > doublings ) 02177 { 02178 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) ); 02179 return( 0 ); 02180 } 02181 } 02182 02183 return( ssl_write_hello_request( ssl ) ); 02184 } 02185 #endif 02186 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02187 02188 /* 02189 * Fill the input message buffer by appending data to it. 02190 * The amount of data already fetched is in ssl->in_left. 02191 * 02192 * If we return 0, is it guaranteed that (at least) nb_want bytes are 02193 * available (from this read and/or a previous one). Otherwise, an error code 02194 * is returned (possibly EOF or WANT_READ). 02195 * 02196 * With stream transport (TLS) on success ssl->in_left == nb_want, but 02197 * with datagram transport (DTLS) on success ssl->in_left >= nb_want, 02198 * since we always read a whole datagram at once. 02199 * 02200 * For DTLS, it is up to the caller to set ssl->next_record_offset when 02201 * they're done reading a record. 02202 */ 02203 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) 02204 { 02205 int ret; 02206 size_t len; 02207 02208 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 02209 02210 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) 02211 { 02212 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02213 "or mbedtls_ssl_set_bio()" ) ); 02214 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02215 } 02216 02217 if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 02218 { 02219 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); 02220 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02221 } 02222 02223 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02224 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02225 { 02226 uint32_t timeout; 02227 02228 /* Just to be sure */ 02229 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) 02230 { 02231 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use " 02232 "mbedtls_ssl_set_timer_cb() for DTLS" ) ); 02233 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02234 } 02235 02236 /* 02237 * The point is, we need to always read a full datagram at once, so we 02238 * sometimes read more then requested, and handle the additional data. 02239 * It could be the rest of the current record (while fetching the 02240 * header) and/or some other records in the same datagram. 02241 */ 02242 02243 /* 02244 * Move to the next record in the already read datagram if applicable 02245 */ 02246 if( ssl->next_record_offset != 0 ) 02247 { 02248 if( ssl->in_left < ssl->next_record_offset ) 02249 { 02250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02251 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02252 } 02253 02254 ssl->in_left -= ssl->next_record_offset; 02255 02256 if( ssl->in_left != 0 ) 02257 { 02258 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d", 02259 ssl->next_record_offset ) ); 02260 memmove( ssl->in_hdr, 02261 ssl->in_hdr + ssl->next_record_offset, 02262 ssl->in_left ); 02263 } 02264 02265 ssl->next_record_offset = 0; 02266 } 02267 02268 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02269 ssl->in_left, nb_want ) ); 02270 02271 /* 02272 * Done if we already have enough data. 02273 */ 02274 if( nb_want <= ssl->in_left) 02275 { 02276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02277 return( 0 ); 02278 } 02279 02280 /* 02281 * A record can't be split accross datagrams. If we need to read but 02282 * are not at the beginning of a new record, the caller did something 02283 * wrong. 02284 */ 02285 if( ssl->in_left != 0 ) 02286 { 02287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02288 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02289 } 02290 02291 /* 02292 * Don't even try to read if time's out already. 02293 * This avoids by-passing the timer when repeatedly receiving messages 02294 * that will end up being dropped. 02295 */ 02296 if( ssl_check_timer( ssl ) != 0 ) 02297 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02298 else 02299 { 02300 len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf ); 02301 02302 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02303 timeout = ssl->handshake->retransmit_timeout; 02304 else 02305 timeout = ssl->conf->read_timeout; 02306 02307 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); 02308 02309 if( ssl->f_recv_timeout != NULL ) 02310 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, 02311 timeout ); 02312 else 02313 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); 02314 02315 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02316 02317 if( ret == 0 ) 02318 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02319 } 02320 02321 if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) 02322 { 02323 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); 02324 ssl_set_timer( ssl, 0 ); 02325 02326 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02327 { 02328 if( ssl_double_retransmit_timeout( ssl ) != 0 ) 02329 { 02330 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); 02331 return( MBEDTLS_ERR_SSL_TIMEOUT ); 02332 } 02333 02334 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 02335 { 02336 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 02337 return( ret ); 02338 } 02339 02340 return( MBEDTLS_ERR_SSL_WANT_READ ); 02341 } 02342 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02343 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 02344 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 02345 { 02346 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 02347 { 02348 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 02349 return( ret ); 02350 } 02351 02352 return( MBEDTLS_ERR_SSL_WANT_READ ); 02353 } 02354 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02355 } 02356 02357 if( ret < 0 ) 02358 return( ret ); 02359 02360 ssl->in_left = ret; 02361 } 02362 else 02363 #endif 02364 { 02365 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02366 ssl->in_left, nb_want ) ); 02367 02368 while( ssl->in_left < nb_want ) 02369 { 02370 len = nb_want - ssl->in_left; 02371 02372 if( ssl_check_timer( ssl ) != 0 ) 02373 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02374 else 02375 { 02376 if( ssl->f_recv_timeout != NULL ) 02377 { 02378 ret = ssl->f_recv_timeout( ssl->p_bio, 02379 ssl->in_hdr + ssl->in_left, len, 02380 ssl->conf->read_timeout ); 02381 } 02382 else 02383 { 02384 ret = ssl->f_recv( ssl->p_bio, 02385 ssl->in_hdr + ssl->in_left, len ); 02386 } 02387 } 02388 02389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02390 ssl->in_left, nb_want ) ); 02391 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02392 02393 if( ret == 0 ) 02394 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02395 02396 if( ret < 0 ) 02397 return( ret ); 02398 02399 ssl->in_left += ret; 02400 } 02401 } 02402 02403 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02404 02405 return( 0 ); 02406 } 02407 02408 /* 02409 * Flush any data not yet written 02410 */ 02411 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) 02412 { 02413 int ret; 02414 unsigned char *buf, i; 02415 02416 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 02417 02418 if( ssl->f_send == NULL ) 02419 { 02420 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02421 "or mbedtls_ssl_set_bio()" ) ); 02422 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02423 } 02424 02425 /* Avoid incrementing counter if data is flushed */ 02426 if( ssl->out_left == 0 ) 02427 { 02428 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02429 return( 0 ); 02430 } 02431 02432 while( ssl->out_left > 0 ) 02433 { 02434 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", 02435 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); 02436 02437 buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) + 02438 ssl->out_msglen - ssl->out_left; 02439 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); 02440 02441 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 02442 02443 if( ret <= 0 ) 02444 return( ret ); 02445 02446 ssl->out_left -= ret; 02447 } 02448 02449 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02450 if( ++ssl->out_ctr[i - 1] != 0 ) 02451 break; 02452 02453 /* The loop goes to its end iff the counter is wrapping */ 02454 if( i == ssl_ep_len( ssl ) ) 02455 { 02456 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); 02457 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02458 } 02459 02460 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02461 02462 return( 0 ); 02463 } 02464 02465 /* 02466 * Functions to handle the DTLS retransmission state machine 02467 */ 02468 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02469 /* 02470 * Append current handshake message to current outgoing flight 02471 */ 02472 static int ssl_flight_append( mbedtls_ssl_context *ssl ) 02473 { 02474 mbedtls_ssl_flight_item *msg; 02475 02476 /* Allocate space for current message */ 02477 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) 02478 { 02479 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", 02480 sizeof( mbedtls_ssl_flight_item ) ) ); 02481 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02482 } 02483 02484 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) 02485 { 02486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) ); 02487 mbedtls_free( msg ); 02488 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02489 } 02490 02491 /* Copy current handshake message with headers */ 02492 memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); 02493 msg->len = ssl->out_msglen; 02494 msg->type = ssl->out_msgtype; 02495 msg->next = NULL; 02496 02497 /* Append to the current flight */ 02498 if( ssl->handshake->flight == NULL ) 02499 ssl->handshake->flight = msg; 02500 else 02501 { 02502 mbedtls_ssl_flight_item *cur = ssl->handshake->flight; 02503 while( cur->next != NULL ) 02504 cur = cur->next; 02505 cur->next = msg; 02506 } 02507 02508 return( 0 ); 02509 } 02510 02511 /* 02512 * Free the current flight of handshake messages 02513 */ 02514 static void ssl_flight_free( mbedtls_ssl_flight_item *flight ) 02515 { 02516 mbedtls_ssl_flight_item *cur = flight; 02517 mbedtls_ssl_flight_item *next; 02518 02519 while( cur != NULL ) 02520 { 02521 next = cur->next; 02522 02523 mbedtls_free( cur->p ); 02524 mbedtls_free( cur ); 02525 02526 cur = next; 02527 } 02528 } 02529 02530 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 02531 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); 02532 #endif 02533 02534 /* 02535 * Swap transform_out and out_ctr with the alternative ones 02536 */ 02537 static void ssl_swap_epochs( mbedtls_ssl_context *ssl ) 02538 { 02539 mbedtls_ssl_transform *tmp_transform; 02540 unsigned char tmp_out_ctr[8]; 02541 02542 if( ssl->transform_out == ssl->handshake->alt_transform_out ) 02543 { 02544 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); 02545 return; 02546 } 02547 02548 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); 02549 02550 /* Swap transforms */ 02551 tmp_transform = ssl->transform_out; 02552 ssl->transform_out = ssl->handshake->alt_transform_out; 02553 ssl->handshake->alt_transform_out = tmp_transform; 02554 02555 /* Swap epoch + sequence_number */ 02556 memcpy( tmp_out_ctr, ssl->out_ctr, 8 ); 02557 memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 ); 02558 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); 02559 02560 /* Adjust to the newly activated transform */ 02561 if( ssl->transform_out != NULL && 02562 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 02563 { 02564 ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen - 02565 ssl->transform_out->fixed_ivlen; 02566 } 02567 else 02568 ssl->out_msg = ssl->out_iv; 02569 02570 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02571 if( mbedtls_ssl_hw_record_activate != NULL ) 02572 { 02573 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 02574 { 02575 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 02576 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02577 } 02578 } 02579 #endif 02580 } 02581 02582 /* 02583 * Retransmit the current flight of messages. 02584 * 02585 * Need to remember the current message in case flush_output returns 02586 * WANT_WRITE, causing us to exit this function and come back later. 02587 * This function must be called until state is no longer SENDING. 02588 */ 02589 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) 02590 { 02591 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); 02592 02593 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) 02594 { 02595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) ); 02596 02597 ssl->handshake->cur_msg = ssl->handshake->flight; 02598 ssl_swap_epochs( ssl ); 02599 02600 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; 02601 } 02602 02603 while( ssl->handshake->cur_msg != NULL ) 02604 { 02605 int ret; 02606 mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg; 02607 02608 /* Swap epochs before sending Finished: we can't do it after 02609 * sending ChangeCipherSpec, in case write returns WANT_READ. 02610 * Must be done before copying, may change out_msg pointer */ 02611 if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && 02612 cur->p[0] == MBEDTLS_SSL_HS_FINISHED ) 02613 { 02614 ssl_swap_epochs( ssl ); 02615 } 02616 02617 memcpy( ssl->out_msg, cur->p, cur->len ); 02618 ssl->out_msglen = cur->len; 02619 ssl->out_msgtype = cur->type; 02620 02621 ssl->handshake->cur_msg = cur->next; 02622 02623 MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 ); 02624 02625 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02626 { 02627 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02628 return( ret ); 02629 } 02630 } 02631 02632 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 02633 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02634 else 02635 { 02636 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02637 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02638 } 02639 02640 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); 02641 02642 return( 0 ); 02643 } 02644 02645 /* 02646 * To be called when the last message of an incoming flight is received. 02647 */ 02648 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) 02649 { 02650 /* We won't need to resend that one any more */ 02651 ssl_flight_free( ssl->handshake->flight ); 02652 ssl->handshake->flight = NULL; 02653 ssl->handshake->cur_msg = NULL; 02654 02655 /* The next incoming flight will start with this msg_seq */ 02656 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; 02657 02658 /* Cancel timer */ 02659 ssl_set_timer( ssl, 0 ); 02660 02661 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02662 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02663 { 02664 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02665 } 02666 else 02667 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 02668 } 02669 02670 /* 02671 * To be called when the last message of an outgoing flight is send. 02672 */ 02673 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) 02674 { 02675 ssl_reset_retransmit_timeout( ssl ); 02676 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02677 02678 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02679 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02680 { 02681 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02682 } 02683 else 02684 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02685 } 02686 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02687 02688 /* 02689 * Record layer functions 02690 */ 02691 02692 /* 02693 * Write current record. 02694 * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg. 02695 */ 02696 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) 02697 { 02698 int ret, done = 0, out_msg_type; 02699 size_t len = ssl->out_msglen; 02700 02701 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 02702 02703 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02704 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02705 ssl->handshake != NULL && 02706 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 02707 { 02708 ; /* Skip special handshake treatment when resending */ 02709 } 02710 else 02711 #endif 02712 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 02713 { 02714 out_msg_type = ssl->out_msg[0]; 02715 02716 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST && 02717 ssl->handshake == NULL ) 02718 { 02719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02720 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02721 } 02722 02723 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 ); 02724 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); 02725 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); 02726 02727 /* 02728 * DTLS has additional fields in the Handshake layer, 02729 * between the length field and the actual payload: 02730 * uint16 message_seq; 02731 * uint24 fragment_offset; 02732 * uint24 fragment_length; 02733 */ 02734 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02735 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02736 { 02737 /* Make room for the additional DTLS fields */ 02738 memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); 02739 ssl->out_msglen += 8; 02740 len += 8; 02741 02742 /* Write message_seq and update it, except for HelloRequest */ 02743 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02744 { 02745 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; 02746 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; 02747 ++( ssl->handshake->out_msg_seq ); 02748 } 02749 else 02750 { 02751 ssl->out_msg[4] = 0; 02752 ssl->out_msg[5] = 0; 02753 } 02754 02755 /* We don't fragment, so frag_offset = 0 and frag_len = len */ 02756 memset( ssl->out_msg + 6, 0x00, 3 ); 02757 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); 02758 } 02759 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02760 02761 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02762 ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); 02763 } 02764 02765 /* Save handshake and CCS messages for resending */ 02766 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02767 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02768 ssl->handshake != NULL && 02769 ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && 02770 ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || 02771 ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) 02772 { 02773 if( ( ret = ssl_flight_append( ssl ) ) != 0 ) 02774 { 02775 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); 02776 return( ret ); 02777 } 02778 } 02779 #endif 02780 02781 #if defined(MBEDTLS_ZLIB_SUPPORT) 02782 if( ssl->transform_out != NULL && 02783 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 02784 { 02785 if( ( ret = ssl_compress_buf( ssl ) ) != 0 ) 02786 { 02787 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret ); 02788 return( ret ); 02789 } 02790 02791 len = ssl->out_msglen; 02792 } 02793 #endif /*MBEDTLS_ZLIB_SUPPORT */ 02794 02795 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02796 if( mbedtls_ssl_hw_record_write != NULL ) 02797 { 02798 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) ); 02799 02800 ret = mbedtls_ssl_hw_record_write( ssl ); 02801 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 02802 { 02803 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); 02804 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02805 } 02806 02807 if( ret == 0 ) 02808 done = 1; 02809 } 02810 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 02811 if( !done ) 02812 { 02813 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 02814 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02815 ssl->conf->transport, ssl->out_hdr + 1 ); 02816 02817 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02818 ssl->out_len[1] = (unsigned char)( len ); 02819 02820 if( ssl->transform_out != NULL ) 02821 { 02822 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) 02823 { 02824 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 02825 return( ret ); 02826 } 02827 02828 len = ssl->out_msglen; 02829 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02830 ssl->out_len[1] = (unsigned char)( len ); 02831 } 02832 02833 ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen; 02834 02835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " 02836 "version = [%d:%d], msglen = %d", 02837 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], 02838 ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); 02839 02840 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 02841 ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen ); 02842 } 02843 02844 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 02845 { 02846 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 02847 return( ret ); 02848 } 02849 02850 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 02851 02852 return( 0 ); 02853 } 02854 02855 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02856 /* 02857 * Mark bits in bitmask (used for DTLS HS reassembly) 02858 */ 02859 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) 02860 { 02861 unsigned int start_bits, end_bits; 02862 02863 start_bits = 8 - ( offset % 8 ); 02864 if( start_bits != 8 ) 02865 { 02866 size_t first_byte_idx = offset / 8; 02867 02868 /* Special case */ 02869 if( len <= start_bits ) 02870 { 02871 for( ; len != 0; len-- ) 02872 mask[first_byte_idx] |= 1 << ( start_bits - len ); 02873 02874 /* Avoid potential issues with offset or len becoming invalid */ 02875 return; 02876 } 02877 02878 offset += start_bits; /* Now offset % 8 == 0 */ 02879 len -= start_bits; 02880 02881 for( ; start_bits != 0; start_bits-- ) 02882 mask[first_byte_idx] |= 1 << ( start_bits - 1 ); 02883 } 02884 02885 end_bits = len % 8; 02886 if( end_bits != 0 ) 02887 { 02888 size_t last_byte_idx = ( offset + len ) / 8; 02889 02890 len -= end_bits; /* Now len % 8 == 0 */ 02891 02892 for( ; end_bits != 0; end_bits-- ) 02893 mask[last_byte_idx] |= 1 << ( 8 - end_bits ); 02894 } 02895 02896 memset( mask + offset / 8, 0xFF, len / 8 ); 02897 } 02898 02899 /* 02900 * Check that bitmask is full 02901 */ 02902 static int ssl_bitmask_check( unsigned char *mask, size_t len ) 02903 { 02904 size_t i; 02905 02906 for( i = 0; i < len / 8; i++ ) 02907 if( mask[i] != 0xFF ) 02908 return( -1 ); 02909 02910 for( i = 0; i < len % 8; i++ ) 02911 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) 02912 return( -1 ); 02913 02914 return( 0 ); 02915 } 02916 02917 /* 02918 * Reassemble fragmented DTLS handshake messages. 02919 * 02920 * Use a temporary buffer for reassembly, divided in two parts: 02921 * - the first holds the reassembled message (including handshake header), 02922 * - the second holds a bitmask indicating which parts of the message 02923 * (excluding headers) have been received so far. 02924 */ 02925 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) 02926 { 02927 unsigned char *msg, *bitmask; 02928 size_t frag_len, frag_off; 02929 size_t msg_len = ssl->in_hslen - 12; /* Without headers */ 02930 02931 if( ssl->handshake == NULL ) 02932 { 02933 MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) ); 02934 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02935 } 02936 02937 /* 02938 * For first fragment, check size and allocate buffer 02939 */ 02940 if( ssl->handshake->hs_msg == NULL ) 02941 { 02942 size_t alloc_len; 02943 02944 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d", 02945 msg_len ) ); 02946 02947 if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02948 { 02949 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) ); 02950 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02951 } 02952 02953 /* The bitmask needs one bit per byte of message excluding header */ 02954 alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 ); 02955 02956 ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len ); 02957 if( ssl->handshake->hs_msg == NULL ) 02958 { 02959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) ); 02960 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02961 } 02962 02963 /* Prepare final header: copy msg_type, length and message_seq, 02964 * then add standardised fragment_offset and fragment_length */ 02965 memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 ); 02966 memset( ssl->handshake->hs_msg + 6, 0, 3 ); 02967 memcpy( ssl->handshake->hs_msg + 9, 02968 ssl->handshake->hs_msg + 1, 3 ); 02969 } 02970 else 02971 { 02972 /* Make sure msg_type and length are consistent */ 02973 if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 ) 02974 { 02975 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) ); 02976 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 02977 } 02978 } 02979 02980 msg = ssl->handshake->hs_msg + 12; 02981 bitmask = msg + msg_len; 02982 02983 /* 02984 * Check and copy current fragment 02985 */ 02986 frag_off = ( ssl->in_msg[6] << 16 ) | 02987 ( ssl->in_msg[7] << 8 ) | 02988 ssl->in_msg[8]; 02989 frag_len = ( ssl->in_msg[9] << 16 ) | 02990 ( ssl->in_msg[10] << 8 ) | 02991 ssl->in_msg[11]; 02992 02993 if( frag_off + frag_len > msg_len ) 02994 { 02995 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d", 02996 frag_off, frag_len, msg_len ) ); 02997 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 02998 } 02999 03000 if( frag_len + 12 > ssl->in_msglen ) 03001 { 03002 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d", 03003 frag_len, ssl->in_msglen ) ); 03004 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03005 } 03006 03007 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d", 03008 frag_off, frag_len ) ); 03009 03010 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); 03011 ssl_bitmask_set( bitmask, frag_off, frag_len ); 03012 03013 /* 03014 * Do we have the complete message by now? 03015 * If yes, finalize it, else ask to read the next record. 03016 */ 03017 if( ssl_bitmask_check( bitmask, msg_len ) != 0 ) 03018 { 03019 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) ); 03020 return( MBEDTLS_ERR_SSL_WANT_READ ); 03021 } 03022 03023 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) ); 03024 03025 if( frag_len + 12 < ssl->in_msglen ) 03026 { 03027 /* 03028 * We'got more handshake messages in the same record. 03029 * This case is not handled now because no know implementation does 03030 * that and it's hard to test, so we prefer to fail cleanly for now. 03031 */ 03032 MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) ); 03033 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03034 } 03035 03036 if( ssl->in_left > ssl->next_record_offset ) 03037 { 03038 /* 03039 * We've got more data in the buffer after the current record, 03040 * that we don't want to overwrite. Move it before writing the 03041 * reassembled message, and adjust in_left and next_record_offset. 03042 */ 03043 unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset; 03044 unsigned char *new_remain = ssl->in_msg + ssl->in_hslen; 03045 size_t remain_len = ssl->in_left - ssl->next_record_offset; 03046 03047 /* First compute and check new lengths */ 03048 ssl->next_record_offset = new_remain - ssl->in_hdr; 03049 ssl->in_left = ssl->next_record_offset + remain_len; 03050 03051 if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN - 03052 (size_t)( ssl->in_hdr - ssl->in_buf ) ) 03053 { 03054 MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) ); 03055 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03056 } 03057 03058 memmove( new_remain, cur_remain, remain_len ); 03059 } 03060 03061 memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen ); 03062 03063 mbedtls_free( ssl->handshake->hs_msg ); 03064 ssl->handshake->hs_msg = NULL; 03065 03066 MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message", 03067 ssl->in_msg, ssl->in_hslen ); 03068 03069 return( 0 ); 03070 } 03071 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03072 03073 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) 03074 { 03075 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) 03076 { 03077 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", 03078 ssl->in_msglen ) ); 03079 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03080 } 03081 03082 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ( 03083 ( ssl->in_msg[1] << 16 ) | 03084 ( ssl->in_msg[2] << 8 ) | 03085 ssl->in_msg[3] ); 03086 03087 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 03088 " %d, type = %d, hslen = %d", 03089 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 03090 03091 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03092 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03093 { 03094 int ret; 03095 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 03096 03097 /* ssl->handshake is NULL when receiving ClientHello for renego */ 03098 if( ssl->handshake != NULL && 03099 recv_msg_seq != ssl->handshake->in_msg_seq ) 03100 { 03101 /* Retransmit only on last message from previous flight, to avoid 03102 * too many retransmissions. 03103 * Besides, No sane server ever retransmits HelloVerifyRequest */ 03104 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && 03105 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 03106 { 03107 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " 03108 "message_seq = %d, start_of_flight = %d", 03109 recv_msg_seq, 03110 ssl->handshake->in_flight_start_seq ) ); 03111 03112 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03113 { 03114 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03115 return( ret ); 03116 } 03117 } 03118 else 03119 { 03120 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " 03121 "message_seq = %d, expected = %d", 03122 recv_msg_seq, 03123 ssl->handshake->in_msg_seq ) ); 03124 } 03125 03126 return( MBEDTLS_ERR_SSL_WANT_READ ); 03127 } 03128 /* Wait until message completion to increment in_msg_seq */ 03129 03130 /* Reassemble if current message is fragmented or reassembly is 03131 * already in progress */ 03132 if( ssl->in_msglen < ssl->in_hslen || 03133 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || 03134 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 || 03135 ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) ) 03136 { 03137 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); 03138 03139 if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 ) 03140 { 03141 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret ); 03142 return( ret ); 03143 } 03144 } 03145 } 03146 else 03147 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03148 /* With TLS we don't handle fragmentation (for now) */ 03149 if( ssl->in_msglen < ssl->in_hslen ) 03150 { 03151 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); 03152 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03153 } 03154 03155 return( 0 ); 03156 } 03157 03158 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) 03159 { 03160 03161 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 03162 ssl->handshake != NULL ) 03163 { 03164 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); 03165 } 03166 03167 /* Handshake message is complete, increment counter */ 03168 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03169 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03170 ssl->handshake != NULL ) 03171 { 03172 ssl->handshake->in_msg_seq++; 03173 } 03174 #endif 03175 } 03176 03177 /* 03178 * DTLS anti-replay: RFC 6347 4.1.2.6 03179 * 03180 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). 03181 * Bit n is set iff record number in_window_top - n has been seen. 03182 * 03183 * Usually, in_window_top is the last record number seen and the lsb of 03184 * in_window is set. The only exception is the initial state (record number 0 03185 * not seen yet). 03186 */ 03187 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03188 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) 03189 { 03190 ssl->in_window_top = 0; 03191 ssl->in_window = 0; 03192 } 03193 03194 static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) 03195 { 03196 return( ( (uint64_t) buf[0] << 40 ) | 03197 ( (uint64_t) buf[1] << 32 ) | 03198 ( (uint64_t) buf[2] << 24 ) | 03199 ( (uint64_t) buf[3] << 16 ) | 03200 ( (uint64_t) buf[4] << 8 ) | 03201 ( (uint64_t) buf[5] ) ); 03202 } 03203 03204 /* 03205 * Return 0 if sequence number is acceptable, -1 otherwise 03206 */ 03207 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) 03208 { 03209 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03210 uint64_t bit; 03211 03212 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03213 return( 0 ); 03214 03215 if( rec_seqnum > ssl->in_window_top ) 03216 return( 0 ); 03217 03218 bit = ssl->in_window_top - rec_seqnum; 03219 03220 if( bit >= 64 ) 03221 return( -1 ); 03222 03223 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) 03224 return( -1 ); 03225 03226 return( 0 ); 03227 } 03228 03229 /* 03230 * Update replay window on new validated record 03231 */ 03232 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) 03233 { 03234 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03235 03236 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03237 return; 03238 03239 if( rec_seqnum > ssl->in_window_top ) 03240 { 03241 /* Update window_top and the contents of the window */ 03242 uint64_t shift = rec_seqnum - ssl->in_window_top; 03243 03244 if( shift >= 64 ) 03245 ssl->in_window = 1; 03246 else 03247 { 03248 ssl->in_window <<= shift; 03249 ssl->in_window |= 1; 03250 } 03251 03252 ssl->in_window_top = rec_seqnum; 03253 } 03254 else 03255 { 03256 /* Mark that number as seen in the current window */ 03257 uint64_t bit = ssl->in_window_top - rec_seqnum; 03258 03259 if( bit < 64 ) /* Always true, but be extra sure */ 03260 ssl->in_window |= (uint64_t) 1 << bit; 03261 } 03262 } 03263 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 03264 03265 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03266 /* Forward declaration */ 03267 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); 03268 03269 /* 03270 * Without any SSL context, check if a datagram looks like a ClientHello with 03271 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. 03272 * Both input and output include full DTLS headers. 03273 * 03274 * - if cookie is valid, return 0 03275 * - if ClientHello looks superficially valid but cookie is not, 03276 * fill obuf and set olen, then 03277 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03278 * - otherwise return a specific error code 03279 */ 03280 static int ssl_check_dtls_clihlo_cookie( 03281 mbedtls_ssl_cookie_write_t *f_cookie_write, 03282 mbedtls_ssl_cookie_check_t *f_cookie_check, 03283 void *p_cookie, 03284 const unsigned char *cli_id, size_t cli_id_len, 03285 const unsigned char *in, size_t in_len, 03286 unsigned char *obuf, size_t buf_len, size_t *olen ) 03287 { 03288 size_t sid_len, cookie_len; 03289 unsigned char *p; 03290 03291 if( f_cookie_write == NULL || f_cookie_check == NULL ) 03292 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03293 03294 /* 03295 * Structure of ClientHello with record and handshake headers, 03296 * and expected values. We don't need to check a lot, more checks will be 03297 * done when actually parsing the ClientHello - skipping those checks 03298 * avoids code duplication and does not make cookie forging any easier. 03299 * 03300 * 0-0 ContentType type; copied, must be handshake 03301 * 1-2 ProtocolVersion version; copied 03302 * 3-4 uint16 epoch; copied, must be 0 03303 * 5-10 uint48 sequence_number; copied 03304 * 11-12 uint16 length; (ignored) 03305 * 03306 * 13-13 HandshakeType msg_type; (ignored) 03307 * 14-16 uint24 length; (ignored) 03308 * 17-18 uint16 message_seq; copied 03309 * 19-21 uint24 fragment_offset; copied, must be 0 03310 * 22-24 uint24 fragment_length; (ignored) 03311 * 03312 * 25-26 ProtocolVersion client_version; (ignored) 03313 * 27-58 Random random; (ignored) 03314 * 59-xx SessionID session_id; 1 byte len + sid_len content 03315 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content 03316 * ... 03317 * 03318 * Minimum length is 61 bytes. 03319 */ 03320 if( in_len < 61 || 03321 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || 03322 in[3] != 0 || in[4] != 0 || 03323 in[19] != 0 || in[20] != 0 || in[21] != 0 ) 03324 { 03325 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03326 } 03327 03328 sid_len = in[59]; 03329 if( sid_len > in_len - 61 ) 03330 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03331 03332 cookie_len = in[60 + sid_len]; 03333 if( cookie_len > in_len - 60 ) 03334 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03335 03336 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, 03337 cli_id, cli_id_len ) == 0 ) 03338 { 03339 /* Valid cookie */ 03340 return( 0 ); 03341 } 03342 03343 /* 03344 * If we get here, we've got an invalid cookie, let's prepare HVR. 03345 * 03346 * 0-0 ContentType type; copied 03347 * 1-2 ProtocolVersion version; copied 03348 * 3-4 uint16 epoch; copied 03349 * 5-10 uint48 sequence_number; copied 03350 * 11-12 uint16 length; olen - 13 03351 * 03352 * 13-13 HandshakeType msg_type; hello_verify_request 03353 * 14-16 uint24 length; olen - 25 03354 * 17-18 uint16 message_seq; copied 03355 * 19-21 uint24 fragment_offset; copied 03356 * 22-24 uint24 fragment_length; olen - 25 03357 * 03358 * 25-26 ProtocolVersion server_version; 0xfe 0xff 03359 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie 03360 * 03361 * Minimum length is 28. 03362 */ 03363 if( buf_len < 28 ) 03364 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03365 03366 /* Copy most fields and adapt others */ 03367 memcpy( obuf, in, 25 ); 03368 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 03369 obuf[25] = 0xfe; 03370 obuf[26] = 0xff; 03371 03372 /* Generate and write actual cookie */ 03373 p = obuf + 28; 03374 if( f_cookie_write( p_cookie, 03375 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) 03376 { 03377 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03378 } 03379 03380 *olen = p - obuf; 03381 03382 /* Go back and fill length fields */ 03383 obuf[27] = (unsigned char)( *olen - 28 ); 03384 03385 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); 03386 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); 03387 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); 03388 03389 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); 03390 obuf[12] = (unsigned char)( ( *olen - 13 ) ); 03391 03392 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03393 } 03394 03395 /* 03396 * Handle possible client reconnect with the same UDP quadruplet 03397 * (RFC 6347 Section 4.2.8). 03398 * 03399 * Called by ssl_parse_record_header() in case we receive an epoch 0 record 03400 * that looks like a ClientHello. 03401 * 03402 * - if the input looks like a ClientHello without cookies, 03403 * send back HelloVerifyRequest, then 03404 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03405 * - if the input looks like a ClientHello with a valid cookie, 03406 * reset the session of the current context, and 03407 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT 03408 * - if anything goes wrong, return a specific error code 03409 * 03410 * mbedtls_ssl_read_record() will ignore the record if anything else than 03411 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function 03412 * cannot not return 0. 03413 */ 03414 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) 03415 { 03416 int ret; 03417 size_t len; 03418 03419 ret = ssl_check_dtls_clihlo_cookie( 03420 ssl->conf->f_cookie_write, 03421 ssl->conf->f_cookie_check, 03422 ssl->conf->p_cookie, 03423 ssl->cli_id, ssl->cli_id_len, 03424 ssl->in_buf, ssl->in_left, 03425 ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); 03426 03427 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); 03428 03429 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) 03430 { 03431 /* Don't check write errors as we can't do anything here. 03432 * If the error is permanent we'll catch it later, 03433 * if it's not, then hopefully it'll work next time. */ 03434 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); 03435 03436 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03437 } 03438 03439 if( ret == 0 ) 03440 { 03441 /* Got a valid cookie, partially reset context */ 03442 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 ) 03443 { 03444 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); 03445 return( ret ); 03446 } 03447 03448 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); 03449 } 03450 03451 return( ret ); 03452 } 03453 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03454 03455 /* 03456 * ContentType type; 03457 * ProtocolVersion version; 03458 * uint16 epoch; // DTLS only 03459 * uint48 sequence_number; // DTLS only 03460 * uint16 length; 03461 * 03462 * Return 0 if header looks sane (and, for DTLS, the record is expected) 03463 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, 03464 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. 03465 * 03466 * With DTLS, mbedtls_ssl_read_record() will: 03467 * 1. proceed with the record if this function returns 0 03468 * 2. drop only the current record if this function returns UNEXPECTED_RECORD 03469 * 3. return CLIENT_RECONNECT if this function return that value 03470 * 4. drop the whole datagram if this function returns anything else. 03471 * Point 2 is needed when the peer is resending, and we have already received 03472 * the first record from a datagram but are still waiting for the others. 03473 */ 03474 static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) 03475 { 03476 int major_ver, minor_ver; 03477 03478 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) ); 03479 03480 ssl->in_msgtype = ssl->in_hdr[0]; 03481 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 03482 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); 03483 03484 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " 03485 "version = [%d:%d], msglen = %d", 03486 ssl->in_msgtype, 03487 major_ver, minor_ver, ssl->in_msglen ) ); 03488 03489 /* Check record type */ 03490 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && 03491 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && 03492 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03493 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 03494 { 03495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); 03496 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03497 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03498 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03499 } 03500 03501 /* Check version */ 03502 if( major_ver != ssl->major_ver ) 03503 { 03504 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 03505 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03506 } 03507 03508 if( minor_ver > ssl->conf->max_minor_ver ) 03509 { 03510 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 03511 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03512 } 03513 03514 /* Check length against the size of our buffer */ 03515 if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN 03516 - (size_t)( ssl->in_msg - ssl->in_buf ) ) 03517 { 03518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03519 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03520 } 03521 03522 /* Check length against bounds of the current transform and version */ 03523 if( ssl->transform_in == NULL ) 03524 { 03525 if( ssl->in_msglen < 1 || 03526 ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03527 { 03528 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03529 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03530 } 03531 } 03532 else 03533 { 03534 if( ssl->in_msglen < ssl->transform_in->minlen ) 03535 { 03536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03537 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03538 } 03539 03540 #if defined(MBEDTLS_SSL_PROTO_SSL3) 03541 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03542 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) 03543 { 03544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03545 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03546 } 03547 #endif 03548 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03549 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03550 /* 03551 * TLS encrypted messages can have up to 256 bytes of padding 03552 */ 03553 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && 03554 ssl->in_msglen > ssl->transform_in->minlen + 03555 MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) 03556 { 03557 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03558 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03559 } 03560 #endif 03561 } 03562 03563 /* 03564 * DTLS-related tests done last, because most of them may result in 03565 * silently dropping the record (but not the whole datagram), and we only 03566 * want to consider that after ensuring that the "basic" fields (type, 03567 * version, length) are sane. 03568 */ 03569 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03570 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03571 { 03572 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; 03573 03574 /* Drop unexpected ChangeCipherSpec messages */ 03575 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03576 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && 03577 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 03578 { 03579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) ); 03580 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03581 } 03582 03583 /* Drop unexpected ApplicationData records, 03584 * except at the beginning of renegotiations */ 03585 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && 03586 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER 03587 #if defined(MBEDTLS_SSL_RENEGOTIATION) 03588 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 03589 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) 03590 #endif 03591 ) 03592 { 03593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); 03594 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03595 } 03596 03597 /* Check epoch (and sequence number) with DTLS */ 03598 if( rec_epoch != ssl->in_epoch ) 03599 { 03600 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 03601 "expected %d, received %d", 03602 ssl->in_epoch, rec_epoch ) ); 03603 03604 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03605 /* 03606 * Check for an epoch 0 ClientHello. We can't use in_msg here to 03607 * access the first byte of record content (handshake type), as we 03608 * have an active transform (possibly iv_len != 0), so use the 03609 * fact that the record header len is 13 instead. 03610 */ 03611 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03612 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 03613 rec_epoch == 0 && 03614 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03615 ssl->in_left > 13 && 03616 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) 03617 { 03618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " 03619 "from the same port" ) ); 03620 return( ssl_handle_possible_reconnect( ssl ) ); 03621 } 03622 else 03623 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03624 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03625 } 03626 03627 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03628 /* Replay detection only works for the current epoch */ 03629 if( rec_epoch == ssl->in_epoch && 03630 mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 03631 { 03632 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); 03633 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03634 } 03635 #endif 03636 } 03637 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03638 03639 return( 0 ); 03640 } 03641 03642 /* 03643 * If applicable, decrypt (and decompress) record content 03644 */ 03645 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) 03646 { 03647 int ret, done = 0; 03648 03649 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", 03650 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ); 03651 03652 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 03653 if( mbedtls_ssl_hw_record_read != NULL ) 03654 { 03655 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) ); 03656 03657 ret = mbedtls_ssl_hw_record_read( ssl ); 03658 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 03659 { 03660 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); 03661 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03662 } 03663 03664 if( ret == 0 ) 03665 done = 1; 03666 } 03667 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 03668 if( !done && ssl->transform_in != NULL ) 03669 { 03670 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) 03671 { 03672 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 03673 return( ret ); 03674 } 03675 03676 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", 03677 ssl->in_msg, ssl->in_msglen ); 03678 03679 if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03680 { 03681 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03682 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03683 } 03684 } 03685 03686 #if defined(MBEDTLS_ZLIB_SUPPORT) 03687 if( ssl->transform_in != NULL && 03688 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 03689 { 03690 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) 03691 { 03692 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); 03693 return( ret ); 03694 } 03695 } 03696 #endif /* MBEDTLS_ZLIB_SUPPORT */ 03697 03698 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03699 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03700 { 03701 mbedtls_ssl_dtls_replay_update( ssl ); 03702 } 03703 #endif 03704 03705 return( 0 ); 03706 } 03707 03708 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); 03709 03710 /* 03711 * Read a record. 03712 * 03713 * Silently ignore non-fatal alert (and for DTLS, invalid records as well, 03714 * RFC 6347 4.1.2.7) and continue reading until a valid record is found. 03715 * 03716 */ 03717 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) 03718 { 03719 int ret; 03720 03721 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 03722 03723 if( ssl->keep_current_message == 0 ) 03724 { 03725 do { 03726 03727 if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 ) 03728 { 03729 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03730 return( ret ); 03731 } 03732 03733 ret = mbedtls_ssl_handle_message_type( ssl ); 03734 03735 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ); 03736 03737 if( 0 != ret ) 03738 { 03739 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03740 return( ret ); 03741 } 03742 03743 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 03744 { 03745 mbedtls_ssl_update_handshake_status( ssl ); 03746 } 03747 } 03748 else 03749 { 03750 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= reuse previously read message" ) ); 03751 ssl->keep_current_message = 0; 03752 } 03753 03754 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 03755 03756 return( 0 ); 03757 } 03758 03759 int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl ) 03760 { 03761 int ret; 03762 03763 /* 03764 * Step A 03765 * 03766 * Consume last content-layer message and potentially 03767 * update in_msglen which keeps track of the contents' 03768 * consumption state. 03769 * 03770 * (1) Handshake messages: 03771 * Remove last handshake message, move content 03772 * and adapt in_msglen. 03773 * 03774 * (2) Alert messages: 03775 * Consume whole record content, in_msglen = 0. 03776 * 03777 * NOTE: This needs to be fixed, since like for 03778 * handshake messages it is allowed to have 03779 * multiple alerts witin a single record. 03780 * Internal reference IOTSSL-1321. 03781 * 03782 * (3) Change cipher spec: 03783 * Consume whole record content, in_msglen = 0. 03784 * 03785 * (4) Application data: 03786 * Don't do anything - the record layer provides 03787 * the application data as a stream transport 03788 * and consumes through mbedtls_ssl_read only. 03789 * 03790 */ 03791 03792 /* Case (1): Handshake messages */ 03793 if( ssl->in_hslen != 0 ) 03794 { 03795 /* Hard assertion to be sure that no application data 03796 * is in flight, as corrupting ssl->in_msglen during 03797 * ssl->in_offt != NULL is fatal. */ 03798 if( ssl->in_offt != NULL ) 03799 { 03800 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03801 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03802 } 03803 03804 /* 03805 * Get next Handshake message in the current record 03806 */ 03807 03808 /* Notes: 03809 * (1) in_hslen is *NOT* necessarily the size of the 03810 * current handshake content: If DTLS handshake 03811 * fragmentation is used, that's the fragment 03812 * size instead. Using the total handshake message 03813 * size here is FAULTY and should be changed at 03814 * some point. Internal reference IOTSSL-1414. 03815 * (2) While it doesn't seem to cause problems, one 03816 * has to be very careful not to assume that in_hslen 03817 * is always <= in_msglen in a sensible communication. 03818 * Again, it's wrong for DTLS handshake fragmentation. 03819 * The following check is therefore mandatory, and 03820 * should not be treated as a silently corrected assertion. 03821 * Additionally, ssl->in_hslen might be arbitrarily out of 03822 * bounds after handling a DTLS message with an unexpected 03823 * sequence number, see mbedtls_ssl_prepare_handshake_record. 03824 */ 03825 if( ssl->in_hslen < ssl->in_msglen ) 03826 { 03827 ssl->in_msglen -= ssl->in_hslen; 03828 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 03829 ssl->in_msglen ); 03830 03831 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", 03832 ssl->in_msg, ssl->in_msglen ); 03833 } 03834 else 03835 { 03836 ssl->in_msglen = 0; 03837 } 03838 03839 ssl->in_hslen = 0; 03840 } 03841 /* Case (4): Application data */ 03842 else if( ssl->in_offt != NULL ) 03843 { 03844 return( 0 ); 03845 } 03846 /* Everything else (CCS & Alerts) */ 03847 else 03848 { 03849 ssl->in_msglen = 0; 03850 } 03851 03852 /* 03853 * Step B 03854 * 03855 * Fetch and decode new record if current one is fully consumed. 03856 * 03857 */ 03858 03859 if( ssl->in_msglen > 0 ) 03860 { 03861 /* There's something left to be processed in the current record. */ 03862 return( 0 ); 03863 } 03864 03865 /* Need to fetch a new record */ 03866 03867 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03868 read_record_header: 03869 #endif 03870 03871 /* Current record either fully processed or to be discarded. */ 03872 03873 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 ) 03874 { 03875 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03876 return( ret ); 03877 } 03878 03879 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) 03880 { 03881 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03882 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03883 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) 03884 { 03885 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) 03886 { 03887 /* Skip unexpected record (but not whole datagram) */ 03888 ssl->next_record_offset = ssl->in_msglen 03889 + mbedtls_ssl_hdr_len( ssl ); 03890 03891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " 03892 "(header)" ) ); 03893 } 03894 else 03895 { 03896 /* Skip invalid record and the rest of the datagram */ 03897 ssl->next_record_offset = 0; 03898 ssl->in_left = 0; 03899 03900 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " 03901 "(header)" ) ); 03902 } 03903 03904 /* Get next record */ 03905 goto read_record_header; 03906 } 03907 #endif 03908 return( ret ); 03909 } 03910 03911 /* 03912 * Read and optionally decrypt the message contents 03913 */ 03914 if( ( ret = mbedtls_ssl_fetch_input( ssl, 03915 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 ) 03916 { 03917 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03918 return( ret ); 03919 } 03920 03921 /* Done reading this record, get ready for the next one */ 03922 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03923 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03924 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); 03925 else 03926 #endif 03927 ssl->in_left = 0; 03928 03929 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) 03930 { 03931 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03932 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03933 { 03934 /* Silently discard invalid records */ 03935 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || 03936 ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03937 { 03938 /* Except when waiting for Finished as a bad mac here 03939 * probably means something went wrong in the handshake 03940 * (eg wrong psk used, mitm downgrade attempt, etc.) */ 03941 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || 03942 ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) 03943 { 03944 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03945 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03946 { 03947 mbedtls_ssl_send_alert_message( ssl, 03948 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03949 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03950 } 03951 #endif 03952 return( ret ); 03953 } 03954 03955 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 03956 if( ssl->conf->badmac_limit != 0 && 03957 ++ssl->badmac_seen >= ssl->conf->badmac_limit ) 03958 { 03959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); 03960 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 03961 } 03962 #endif 03963 03964 /* As above, invalid records cause 03965 * dismissal of the whole datagram. */ 03966 03967 ssl->next_record_offset = 0; 03968 ssl->in_left = 0; 03969 03970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); 03971 goto read_record_header; 03972 } 03973 03974 return( ret ); 03975 } 03976 else 03977 #endif 03978 { 03979 /* Error out (and send alert) on invalid records */ 03980 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03981 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03982 { 03983 mbedtls_ssl_send_alert_message( ssl, 03984 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03985 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 03986 } 03987 #endif 03988 return( ret ); 03989 } 03990 } 03991 03992 /* 03993 * When we sent the last flight of the handshake, we MUST respond to a 03994 * retransmit of the peer's previous flight with a retransmit. (In 03995 * practice, only the Finished message will make it, other messages 03996 * including CCS use the old transform so they're dropped as invalid.) 03997 * 03998 * If the record we received is not a handshake message, however, it 03999 * means the peer received our last flight so we can clean up 04000 * handshake info. 04001 * 04002 * This check needs to be done before prepare_handshake() due to an edge 04003 * case: if the client immediately requests renegotiation, this 04004 * finishes the current handshake first, avoiding the new ClientHello 04005 * being mistaken for an ancient message in the current handshake. 04006 */ 04007 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04008 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04009 ssl->handshake != NULL && 04010 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 04011 { 04012 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04013 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 04014 { 04015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) ); 04016 04017 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 04018 { 04019 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 04020 return( ret ); 04021 } 04022 04023 return( MBEDTLS_ERR_SSL_WANT_READ ); 04024 } 04025 else 04026 { 04027 ssl_handshake_wrapup_free_hs_transform( ssl ); 04028 } 04029 } 04030 #endif 04031 04032 return( 0 ); 04033 } 04034 04035 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) 04036 { 04037 int ret; 04038 04039 /* 04040 * Handle particular types of records 04041 */ 04042 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 04043 { 04044 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 ) 04045 { 04046 return( ret ); 04047 } 04048 } 04049 04050 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 04051 { 04052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", 04053 ssl->in_msg[0], ssl->in_msg[1] ) ); 04054 04055 /* 04056 * Ignore non-fatal alerts, except close_notify and no_renegotiation 04057 */ 04058 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) 04059 { 04060 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", 04061 ssl->in_msg[1] ) ); 04062 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); 04063 } 04064 04065 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04066 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) 04067 { 04068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 04069 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); 04070 } 04071 04072 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) 04073 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04074 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) 04075 { 04076 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 04077 /* Will be handled when trying to parse ServerHello */ 04078 return( 0 ); 04079 } 04080 #endif 04081 04082 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) 04083 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 04084 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04085 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04086 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04087 { 04088 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 04089 /* Will be handled in mbedtls_ssl_parse_certificate() */ 04090 return( 0 ); 04091 } 04092 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 04093 04094 /* Silently ignore: fetch new message */ 04095 return MBEDTLS_ERR_SSL_NON_FATAL; 04096 } 04097 04098 return( 0 ); 04099 } 04100 04101 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) 04102 { 04103 int ret; 04104 04105 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 04106 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04107 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) 04108 { 04109 return( ret ); 04110 } 04111 04112 return( 0 ); 04113 } 04114 04115 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, 04116 unsigned char level, 04117 unsigned char message ) 04118 { 04119 int ret; 04120 04121 if( ssl == NULL || ssl->conf == NULL ) 04122 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04123 04124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); 04125 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message )); 04126 04127 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04128 ssl->out_msglen = 2; 04129 ssl->out_msg[0] = level; 04130 ssl->out_msg[1] = message; 04131 04132 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04133 { 04134 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04135 return( ret ); 04136 } 04137 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); 04138 04139 return( 0 ); 04140 } 04141 04142 /* 04143 * Handshake functions 04144 */ 04145 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 04146 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ 04147 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 04148 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 04149 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ 04150 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 04151 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 04152 /* No certificate support -> dummy functions */ 04153 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04154 { 04155 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04156 04157 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04158 04159 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04160 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04161 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04162 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04163 { 04164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04165 ssl->state++; 04166 return( 0 ); 04167 } 04168 04169 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04170 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04171 } 04172 04173 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04174 { 04175 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04176 04177 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04178 04179 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04180 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04181 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04182 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04183 { 04184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04185 ssl->state++; 04186 return( 0 ); 04187 } 04188 04189 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04190 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04191 } 04192 04193 #else 04194 /* Some certificate support -> implement write and parse */ 04195 04196 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04197 { 04198 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04199 size_t i, n; 04200 const mbedtls_x509_crt *crt; 04201 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04202 04203 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04204 04205 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04206 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04207 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04208 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04209 { 04210 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04211 ssl->state++; 04212 return( 0 ); 04213 } 04214 04215 #if defined(MBEDTLS_SSL_CLI_C) 04216 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 04217 { 04218 if( ssl->client_auth == 0 ) 04219 { 04220 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04221 ssl->state++; 04222 return( 0 ); 04223 } 04224 04225 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04226 /* 04227 * If using SSLv3 and got no cert, send an Alert message 04228 * (otherwise an empty Certificate message will be sent). 04229 */ 04230 if( mbedtls_ssl_own_cert( ssl ) == NULL && 04231 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04232 { 04233 ssl->out_msglen = 2; 04234 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04235 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING; 04236 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT; 04237 04238 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) ); 04239 goto write_msg; 04240 } 04241 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04242 } 04243 #endif /* MBEDTLS_SSL_CLI_C */ 04244 #if defined(MBEDTLS_SSL_SRV_C) 04245 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 04246 { 04247 if( mbedtls_ssl_own_cert( ssl ) == NULL ) 04248 { 04249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); 04250 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); 04251 } 04252 } 04253 #endif 04254 04255 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); 04256 04257 /* 04258 * 0 . 0 handshake type 04259 * 1 . 3 handshake length 04260 * 4 . 6 length of all certs 04261 * 7 . 9 length of cert. 1 04262 * 10 . n-1 peer certificate 04263 * n . n+2 length of cert. 2 04264 * n+3 . ... upper level cert, etc. 04265 */ 04266 i = 7; 04267 crt = mbedtls_ssl_own_cert( ssl ); 04268 04269 while( crt != NULL ) 04270 { 04271 n = crt->raw.len; 04272 if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i ) 04273 { 04274 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", 04275 i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 04276 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); 04277 } 04278 04279 ssl->out_msg[i ] = (unsigned char)( n >> 16 ); 04280 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 ); 04281 ssl->out_msg[i + 2] = (unsigned char)( n ); 04282 04283 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n ); 04284 i += n; crt = crt->next; 04285 } 04286 04287 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 ); 04288 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 ); 04289 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) ); 04290 04291 ssl->out_msglen = i; 04292 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 04293 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 04294 04295 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) 04296 write_msg: 04297 #endif 04298 04299 ssl->state++; 04300 04301 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04302 { 04303 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04304 return( ret ); 04305 } 04306 04307 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); 04308 04309 return( ret ); 04310 } 04311 04312 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04313 { 04314 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04315 size_t i, n; 04316 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04317 int authmode = ssl->conf->authmode; 04318 uint8_t alert; 04319 04320 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04321 04322 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04323 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04324 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04325 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04326 { 04327 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04328 ssl->state++; 04329 return( 0 ); 04330 } 04331 04332 #if defined(MBEDTLS_SSL_SRV_C) 04333 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04334 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 04335 { 04336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04337 ssl->state++; 04338 return( 0 ); 04339 } 04340 04341 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04342 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 04343 authmode = ssl->handshake->sni_authmode; 04344 #endif 04345 04346 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04347 authmode == MBEDTLS_SSL_VERIFY_NONE ) 04348 { 04349 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; 04350 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04351 ssl->state++; 04352 return( 0 ); 04353 } 04354 #endif 04355 04356 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04357 { 04358 /* mbedtls_ssl_read_record may have sent an alert already. We 04359 let it decide whether to alert. */ 04360 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04361 return( ret ); 04362 } 04363 04364 ssl->state++; 04365 04366 #if defined(MBEDTLS_SSL_SRV_C) 04367 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04368 /* 04369 * Check if the client sent an empty certificate 04370 */ 04371 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04372 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04373 { 04374 if( ssl->in_msglen == 2 && 04375 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && 04376 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04377 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04378 { 04379 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); 04380 04381 /* The client was asked for a certificate but didn't send 04382 one. The client should know what's going on, so we 04383 don't send an alert. */ 04384 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04385 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04386 return( 0 ); 04387 else 04388 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04389 } 04390 } 04391 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04392 04393 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 04394 defined(MBEDTLS_SSL_PROTO_TLS1_2) 04395 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04396 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 04397 { 04398 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && 04399 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04400 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 04401 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) 04402 { 04403 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); 04404 04405 /* The client was asked for a certificate but didn't send 04406 one. The client should know what's going on, so we 04407 don't send an alert. */ 04408 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04409 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04410 return( 0 ); 04411 else 04412 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04413 } 04414 } 04415 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 04416 MBEDTLS_SSL_PROTO_TLS1_2 */ 04417 #endif /* MBEDTLS_SSL_SRV_C */ 04418 04419 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 04420 { 04421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04422 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04423 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 04424 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04425 } 04426 04427 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE || 04428 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) 04429 { 04430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04431 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04432 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04433 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04434 } 04435 04436 i = mbedtls_ssl_hs_hdr_len( ssl ); 04437 04438 /* 04439 * Same message structure as in mbedtls_ssl_write_certificate() 04440 */ 04441 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2]; 04442 04443 if( ssl->in_msg[i] != 0 || 04444 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) ) 04445 { 04446 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04447 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04448 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04449 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04450 } 04451 04452 /* In case we tried to reuse a session but it failed */ 04453 if( ssl->session_negotiate->peer_cert != NULL ) 04454 { 04455 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); 04456 mbedtls_free( ssl->session_negotiate->peer_cert ); 04457 } 04458 04459 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, 04460 sizeof( mbedtls_x509_crt ) ) ) == NULL ) 04461 { 04462 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 04463 sizeof( mbedtls_x509_crt ) ) ); 04464 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04465 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 04466 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 04467 } 04468 04469 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); 04470 04471 i += 3; 04472 04473 while( i < ssl->in_hslen ) 04474 { 04475 if( ssl->in_msg[i] != 0 ) 04476 { 04477 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04478 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04479 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04480 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04481 } 04482 04483 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 ) 04484 | (unsigned int) ssl->in_msg[i + 2]; 04485 i += 3; 04486 04487 if( n < 128 || i + n > ssl->in_hslen ) 04488 { 04489 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04490 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04491 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04492 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04493 } 04494 04495 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, 04496 ssl->in_msg + i, n ); 04497 switch( ret ) 04498 { 04499 case 0: /*ok*/ 04500 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 04501 /* Ignore certificate with an unknown algorithm: maybe a 04502 prior certificate was already trusted. */ 04503 break; 04504 04505 case MBEDTLS_ERR_X509_ALLOC_FAILED: 04506 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; 04507 goto crt_parse_der_failed; 04508 04509 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 04510 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04511 goto crt_parse_der_failed; 04512 04513 default: 04514 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 04515 crt_parse_der_failed: 04516 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert ); 04517 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); 04518 return( ret ); 04519 } 04520 04521 i += n; 04522 } 04523 04524 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); 04525 04526 /* 04527 * On client, make sure the server cert doesn't change during renego to 04528 * avoid "triple handshake" attack: https://secure-resumption.com/ 04529 */ 04530 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 04531 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 04532 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04533 { 04534 if( ssl->session->peer_cert == NULL ) 04535 { 04536 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); 04537 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04538 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); 04539 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04540 } 04541 04542 if( ssl->session->peer_cert->raw.len != 04543 ssl->session_negotiate->peer_cert->raw.len || 04544 memcmp( ssl->session->peer_cert->raw.p, 04545 ssl->session_negotiate->peer_cert->raw.p, 04546 ssl->session->peer_cert->raw.len ) != 0 ) 04547 { 04548 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) ); 04549 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04550 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); 04551 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04552 } 04553 } 04554 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 04555 04556 if( authmode != MBEDTLS_SSL_VERIFY_NONE ) 04557 { 04558 mbedtls_x509_crt *ca_chain; 04559 mbedtls_x509_crl *ca_crl; 04560 04561 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04562 if( ssl->handshake->sni_ca_chain != NULL ) 04563 { 04564 ca_chain = ssl->handshake->sni_ca_chain; 04565 ca_crl = ssl->handshake->sni_ca_crl; 04566 } 04567 else 04568 #endif 04569 { 04570 ca_chain = ssl->conf->ca_chain; 04571 ca_crl = ssl->conf->ca_crl; 04572 } 04573 04574 /* 04575 * Main check: verify certificate 04576 */ 04577 ret = mbedtls_x509_crt_verify_with_profile( 04578 ssl->session_negotiate->peer_cert, 04579 ca_chain, ca_crl, 04580 ssl->conf->cert_profile, 04581 ssl->hostname, 04582 &ssl->session_negotiate->verify_result, 04583 ssl->conf->f_vrfy, ssl->conf->p_vrfy ); 04584 04585 if( ret != 0 ) 04586 { 04587 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); 04588 } 04589 04590 /* 04591 * Secondary checks: always done, but change 'ret' only if it was 0 04592 */ 04593 04594 #if defined(MBEDTLS_ECP_C) 04595 { 04596 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; 04597 04598 /* If certificate uses an EC key, make sure the curve is OK */ 04599 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && 04600 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id ) != 0 ) 04601 { 04602 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; 04603 04604 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); 04605 if( ret == 0 ) 04606 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04607 } 04608 } 04609 #endif /* MBEDTLS_ECP_C */ 04610 04611 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, 04612 ciphersuite_info, 04613 ! ssl->conf->endpoint, 04614 &ssl->session_negotiate->verify_result ) != 0 ) 04615 { 04616 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); 04617 if( ret == 0 ) 04618 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04619 } 04620 04621 /* mbedtls_x509_crt_verify_with_profile is supposed to report a 04622 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, 04623 * with details encoded in the verification flags. All other kinds 04624 * of error codes, including those from the user provided f_vrfy 04625 * functions, are treated as fatal and lead to a failure of 04626 * ssl_parse_certificate even if verification was optional. */ 04627 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && 04628 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || 04629 ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) ) 04630 { 04631 ret = 0; 04632 } 04633 04634 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) 04635 { 04636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); 04637 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; 04638 } 04639 04640 if( ret != 0 ) 04641 { 04642 /* The certificate may have been rejected for several reasons. 04643 Pick one and send the corresponding alert. Which alert to send 04644 may be a subject of debate in some cases. */ 04645 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER ) 04646 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; 04647 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) 04648 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 04649 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE ) 04650 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04651 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE ) 04652 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04653 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE ) 04654 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04655 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK ) 04656 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04657 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY ) 04658 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04659 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) 04660 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; 04661 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED ) 04662 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; 04663 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) 04664 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; 04665 else 04666 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; 04667 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04668 alert ); 04669 } 04670 04671 #if defined(MBEDTLS_DEBUG_C) 04672 if( ssl->session_negotiate->verify_result != 0 ) 04673 { 04674 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x", 04675 ssl->session_negotiate->verify_result ) ); 04676 } 04677 else 04678 { 04679 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); 04680 } 04681 #endif /* MBEDTLS_DEBUG_C */ 04682 } 04683 04684 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 04685 04686 return( ret ); 04687 } 04688 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 04689 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 04690 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 04691 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 04692 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 04693 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 04694 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 04695 04696 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) 04697 { 04698 int ret; 04699 04700 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 04701 04702 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 04703 ssl->out_msglen = 1; 04704 ssl->out_msg[0] = 1; 04705 04706 ssl->state++; 04707 04708 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04709 { 04710 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04711 return( ret ); 04712 } 04713 04714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 04715 04716 return( 0 ); 04717 } 04718 04719 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) 04720 { 04721 int ret; 04722 04723 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 04724 04725 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04726 { 04727 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04728 return( ret ); 04729 } 04730 04731 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 04732 { 04733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04734 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04735 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 04736 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04737 } 04738 04739 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 ) 04740 { 04741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04742 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04743 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04744 return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); 04745 } 04746 04747 /* 04748 * Switch to our negotiated transform and session parameters for inbound 04749 * data. 04750 */ 04751 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); 04752 ssl->transform_in = ssl->transform_negotiate; 04753 ssl->session_in = ssl->session_negotiate; 04754 04755 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04756 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04757 { 04758 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 04759 ssl_dtls_replay_reset( ssl ); 04760 #endif 04761 04762 /* Increment epoch */ 04763 if( ++ssl->in_epoch == 0 ) 04764 { 04765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 04766 /* This is highly unlikely to happen for legitimate reasons, so 04767 treat it as an attack and don't send an alert. */ 04768 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 04769 } 04770 } 04771 else 04772 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 04773 memset( ssl->in_ctr, 0, 8 ); 04774 04775 /* 04776 * Set the in_msg pointer to the correct location based on IV length 04777 */ 04778 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 04779 { 04780 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen - 04781 ssl->transform_negotiate->fixed_ivlen; 04782 } 04783 else 04784 ssl->in_msg = ssl->in_iv; 04785 04786 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 04787 if( mbedtls_ssl_hw_record_activate != NULL ) 04788 { 04789 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) 04790 { 04791 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 04792 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04793 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 04794 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 04795 } 04796 } 04797 #endif 04798 04799 ssl->state++; 04800 04801 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 04802 04803 return( 0 ); 04804 } 04805 04806 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, 04807 const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) 04808 { 04809 ((void) ciphersuite_info); 04810 04811 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04812 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04813 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 04814 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; 04815 else 04816 #endif 04817 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04818 #if defined(MBEDTLS_SHA512_C) 04819 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 04820 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 04821 else 04822 #endif 04823 #if defined(MBEDTLS_SHA256_C) 04824 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) 04825 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 04826 else 04827 #endif 04828 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04829 { 04830 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04831 return; 04832 } 04833 } 04834 04835 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) 04836 { 04837 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04838 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04839 mbedtls_md5_starts( &ssl->handshake->fin_md5 ); 04840 mbedtls_sha1_starts( &ssl->handshake->fin_sha1 ); 04841 #endif 04842 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04843 #if defined(MBEDTLS_SHA256_C) 04844 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); 04845 #endif 04846 #if defined(MBEDTLS_SHA512_C) 04847 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); 04848 #endif 04849 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04850 } 04851 04852 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, 04853 const unsigned char *buf, size_t len ) 04854 { 04855 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04856 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04857 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04858 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04859 #endif 04860 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04861 #if defined(MBEDTLS_SHA256_C) 04862 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04863 #endif 04864 #if defined(MBEDTLS_SHA512_C) 04865 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04866 #endif 04867 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04868 } 04869 04870 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04871 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04872 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, 04873 const unsigned char *buf, size_t len ) 04874 { 04875 mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); 04876 mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); 04877 } 04878 #endif 04879 04880 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04881 #if defined(MBEDTLS_SHA256_C) 04882 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, 04883 const unsigned char *buf, size_t len ) 04884 { 04885 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); 04886 } 04887 #endif 04888 04889 #if defined(MBEDTLS_SHA512_C) 04890 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, 04891 const unsigned char *buf, size_t len ) 04892 { 04893 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); 04894 } 04895 #endif 04896 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04897 04898 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04899 static void ssl_calc_finished_ssl( 04900 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04901 { 04902 const char *sender; 04903 mbedtls_md5_context md5; 04904 mbedtls_sha1_context sha1; 04905 04906 unsigned char padbuf[48]; 04907 unsigned char md5sum[16]; 04908 unsigned char sha1sum[20]; 04909 04910 mbedtls_ssl_session *session = ssl->session_negotiate; 04911 if( !session ) 04912 session = ssl->session; 04913 04914 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) ); 04915 04916 mbedtls_md5_init( &md5 ); 04917 mbedtls_sha1_init( &sha1 ); 04918 04919 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04920 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04921 04922 /* 04923 * SSLv3: 04924 * hash = 04925 * MD5( master + pad2 + 04926 * MD5( handshake + sender + master + pad1 ) ) 04927 * + SHA1( master + pad2 + 04928 * SHA1( handshake + sender + master + pad1 ) ) 04929 */ 04930 04931 #if !defined(MBEDTLS_MD5_ALT) 04932 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04933 md5.state , sizeof( md5.state ) ); 04934 #endif 04935 04936 #if !defined(MBEDTLS_SHA1_ALT) 04937 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04938 sha1.state , sizeof( sha1.state ) ); 04939 #endif 04940 04941 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT" 04942 : "SRVR"; 04943 04944 memset( padbuf, 0x36, 48 ); 04945 04946 mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 ); 04947 mbedtls_md5_update( &md5, session->master, 48 ); 04948 mbedtls_md5_update( &md5, padbuf, 48 ); 04949 mbedtls_md5_finish( &md5, md5sum ); 04950 04951 mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 ); 04952 mbedtls_sha1_update( &sha1, session->master, 48 ); 04953 mbedtls_sha1_update( &sha1, padbuf, 40 ); 04954 mbedtls_sha1_finish( &sha1, sha1sum ); 04955 04956 memset( padbuf, 0x5C, 48 ); 04957 04958 mbedtls_md5_starts( &md5 ); 04959 mbedtls_md5_update( &md5, session->master, 48 ); 04960 mbedtls_md5_update( &md5, padbuf, 48 ); 04961 mbedtls_md5_update( &md5, md5sum, 16 ); 04962 mbedtls_md5_finish( &md5, buf ); 04963 04964 mbedtls_sha1_starts( &sha1 ); 04965 mbedtls_sha1_update( &sha1, session->master, 48 ); 04966 mbedtls_sha1_update( &sha1, padbuf , 40 ); 04967 mbedtls_sha1_update( &sha1, sha1sum, 20 ); 04968 mbedtls_sha1_finish( &sha1, buf + 16 ); 04969 04970 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); 04971 04972 mbedtls_md5_free( &md5 ); 04973 mbedtls_sha1_free( &sha1 ); 04974 04975 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 04976 mbedtls_zeroize( md5sum, sizeof( md5sum ) ); 04977 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 04978 04979 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 04980 } 04981 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04982 04983 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 04984 static void ssl_calc_finished_tls( 04985 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04986 { 04987 int len = 12; 04988 const char *sender; 04989 mbedtls_md5_context md5; 04990 mbedtls_sha1_context sha1; 04991 unsigned char padbuf[36]; 04992 04993 mbedtls_ssl_session *session = ssl->session_negotiate; 04994 if( !session ) 04995 session = ssl->session; 04996 04997 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); 04998 04999 mbedtls_md5_init( &md5 ); 05000 mbedtls_sha1_init( &sha1 ); 05001 05002 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 05003 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 05004 05005 /* 05006 * TLSv1: 05007 * hash = PRF( master, finished_label, 05008 * MD5( handshake ) + SHA1( handshake ) )[0..11] 05009 */ 05010 05011 #if !defined(MBEDTLS_MD5_ALT) 05012 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 05013 md5.state , sizeof( md5.state ) ); 05014 #endif 05015 05016 #if !defined(MBEDTLS_SHA1_ALT) 05017 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 05018 sha1.state , sizeof( sha1.state ) ); 05019 #endif 05020 05021 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05022 ? "client finished" 05023 : "server finished"; 05024 05025 mbedtls_md5_finish( &md5, padbuf ); 05026 mbedtls_sha1_finish( &sha1, padbuf + 16 ); 05027 05028 ssl->handshake->tls_prf( session->master, 48, sender, 05029 padbuf, 36, buf, len ); 05030 05031 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05032 05033 mbedtls_md5_free( &md5 ); 05034 mbedtls_sha1_free( &sha1 ); 05035 05036 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 05037 05038 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05039 } 05040 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 05041 05042 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05043 #if defined(MBEDTLS_SHA256_C) 05044 static void ssl_calc_finished_tls_sha256( 05045 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05046 { 05047 int len = 12; 05048 const char *sender; 05049 mbedtls_sha256_context sha256; 05050 unsigned char padbuf[32]; 05051 05052 mbedtls_ssl_session *session = ssl->session_negotiate; 05053 if( !session ) 05054 session = ssl->session; 05055 05056 mbedtls_sha256_init( &sha256 ); 05057 05058 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); 05059 05060 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 05061 05062 /* 05063 * TLSv1.2: 05064 * hash = PRF( master, finished_label, 05065 * Hash( handshake ) )[0.11] 05066 */ 05067 05068 #if !defined(MBEDTLS_SHA256_ALT) 05069 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *) 05070 sha256.state , sizeof( sha256.state ) ); 05071 #endif 05072 05073 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05074 ? "client finished" 05075 : "server finished"; 05076 05077 mbedtls_sha256_finish( &sha256, padbuf ); 05078 05079 ssl->handshake->tls_prf( session->master, 48, sender, 05080 padbuf, 32, buf, len ); 05081 05082 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05083 05084 mbedtls_sha256_free( &sha256 ); 05085 05086 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 05087 05088 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05089 } 05090 #endif /* MBEDTLS_SHA256_C */ 05091 05092 #if defined(MBEDTLS_SHA512_C) 05093 static void ssl_calc_finished_tls_sha384( 05094 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05095 { 05096 int len = 12; 05097 const char *sender; 05098 mbedtls_sha512_context sha512; 05099 unsigned char padbuf[48]; 05100 05101 mbedtls_ssl_session *session = ssl->session_negotiate; 05102 if( !session ) 05103 session = ssl->session; 05104 05105 mbedtls_sha512_init( &sha512 ); 05106 05107 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); 05108 05109 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 05110 05111 /* 05112 * TLSv1.2: 05113 * hash = PRF( master, finished_label, 05114 * Hash( handshake ) )[0.11] 05115 */ 05116 05117 #if !defined(MBEDTLS_SHA512_ALT) 05118 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *) 05119 sha512.state , sizeof( sha512.state ) ); 05120 #endif 05121 05122 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05123 ? "client finished" 05124 : "server finished"; 05125 05126 mbedtls_sha512_finish( &sha512, padbuf ); 05127 05128 ssl->handshake->tls_prf( session->master, 48, sender, 05129 padbuf, 48, buf, len ); 05130 05131 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05132 05133 mbedtls_sha512_free( &sha512 ); 05134 05135 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 05136 05137 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05138 } 05139 #endif /* MBEDTLS_SHA512_C */ 05140 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05141 05142 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) 05143 { 05144 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) ); 05145 05146 /* 05147 * Free our handshake params 05148 */ 05149 mbedtls_ssl_handshake_free( ssl->handshake ); 05150 mbedtls_free( ssl->handshake ); 05151 ssl->handshake = NULL; 05152 05153 /* 05154 * Free the previous transform and swith in the current one 05155 */ 05156 if( ssl->transform ) 05157 { 05158 mbedtls_ssl_transform_free( ssl->transform ); 05159 mbedtls_free( ssl->transform ); 05160 } 05161 ssl->transform = ssl->transform_negotiate; 05162 ssl->transform_negotiate = NULL; 05163 05164 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) ); 05165 } 05166 05167 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) 05168 { 05169 int resume = ssl->handshake->resume; 05170 05171 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); 05172 05173 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05174 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 05175 { 05176 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 05177 ssl->renego_records_seen = 0; 05178 } 05179 #endif 05180 05181 /* 05182 * Free the previous session and switch in the current one 05183 */ 05184 if( ssl->session ) 05185 { 05186 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 05187 /* RFC 7366 3.1: keep the EtM state */ 05188 ssl->session_negotiate->encrypt_then_mac = 05189 ssl->session->encrypt_then_mac; 05190 #endif 05191 05192 mbedtls_ssl_session_free( ssl->session ); 05193 mbedtls_free( ssl->session ); 05194 } 05195 ssl->session = ssl->session_negotiate; 05196 ssl->session_negotiate = NULL; 05197 05198 /* 05199 * Add cache entry 05200 */ 05201 if( ssl->conf->f_set_cache != NULL && 05202 ssl->session->id_len != 0 && 05203 resume == 0 ) 05204 { 05205 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) 05206 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); 05207 } 05208 05209 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05210 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 05211 ssl->handshake->flight != NULL ) 05212 { 05213 /* Cancel handshake timer */ 05214 ssl_set_timer( ssl, 0 ); 05215 05216 /* Keep last flight around in case we need to resend it: 05217 * we need the handshake and transform structures for that */ 05218 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) ); 05219 } 05220 else 05221 #endif 05222 ssl_handshake_wrapup_free_hs_transform( ssl ); 05223 05224 ssl->state++; 05225 05226 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); 05227 } 05228 05229 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) 05230 { 05231 int ret, hash_len; 05232 05233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); 05234 05235 /* 05236 * Set the out_msg pointer to the correct location based on IV length 05237 */ 05238 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 05239 { 05240 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen - 05241 ssl->transform_negotiate->fixed_ivlen; 05242 } 05243 else 05244 ssl->out_msg = ssl->out_iv; 05245 05246 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); 05247 05248 /* 05249 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 05250 * may define some other value. Currently (early 2016), no defined 05251 * ciphersuite does this (and this is unlikely to change as activity has 05252 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 05253 */ 05254 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; 05255 05256 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05257 ssl->verify_data_len = hash_len; 05258 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); 05259 #endif 05260 05261 ssl->out_msglen = 4 + hash_len; 05262 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 05263 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 05264 05265 /* 05266 * In case of session resuming, invert the client and server 05267 * ChangeCipherSpec messages order. 05268 */ 05269 if( ssl->handshake->resume != 0 ) 05270 { 05271 #if defined(MBEDTLS_SSL_CLI_C) 05272 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05273 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05274 #endif 05275 #if defined(MBEDTLS_SSL_SRV_C) 05276 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05277 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05278 #endif 05279 } 05280 else 05281 ssl->state++; 05282 05283 /* 05284 * Switch to our negotiated transform and session parameters for outbound 05285 * data. 05286 */ 05287 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); 05288 05289 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05290 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05291 { 05292 unsigned char i; 05293 05294 /* Remember current epoch settings for resending */ 05295 ssl->handshake->alt_transform_out = ssl->transform_out; 05296 memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); 05297 05298 /* Set sequence_number to zero */ 05299 memset( ssl->out_ctr + 2, 0, 6 ); 05300 05301 /* Increment epoch */ 05302 for( i = 2; i > 0; i-- ) 05303 if( ++ssl->out_ctr[i - 1] != 0 ) 05304 break; 05305 05306 /* The loop goes to its end iff the counter is wrapping */ 05307 if( i == 0 ) 05308 { 05309 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 05310 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 05311 } 05312 } 05313 else 05314 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 05315 memset( ssl->out_ctr, 0, 8 ); 05316 05317 ssl->transform_out = ssl->transform_negotiate; 05318 ssl->session_out = ssl->session_negotiate; 05319 05320 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05321 if( mbedtls_ssl_hw_record_activate != NULL ) 05322 { 05323 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 05324 { 05325 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 05326 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05327 } 05328 } 05329 #endif 05330 05331 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05332 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05333 mbedtls_ssl_send_flight_completed( ssl ); 05334 #endif 05335 05336 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 05337 { 05338 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 05339 return( ret ); 05340 } 05341 05342 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); 05343 05344 return( 0 ); 05345 } 05346 05347 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05348 #define SSL_MAX_HASH_LEN 36 05349 #else 05350 #define SSL_MAX_HASH_LEN 12 05351 #endif 05352 05353 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) 05354 { 05355 int ret; 05356 unsigned int hash_len; 05357 unsigned char buf[SSL_MAX_HASH_LEN]; 05358 05359 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); 05360 05361 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); 05362 05363 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 05364 { 05365 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 05366 return( ret ); 05367 } 05368 05369 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 05370 { 05371 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05372 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05373 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 05374 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 05375 } 05376 05377 /* There is currently no ciphersuite using another length with TLS 1.2 */ 05378 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05379 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 05380 hash_len = 36; 05381 else 05382 #endif 05383 hash_len = 12; 05384 05385 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED || 05386 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) 05387 { 05388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05389 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05390 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 05391 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05392 } 05393 05394 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), 05395 buf, hash_len ) != 0 ) 05396 { 05397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05398 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05399 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 05400 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05401 } 05402 05403 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05404 ssl->verify_data_len = hash_len; 05405 memcpy( ssl->peer_verify_data, buf, hash_len ); 05406 #endif 05407 05408 if( ssl->handshake->resume != 0 ) 05409 { 05410 #if defined(MBEDTLS_SSL_CLI_C) 05411 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05412 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05413 #endif 05414 #if defined(MBEDTLS_SSL_SRV_C) 05415 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05416 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05417 #endif 05418 } 05419 else 05420 ssl->state++; 05421 05422 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05423 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05424 mbedtls_ssl_recv_flight_completed( ssl ); 05425 #endif 05426 05427 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); 05428 05429 return( 0 ); 05430 } 05431 05432 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) 05433 { 05434 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); 05435 05436 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 05437 defined(MBEDTLS_SSL_PROTO_TLS1_1) 05438 mbedtls_md5_init( &handshake->fin_md5 ); 05439 mbedtls_sha1_init( &handshake->fin_sha1 ); 05440 mbedtls_md5_starts( &handshake->fin_md5 ); 05441 mbedtls_sha1_starts( &handshake->fin_sha1 ); 05442 #endif 05443 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05444 #if defined(MBEDTLS_SHA256_C) 05445 mbedtls_sha256_init( &handshake->fin_sha256 ); 05446 mbedtls_sha256_starts( &handshake->fin_sha256, 0 ); 05447 #endif 05448 #if defined(MBEDTLS_SHA512_C) 05449 mbedtls_sha512_init( &handshake->fin_sha512 ); 05450 mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); 05451 #endif 05452 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05453 05454 handshake->update_checksum = ssl_update_checksum_start; 05455 05456 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 05457 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 05458 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs ); 05459 #endif 05460 05461 #if defined(MBEDTLS_DHM_C) 05462 mbedtls_dhm_init( &handshake->dhm_ctx ); 05463 #endif 05464 #if defined(MBEDTLS_ECDH_C) 05465 mbedtls_ecdh_init( &handshake->ecdh_ctx ); 05466 #endif 05467 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05468 mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); 05469 #if defined(MBEDTLS_SSL_CLI_C) 05470 handshake->ecjpake_cache = NULL; 05471 handshake->ecjpake_cache_len = 0; 05472 #endif 05473 #endif 05474 05475 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05476 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 05477 #endif 05478 } 05479 05480 static void ssl_transform_init( mbedtls_ssl_transform *transform ) 05481 { 05482 memset( transform, 0, sizeof(mbedtls_ssl_transform) ); 05483 05484 mbedtls_cipher_init( &transform->cipher_ctx_enc ); 05485 mbedtls_cipher_init( &transform->cipher_ctx_dec ); 05486 05487 mbedtls_md_init( &transform->md_ctx_enc ); 05488 mbedtls_md_init( &transform->md_ctx_dec ); 05489 } 05490 05491 void mbedtls_ssl_session_init( mbedtls_ssl_session *session ) 05492 { 05493 memset( session, 0, sizeof(mbedtls_ssl_session) ); 05494 } 05495 05496 static int ssl_handshake_init( mbedtls_ssl_context *ssl ) 05497 { 05498 /* Clear old handshake information if present */ 05499 if( ssl->transform_negotiate ) 05500 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 05501 if( ssl->session_negotiate ) 05502 mbedtls_ssl_session_free( ssl->session_negotiate ); 05503 if( ssl->handshake ) 05504 mbedtls_ssl_handshake_free( ssl->handshake ); 05505 05506 /* 05507 * Either the pointers are now NULL or cleared properly and can be freed. 05508 * Now allocate missing structures. 05509 */ 05510 if( ssl->transform_negotiate == NULL ) 05511 { 05512 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) ); 05513 } 05514 05515 if( ssl->session_negotiate == NULL ) 05516 { 05517 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) ); 05518 } 05519 05520 if( ssl->handshake == NULL ) 05521 { 05522 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) ); 05523 } 05524 05525 /* All pointers should exist and can be directly freed without issue */ 05526 if( ssl->handshake == NULL || 05527 ssl->transform_negotiate == NULL || 05528 ssl->session_negotiate == NULL ) 05529 { 05530 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) ); 05531 05532 mbedtls_free( ssl->handshake ); 05533 mbedtls_free( ssl->transform_negotiate ); 05534 mbedtls_free( ssl->session_negotiate ); 05535 05536 ssl->handshake = NULL; 05537 ssl->transform_negotiate = NULL; 05538 ssl->session_negotiate = NULL; 05539 05540 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05541 } 05542 05543 /* Initialize structures */ 05544 mbedtls_ssl_session_init( ssl->session_negotiate ); 05545 ssl_transform_init( ssl->transform_negotiate ); 05546 ssl_handshake_params_init( ssl->handshake ); 05547 05548 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05549 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05550 { 05551 ssl->handshake->alt_transform_out = ssl->transform_out; 05552 05553 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05554 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 05555 else 05556 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 05557 05558 ssl_set_timer( ssl, 0 ); 05559 } 05560 #endif 05561 05562 return( 0 ); 05563 } 05564 05565 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05566 /* Dummy cookie callbacks for defaults */ 05567 static int ssl_cookie_write_dummy( void *ctx, 05568 unsigned char **p, unsigned char *end, 05569 const unsigned char *cli_id, size_t cli_id_len ) 05570 { 05571 ((void) ctx); 05572 ((void) p); 05573 ((void) end); 05574 ((void) cli_id); 05575 ((void) cli_id_len); 05576 05577 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05578 } 05579 05580 static int ssl_cookie_check_dummy( void *ctx, 05581 const unsigned char *cookie, size_t cookie_len, 05582 const unsigned char *cli_id, size_t cli_id_len ) 05583 { 05584 ((void) ctx); 05585 ((void) cookie); 05586 ((void) cookie_len); 05587 ((void) cli_id); 05588 ((void) cli_id_len); 05589 05590 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05591 } 05592 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 05593 05594 /* 05595 * Initialize an SSL context 05596 */ 05597 void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) 05598 { 05599 memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); 05600 } 05601 05602 /* 05603 * Setup an SSL context 05604 */ 05605 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, 05606 const mbedtls_ssl_config *conf ) 05607 { 05608 int ret; 05609 const size_t len = MBEDTLS_SSL_BUFFER_LEN; 05610 05611 ssl->conf = conf; 05612 05613 /* 05614 * Prepare base structures 05615 */ 05616 if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL || 05617 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL ) 05618 { 05619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) ); 05620 mbedtls_free( ssl->in_buf ); 05621 ssl->in_buf = NULL; 05622 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05623 } 05624 05625 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05626 if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05627 { 05628 ssl->out_hdr = ssl->out_buf; 05629 ssl->out_ctr = ssl->out_buf + 3; 05630 ssl->out_len = ssl->out_buf + 11; 05631 ssl->out_iv = ssl->out_buf + 13; 05632 ssl->out_msg = ssl->out_buf + 13; 05633 05634 ssl->in_hdr = ssl->in_buf; 05635 ssl->in_ctr = ssl->in_buf + 3; 05636 ssl->in_len = ssl->in_buf + 11; 05637 ssl->in_iv = ssl->in_buf + 13; 05638 ssl->in_msg = ssl->in_buf + 13; 05639 } 05640 else 05641 #endif 05642 { 05643 ssl->out_ctr = ssl->out_buf; 05644 ssl->out_hdr = ssl->out_buf + 8; 05645 ssl->out_len = ssl->out_buf + 11; 05646 ssl->out_iv = ssl->out_buf + 13; 05647 ssl->out_msg = ssl->out_buf + 13; 05648 05649 ssl->in_ctr = ssl->in_buf; 05650 ssl->in_hdr = ssl->in_buf + 8; 05651 ssl->in_len = ssl->in_buf + 11; 05652 ssl->in_iv = ssl->in_buf + 13; 05653 ssl->in_msg = ssl->in_buf + 13; 05654 } 05655 05656 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05657 return( ret ); 05658 05659 return( 0 ); 05660 } 05661 05662 /* 05663 * Reset an initialized and used SSL context for re-use while retaining 05664 * all application-set variables, function pointers and data. 05665 * 05666 * If partial is non-zero, keep data in the input buffer and client ID. 05667 * (Use when a DTLS client reconnects from the same port.) 05668 */ 05669 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) 05670 { 05671 int ret; 05672 05673 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 05674 05675 /* Cancel any possibly running timer */ 05676 ssl_set_timer( ssl, 0 ); 05677 05678 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05679 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 05680 ssl->renego_records_seen = 0; 05681 05682 ssl->verify_data_len = 0; 05683 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05684 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05685 #endif 05686 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 05687 05688 ssl->in_offt = NULL; 05689 05690 ssl->in_msg = ssl->in_buf + 13; 05691 ssl->in_msgtype = 0; 05692 ssl->in_msglen = 0; 05693 if( partial == 0 ) 05694 ssl->in_left = 0; 05695 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05696 ssl->next_record_offset = 0; 05697 ssl->in_epoch = 0; 05698 #endif 05699 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05700 ssl_dtls_replay_reset( ssl ); 05701 #endif 05702 05703 ssl->in_hslen = 0; 05704 ssl->nb_zero = 0; 05705 05706 ssl->keep_current_message = 0; 05707 05708 ssl->out_msg = ssl->out_buf + 13; 05709 ssl->out_msgtype = 0; 05710 ssl->out_msglen = 0; 05711 ssl->out_left = 0; 05712 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 05713 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ) 05714 ssl->split_done = 0; 05715 #endif 05716 05717 ssl->transform_in = NULL; 05718 ssl->transform_out = NULL; 05719 05720 memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05721 if( partial == 0 ) 05722 memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05723 05724 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05725 if( mbedtls_ssl_hw_record_reset != NULL ) 05726 { 05727 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) ); 05728 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 ) 05729 { 05730 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret ); 05731 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05732 } 05733 } 05734 #endif 05735 05736 if( ssl->transform ) 05737 { 05738 mbedtls_ssl_transform_free( ssl->transform ); 05739 mbedtls_free( ssl->transform ); 05740 ssl->transform = NULL; 05741 } 05742 05743 if( ssl->session ) 05744 { 05745 mbedtls_ssl_session_free( ssl->session ); 05746 mbedtls_free( ssl->session ); 05747 ssl->session = NULL; 05748 } 05749 05750 #if defined(MBEDTLS_SSL_ALPN) 05751 ssl->alpn_chosen = NULL; 05752 #endif 05753 05754 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05755 if( partial == 0 ) 05756 { 05757 mbedtls_free( ssl->cli_id ); 05758 ssl->cli_id = NULL; 05759 ssl->cli_id_len = 0; 05760 } 05761 #endif 05762 05763 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05764 return( ret ); 05765 05766 return( 0 ); 05767 } 05768 05769 /* 05770 * Reset an initialized and used SSL context for re-use while retaining 05771 * all application-set variables, function pointers and data. 05772 */ 05773 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) 05774 { 05775 return( ssl_session_reset_int( ssl, 0 ) ); 05776 } 05777 05778 /* 05779 * SSL set accessors 05780 */ 05781 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) 05782 { 05783 conf->endpoint = endpoint; 05784 } 05785 05786 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) 05787 { 05788 conf->transport = transport; 05789 } 05790 05791 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05792 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) 05793 { 05794 conf->anti_replay = mode; 05795 } 05796 #endif 05797 05798 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 05799 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) 05800 { 05801 conf->badmac_limit = limit; 05802 } 05803 #endif 05804 05805 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05806 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) 05807 { 05808 conf->hs_timeout_min = min; 05809 conf->hs_timeout_max = max; 05810 } 05811 #endif 05812 05813 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) 05814 { 05815 conf->authmode = authmode; 05816 } 05817 05818 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05819 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, 05820 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 05821 void *p_vrfy ) 05822 { 05823 conf->f_vrfy = f_vrfy; 05824 conf->p_vrfy = p_vrfy; 05825 } 05826 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05827 05828 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, 05829 int (*f_rng)(void *, unsigned char *, size_t), 05830 void *p_rng ) 05831 { 05832 conf->f_rng = f_rng; 05833 conf->p_rng = p_rng; 05834 } 05835 05836 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, 05837 void (*f_dbg)(void *, int, const char *, int, const char *), 05838 void *p_dbg ) 05839 { 05840 conf->f_dbg = f_dbg; 05841 conf->p_dbg = p_dbg; 05842 } 05843 05844 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, 05845 void *p_bio, 05846 mbedtls_ssl_send_t *f_send, 05847 mbedtls_ssl_recv_t *f_recv, 05848 mbedtls_ssl_recv_timeout_t *f_recv_timeout ) 05849 { 05850 ssl->p_bio = p_bio; 05851 ssl->f_send = f_send; 05852 ssl->f_recv = f_recv; 05853 ssl->f_recv_timeout = f_recv_timeout; 05854 } 05855 05856 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) 05857 { 05858 conf->read_timeout = timeout; 05859 } 05860 05861 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, 05862 void *p_timer, 05863 mbedtls_ssl_set_timer_t *f_set_timer, 05864 mbedtls_ssl_get_timer_t *f_get_timer ) 05865 { 05866 ssl->p_timer = p_timer; 05867 ssl->f_set_timer = f_set_timer; 05868 ssl->f_get_timer = f_get_timer; 05869 05870 /* Make sure we start with no timer running */ 05871 ssl_set_timer( ssl, 0 ); 05872 } 05873 05874 #if defined(MBEDTLS_SSL_SRV_C) 05875 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, 05876 void *p_cache, 05877 int (*f_get_cache)(void *, mbedtls_ssl_session *), 05878 int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) 05879 { 05880 conf->p_cache = p_cache; 05881 conf->f_get_cache = f_get_cache; 05882 conf->f_set_cache = f_set_cache; 05883 } 05884 #endif /* MBEDTLS_SSL_SRV_C */ 05885 05886 #if defined(MBEDTLS_SSL_CLI_C) 05887 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) 05888 { 05889 int ret; 05890 05891 if( ssl == NULL || 05892 session == NULL || 05893 ssl->session_negotiate == NULL || 05894 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 05895 { 05896 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05897 } 05898 05899 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) 05900 return( ret ); 05901 05902 ssl->handshake->resume = 1; 05903 05904 return( 0 ); 05905 } 05906 #endif /* MBEDTLS_SSL_CLI_C */ 05907 05908 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, 05909 const int *ciphersuites ) 05910 { 05911 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; 05912 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; 05913 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; 05914 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; 05915 } 05916 05917 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, 05918 const int *ciphersuites, 05919 int major, int minor ) 05920 { 05921 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) 05922 return; 05923 05924 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) 05925 return; 05926 05927 conf->ciphersuite_list [minor] = ciphersuites; 05928 } 05929 05930 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05931 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, 05932 const mbedtls_x509_crt_profile *profile ) 05933 { 05934 conf->cert_profile = profile; 05935 } 05936 05937 /* Append a new keycert entry to a (possibly empty) list */ 05938 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, 05939 mbedtls_x509_crt *cert, 05940 mbedtls_pk_context *key ) 05941 { 05942 mbedtls_ssl_key_cert *new; 05943 05944 new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) ); 05945 if( new == NULL ) 05946 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05947 05948 new->cert = cert; 05949 new->key = key; 05950 new->next = NULL; 05951 05952 /* Update head is the list was null, else add to the end */ 05953 if( *head == NULL ) 05954 { 05955 *head = new; 05956 } 05957 else 05958 { 05959 mbedtls_ssl_key_cert *cur = *head; 05960 while( cur->next != NULL ) 05961 cur = cur->next; 05962 cur->next = new; 05963 } 05964 05965 return( 0 ); 05966 } 05967 05968 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, 05969 mbedtls_x509_crt *own_cert, 05970 mbedtls_pk_context *pk_key ) 05971 { 05972 return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) ); 05973 } 05974 05975 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, 05976 mbedtls_x509_crt *ca_chain, 05977 mbedtls_x509_crl *ca_crl ) 05978 { 05979 conf->ca_chain = ca_chain; 05980 conf->ca_crl = ca_crl; 05981 } 05982 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05983 05984 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05985 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, 05986 mbedtls_x509_crt *own_cert, 05987 mbedtls_pk_context *pk_key ) 05988 { 05989 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, 05990 own_cert, pk_key ) ); 05991 } 05992 05993 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, 05994 mbedtls_x509_crt *ca_chain, 05995 mbedtls_x509_crl *ca_crl ) 05996 { 05997 ssl->handshake->sni_ca_chain = ca_chain; 05998 ssl->handshake->sni_ca_crl = ca_crl; 05999 } 06000 06001 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, 06002 int authmode ) 06003 { 06004 ssl->handshake->sni_authmode = authmode; 06005 } 06006 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06007 06008 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06009 /* 06010 * Set EC J-PAKE password for current handshake 06011 */ 06012 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, 06013 const unsigned char *pw, 06014 size_t pw_len ) 06015 { 06016 mbedtls_ecjpake_role role; 06017 06018 if( ssl->handshake == NULL || ssl->conf == NULL ) 06019 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06020 06021 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06022 role = MBEDTLS_ECJPAKE_SERVER; 06023 else 06024 role = MBEDTLS_ECJPAKE_CLIENT; 06025 06026 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx, 06027 role, 06028 MBEDTLS_MD_SHA256, 06029 MBEDTLS_ECP_DP_SECP256R1 , 06030 pw, pw_len ) ); 06031 } 06032 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 06033 06034 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 06035 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, 06036 const unsigned char *psk, size_t psk_len, 06037 const unsigned char *psk_identity, size_t psk_identity_len ) 06038 { 06039 if( psk == NULL || psk_identity == NULL ) 06040 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06041 06042 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 06043 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06044 06045 /* Identity len will be encoded on two bytes */ 06046 if( ( psk_identity_len >> 16 ) != 0 || 06047 psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06048 { 06049 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06050 } 06051 06052 if( conf->psk != NULL || conf->psk_identity != NULL ) 06053 { 06054 mbedtls_free( conf->psk ); 06055 mbedtls_free( conf->psk_identity ); 06056 conf->psk = NULL; 06057 conf->psk_identity = NULL; 06058 } 06059 06060 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL || 06061 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL ) 06062 { 06063 mbedtls_free( conf->psk ); 06064 mbedtls_free( conf->psk_identity ); 06065 conf->psk = NULL; 06066 conf->psk_identity = NULL; 06067 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06068 } 06069 06070 conf->psk_len = psk_len; 06071 conf->psk_identity_len = psk_identity_len; 06072 06073 memcpy( conf->psk , psk, conf->psk_len ); 06074 memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len ); 06075 06076 return( 0 ); 06077 } 06078 06079 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, 06080 const unsigned char *psk, size_t psk_len ) 06081 { 06082 if( psk == NULL || ssl->handshake == NULL ) 06083 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06084 06085 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 06086 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06087 06088 if( ssl->handshake->psk != NULL ) 06089 mbedtls_free( ssl->handshake->psk ); 06090 06091 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) 06092 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06093 06094 ssl->handshake->psk_len = psk_len; 06095 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); 06096 06097 return( 0 ); 06098 } 06099 06100 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, 06101 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 06102 size_t), 06103 void *p_psk ) 06104 { 06105 conf->f_psk = f_psk; 06106 conf->p_psk = p_psk; 06107 } 06108 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 06109 06110 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 06111 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) 06112 { 06113 int ret; 06114 06115 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 || 06116 ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 ) 06117 { 06118 mbedtls_mpi_free( &conf->dhm_P ); 06119 mbedtls_mpi_free( &conf->dhm_G ); 06120 return( ret ); 06121 } 06122 06123 return( 0 ); 06124 } 06125 06126 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) 06127 { 06128 int ret; 06129 06130 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P ) ) != 0 || 06131 ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G ) ) != 0 ) 06132 { 06133 mbedtls_mpi_free( &conf->dhm_P ); 06134 mbedtls_mpi_free( &conf->dhm_G ); 06135 return( ret ); 06136 } 06137 06138 return( 0 ); 06139 } 06140 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 06141 06142 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 06143 /* 06144 * Set the minimum length for Diffie-Hellman parameters 06145 */ 06146 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, 06147 unsigned int bitlen ) 06148 { 06149 conf->dhm_min_bitlen = bitlen; 06150 } 06151 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 06152 06153 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 06154 /* 06155 * Set allowed/preferred hashes for handshake signatures 06156 */ 06157 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, 06158 const int *hashes ) 06159 { 06160 conf->sig_hashes = hashes; 06161 } 06162 #endif 06163 06164 #if defined(MBEDTLS_ECP_C) 06165 /* 06166 * Set the allowed elliptic curves 06167 */ 06168 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, 06169 const mbedtls_ecp_group_id *curve_list ) 06170 { 06171 conf->curve_list = curve_list; 06172 } 06173 #endif 06174 06175 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06176 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) 06177 { 06178 size_t hostname_len; 06179 06180 if( hostname == NULL ) 06181 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06182 06183 hostname_len = strlen( hostname ); 06184 06185 if( hostname_len + 1 == 0 ) 06186 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06187 06188 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) 06189 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06190 06191 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); 06192 06193 if( ssl->hostname == NULL ) 06194 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06195 06196 memcpy( ssl->hostname, hostname, hostname_len ); 06197 06198 ssl->hostname[hostname_len] = '\0'; 06199 06200 return( 0 ); 06201 } 06202 #endif 06203 06204 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06205 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, 06206 int (*f_sni)(void *, mbedtls_ssl_context *, 06207 const unsigned char *, size_t), 06208 void *p_sni ) 06209 { 06210 conf->f_sni = f_sni; 06211 conf->p_sni = p_sni; 06212 } 06213 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06214 06215 #if defined(MBEDTLS_SSL_ALPN) 06216 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) 06217 { 06218 size_t cur_len, tot_len; 06219 const char **p; 06220 06221 /* 06222 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings 06223 * MUST NOT be truncated." 06224 * We check lengths now rather than later. 06225 */ 06226 tot_len = 0; 06227 for( p = protos; *p != NULL; p++ ) 06228 { 06229 cur_len = strlen( *p ); 06230 tot_len += cur_len; 06231 06232 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 ) 06233 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06234 } 06235 06236 conf->alpn_list = protos; 06237 06238 return( 0 ); 06239 } 06240 06241 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) 06242 { 06243 return( ssl->alpn_chosen ); 06244 } 06245 #endif /* MBEDTLS_SSL_ALPN */ 06246 06247 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) 06248 { 06249 conf->max_major_ver = major; 06250 conf->max_minor_ver = minor; 06251 } 06252 06253 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) 06254 { 06255 conf->min_major_ver = major; 06256 conf->min_minor_ver = minor; 06257 } 06258 06259 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) 06260 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) 06261 { 06262 conf->fallback = fallback; 06263 } 06264 #endif 06265 06266 #if defined(MBEDTLS_SSL_SRV_C) 06267 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, 06268 char cert_req_ca_list ) 06269 { 06270 conf->cert_req_ca_list = cert_req_ca_list; 06271 } 06272 #endif 06273 06274 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 06275 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) 06276 { 06277 conf->encrypt_then_mac = etm; 06278 } 06279 #endif 06280 06281 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 06282 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) 06283 { 06284 conf->extended_ms = ems; 06285 } 06286 #endif 06287 06288 #if defined(MBEDTLS_ARC4_C) 06289 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) 06290 { 06291 conf->arc4_disabled = arc4; 06292 } 06293 #endif 06294 06295 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06296 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) 06297 { 06298 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 06299 mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06300 { 06301 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06302 } 06303 06304 conf->mfl_code = mfl_code; 06305 06306 return( 0 ); 06307 } 06308 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06309 06310 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 06311 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) 06312 { 06313 conf->trunc_hmac = truncate; 06314 } 06315 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 06316 06317 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06318 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) 06319 { 06320 conf->cbc_record_splitting = split; 06321 } 06322 #endif 06323 06324 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) 06325 { 06326 conf->allow_legacy_renegotiation = allow_legacy; 06327 } 06328 06329 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06330 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) 06331 { 06332 conf->disable_renegotiation = renegotiation; 06333 } 06334 06335 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) 06336 { 06337 conf->renego_max_records = max_records; 06338 } 06339 06340 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, 06341 const unsigned char period[8] ) 06342 { 06343 memcpy( conf->renego_period , period, 8 ); 06344 } 06345 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06346 06347 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 06348 #if defined(MBEDTLS_SSL_CLI_C) 06349 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) 06350 { 06351 conf->session_tickets = use_tickets; 06352 } 06353 #endif 06354 06355 #if defined(MBEDTLS_SSL_SRV_C) 06356 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, 06357 mbedtls_ssl_ticket_write_t *f_ticket_write, 06358 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 06359 void *p_ticket ) 06360 { 06361 conf->f_ticket_write = f_ticket_write; 06362 conf->f_ticket_parse = f_ticket_parse; 06363 conf->p_ticket = p_ticket; 06364 } 06365 #endif 06366 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 06367 06368 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 06369 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, 06370 mbedtls_ssl_export_keys_t *f_export_keys, 06371 void *p_export_keys ) 06372 { 06373 conf->f_export_keys = f_export_keys; 06374 conf->p_export_keys = p_export_keys; 06375 } 06376 #endif 06377 06378 /* 06379 * SSL get accessors 06380 */ 06381 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) 06382 { 06383 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 06384 } 06385 06386 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) 06387 { 06388 if( ssl->session != NULL ) 06389 return( ssl->session->verify_result ); 06390 06391 if( ssl->session_negotiate != NULL ) 06392 return( ssl->session_negotiate->verify_result ); 06393 06394 return( 0xFFFFFFFF ); 06395 } 06396 06397 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) 06398 { 06399 if( ssl == NULL || ssl->session == NULL ) 06400 return( NULL ); 06401 06402 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite ); 06403 } 06404 06405 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) 06406 { 06407 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06408 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06409 { 06410 switch( ssl->minor_ver ) 06411 { 06412 case MBEDTLS_SSL_MINOR_VERSION_2: 06413 return( "DTLSv1.0" ); 06414 06415 case MBEDTLS_SSL_MINOR_VERSION_3: 06416 return( "DTLSv1.2" ); 06417 06418 default: 06419 return( "unknown (DTLS)" ); 06420 } 06421 } 06422 #endif 06423 06424 switch( ssl->minor_ver ) 06425 { 06426 case MBEDTLS_SSL_MINOR_VERSION_0: 06427 return( "SSLv3.0" ); 06428 06429 case MBEDTLS_SSL_MINOR_VERSION_1: 06430 return( "TLSv1.0" ); 06431 06432 case MBEDTLS_SSL_MINOR_VERSION_2: 06433 return( "TLSv1.1" ); 06434 06435 case MBEDTLS_SSL_MINOR_VERSION_3: 06436 return( "TLSv1.2" ); 06437 06438 default: 06439 return( "unknown" ); 06440 } 06441 } 06442 06443 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) 06444 { 06445 size_t transform_expansion; 06446 const mbedtls_ssl_transform *transform = ssl->transform_out; 06447 06448 #if defined(MBEDTLS_ZLIB_SUPPORT) 06449 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) 06450 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 06451 #endif 06452 06453 if( transform == NULL ) 06454 return( (int) mbedtls_ssl_hdr_len( ssl ) ); 06455 06456 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) 06457 { 06458 case MBEDTLS_MODE_GCM: 06459 case MBEDTLS_MODE_CCM: 06460 case MBEDTLS_MODE_STREAM: 06461 transform_expansion = transform->minlen; 06462 break; 06463 06464 case MBEDTLS_MODE_CBC: 06465 transform_expansion = transform->maclen 06466 + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); 06467 break; 06468 06469 default: 06470 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06471 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06472 } 06473 06474 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); 06475 } 06476 06477 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06478 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) 06479 { 06480 size_t max_len; 06481 06482 /* 06483 * Assume mfl_code is correct since it was checked when set 06484 */ 06485 max_len = mfl_code_to_length[ssl->conf->mfl_code]; 06486 06487 /* 06488 * Check if a smaller max length was negotiated 06489 */ 06490 if( ssl->session_out != NULL && 06491 mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) 06492 { 06493 max_len = mfl_code_to_length[ssl->session_out->mfl_code]; 06494 } 06495 06496 return max_len; 06497 } 06498 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06499 06500 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06501 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) 06502 { 06503 if( ssl == NULL || ssl->session == NULL ) 06504 return( NULL ); 06505 06506 return( ssl->session->peer_cert ); 06507 } 06508 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06509 06510 #if defined(MBEDTLS_SSL_CLI_C) 06511 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst ) 06512 { 06513 if( ssl == NULL || 06514 dst == NULL || 06515 ssl->session == NULL || 06516 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 06517 { 06518 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06519 } 06520 06521 return( ssl_session_copy( dst, ssl->session ) ); 06522 } 06523 #endif /* MBEDTLS_SSL_CLI_C */ 06524 06525 /* 06526 * Perform a single step of the SSL handshake 06527 */ 06528 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) 06529 { 06530 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06531 06532 if( ssl == NULL || ssl->conf == NULL ) 06533 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06534 06535 #if defined(MBEDTLS_SSL_CLI_C) 06536 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06537 ret = mbedtls_ssl_handshake_client_step( ssl ); 06538 #endif 06539 #if defined(MBEDTLS_SSL_SRV_C) 06540 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06541 ret = mbedtls_ssl_handshake_server_step( ssl ); 06542 #endif 06543 06544 return( ret ); 06545 } 06546 06547 /* 06548 * Perform the SSL handshake 06549 */ 06550 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) 06551 { 06552 int ret = 0; 06553 06554 if( ssl == NULL || ssl->conf == NULL ) 06555 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06556 06557 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); 06558 06559 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06560 { 06561 ret = mbedtls_ssl_handshake_step( ssl ); 06562 06563 if( ret != 0 ) 06564 break; 06565 } 06566 06567 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) ); 06568 06569 return( ret ); 06570 } 06571 06572 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06573 #if defined(MBEDTLS_SSL_SRV_C) 06574 /* 06575 * Write HelloRequest to request renegotiation on server 06576 */ 06577 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ) 06578 { 06579 int ret; 06580 06581 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); 06582 06583 ssl->out_msglen = 4; 06584 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 06585 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 06586 06587 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06588 { 06589 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06590 return( ret ); 06591 } 06592 06593 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); 06594 06595 return( 0 ); 06596 } 06597 #endif /* MBEDTLS_SSL_SRV_C */ 06598 06599 /* 06600 * Actually renegotiate current connection, triggered by either: 06601 * - any side: calling mbedtls_ssl_renegotiate(), 06602 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 06603 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 06604 * the initial handshake is completed. 06605 * If the handshake doesn't complete due to waiting for I/O, it will continue 06606 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 06607 */ 06608 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) 06609 { 06610 int ret; 06611 06612 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); 06613 06614 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 06615 return( ret ); 06616 06617 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 06618 * the ServerHello will have message_seq = 1" */ 06619 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06620 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06621 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06622 { 06623 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06624 ssl->handshake->out_msg_seq = 1; 06625 else 06626 ssl->handshake->in_msg_seq = 1; 06627 } 06628 #endif 06629 06630 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 06631 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 06632 06633 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06634 { 06635 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06636 return( ret ); 06637 } 06638 06639 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) ); 06640 06641 return( 0 ); 06642 } 06643 06644 /* 06645 * Renegotiate current connection on client, 06646 * or request renegotiation on server 06647 */ 06648 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) 06649 { 06650 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06651 06652 if( ssl == NULL || ssl->conf == NULL ) 06653 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06654 06655 #if defined(MBEDTLS_SSL_SRV_C) 06656 /* On server, just send the request */ 06657 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06658 { 06659 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06660 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06661 06662 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06663 06664 /* Did we already try/start sending HelloRequest? */ 06665 if( ssl->out_left != 0 ) 06666 return( mbedtls_ssl_flush_output( ssl ) ); 06667 06668 return( ssl_write_hello_request( ssl ) ); 06669 } 06670 #endif /* MBEDTLS_SSL_SRV_C */ 06671 06672 #if defined(MBEDTLS_SSL_CLI_C) 06673 /* 06674 * On client, either start the renegotiation process or, 06675 * if already in progress, continue the handshake 06676 */ 06677 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 06678 { 06679 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06680 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06681 06682 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) 06683 { 06684 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06685 return( ret ); 06686 } 06687 } 06688 else 06689 { 06690 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06691 { 06692 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06693 return( ret ); 06694 } 06695 } 06696 #endif /* MBEDTLS_SSL_CLI_C */ 06697 06698 return( ret ); 06699 } 06700 06701 /* 06702 * Check record counters and renegotiate if they're above the limit. 06703 */ 06704 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) 06705 { 06706 size_t ep_len = ssl_ep_len( ssl ); 06707 int in_ctr_cmp; 06708 int out_ctr_cmp; 06709 06710 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || 06711 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || 06712 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) 06713 { 06714 return( 0 ); 06715 } 06716 06717 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, 06718 ssl->conf->renego_period + ep_len, 8 - ep_len ); 06719 out_ctr_cmp = memcmp( ssl->out_ctr + ep_len, 06720 ssl->conf->renego_period + ep_len, 8 - ep_len ); 06721 06722 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 ) 06723 { 06724 return( 0 ); 06725 } 06726 06727 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); 06728 return( mbedtls_ssl_renegotiate( ssl ) ); 06729 } 06730 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06731 06732 /* 06733 * Receive application data decrypted from the SSL layer 06734 */ 06735 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) 06736 { 06737 int ret; 06738 size_t n; 06739 06740 if( ssl == NULL || ssl->conf == NULL ) 06741 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06742 06743 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); 06744 06745 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06746 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06747 { 06748 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06749 return( ret ); 06750 06751 if( ssl->handshake != NULL && 06752 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 06753 { 06754 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 06755 return( ret ); 06756 } 06757 } 06758 #endif 06759 06760 /* 06761 * Check if renegotiation is necessary and/or handshake is 06762 * in process. If yes, perform/continue, and fall through 06763 * if an unexpected packet is received while the client 06764 * is waiting for the ServerHello. 06765 * 06766 * (There is no equivalent to the last condition on 06767 * the server-side as it is not treated as within 06768 * a handshake while waiting for the ClientHello 06769 * after a renegotiation request.) 06770 */ 06771 06772 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06773 ret = ssl_check_ctr_renegotiate( ssl ); 06774 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 06775 ret != 0 ) 06776 { 06777 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06778 return( ret ); 06779 } 06780 #endif 06781 06782 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06783 { 06784 ret = mbedtls_ssl_handshake( ssl ); 06785 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 06786 ret != 0 ) 06787 { 06788 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06789 return( ret ); 06790 } 06791 } 06792 06793 /* 06794 * TODO 06795 * 06796 * The logic should be streamlined here: 06797 * 06798 * Instead of 06799 * 06800 * - Manually checking whether ssl->in_offt is NULL 06801 * - Fetching a new record if yes 06802 * - Setting ssl->in_offt if one finds an application record 06803 * - Resetting keep_current_message after handling the application data 06804 * 06805 * one should 06806 * 06807 * - Adapt read_record to set ssl->in_offt automatically 06808 * when a new application data record is processed. 06809 * - Always call mbedtls_ssl_read_record here. 06810 * 06811 * This way, the logic of ssl_read would be much clearer: 06812 * 06813 * (1) Always call record layer and see what kind of record is on 06814 * and have it ready for consumption (in particular, in_offt 06815 * properly set for application data records). 06816 * (2) If it's application data (either freshly fetched 06817 * or something already being partially processed), 06818 * serve the read request from it. 06819 * (3) If it's something different from application data, 06820 * handle it accordingly, e.g. potentially start a 06821 * renegotiation. 06822 * 06823 * This will also remove the need to manually reset 06824 * ssl->keep_current_message = 0 below. 06825 * 06826 */ 06827 06828 if( ssl->in_offt == NULL ) 06829 { 06830 /* Start timer if not already running */ 06831 if( ssl->f_get_timer != NULL && 06832 ssl->f_get_timer( ssl->p_timer ) == -1 ) 06833 { 06834 ssl_set_timer( ssl, ssl->conf->read_timeout ); 06835 } 06836 06837 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06838 { 06839 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06840 return( 0 ); 06841 06842 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06843 return( ret ); 06844 } 06845 06846 if( ssl->in_msglen == 0 && 06847 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06848 { 06849 /* 06850 * OpenSSL sends empty messages to randomize the IV 06851 */ 06852 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06853 { 06854 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06855 return( 0 ); 06856 06857 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06858 return( ret ); 06859 } 06860 } 06861 06862 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06863 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 06864 { 06865 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); 06866 06867 /* 06868 * - For client-side, expect SERVER_HELLO_REQUEST. 06869 * - For server-side, expect CLIENT_HELLO. 06870 * - Fail (TLS) or silently drop record (DTLS) in other cases. 06871 */ 06872 06873 #if defined(MBEDTLS_SSL_CLI_C) 06874 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 06875 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || 06876 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) 06877 { 06878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); 06879 06880 /* With DTLS, drop the packet (probably from last handshake) */ 06881 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06882 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06883 return( MBEDTLS_ERR_SSL_WANT_READ ); 06884 #endif 06885 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06886 } 06887 #endif /* MBEDTLS_SSL_CLI_C */ 06888 06889 #if defined(MBEDTLS_SSL_SRV_C) 06890 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06891 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 06892 { 06893 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); 06894 06895 /* With DTLS, drop the packet (probably from last handshake) */ 06896 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06897 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06898 return( MBEDTLS_ERR_SSL_WANT_READ ); 06899 #endif 06900 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06901 } 06902 #endif /* MBEDTLS_SSL_SRV_C */ 06903 06904 /* Determine whether renegotiation attempt should be accepted */ 06905 06906 if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || 06907 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 06908 ssl->conf->allow_legacy_renegotiation == 06909 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) 06910 { 06911 /* 06912 * Refuse renegotiation 06913 */ 06914 06915 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); 06916 06917 #if defined(MBEDTLS_SSL_PROTO_SSL3) 06918 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 06919 { 06920 /* SSLv3 does not have a "no_renegotiation" warning, so 06921 we send a fatal alert and abort the connection. */ 06922 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 06923 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 06924 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06925 } 06926 else 06927 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 06928 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 06929 defined(MBEDTLS_SSL_PROTO_TLS1_2) 06930 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 06931 { 06932 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 06933 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 06934 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) 06935 { 06936 return( ret ); 06937 } 06938 } 06939 else 06940 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || 06941 MBEDTLS_SSL_PROTO_TLS1_2 */ 06942 { 06943 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06944 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06945 } 06946 } 06947 else 06948 { 06949 /* 06950 * Accept renegotiation request 06951 */ 06952 06953 /* DTLS clients need to know renego is server-initiated */ 06954 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06955 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06956 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06957 { 06958 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06959 } 06960 #endif 06961 ret = ssl_start_renegotiation( ssl ); 06962 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 06963 ret != 0 ) 06964 { 06965 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06966 return( ret ); 06967 } 06968 } 06969 06970 return( MBEDTLS_ERR_SSL_WANT_READ ); 06971 } 06972 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06973 { 06974 if( ssl->conf->renego_max_records >= 0 ) 06975 { 06976 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) 06977 { 06978 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 06979 "but not honored by client" ) ); 06980 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06981 } 06982 } 06983 } 06984 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06985 06986 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ 06987 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 06988 { 06989 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); 06990 return( MBEDTLS_ERR_SSL_WANT_READ ); 06991 } 06992 06993 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06994 { 06995 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 06996 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06997 } 06998 06999 ssl->in_offt = ssl->in_msg; 07000 07001 /* We're going to return something now, cancel timer, 07002 * except if handshake (renegotiation) is in progress */ 07003 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 07004 ssl_set_timer( ssl, 0 ); 07005 07006 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07007 /* If we requested renego but received AppData, resend HelloRequest. 07008 * Do it now, after setting in_offt, to avoid taking this branch 07009 * again if ssl_write_hello_request() returns WANT_WRITE */ 07010 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 07011 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 07012 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 07013 { 07014 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 07015 { 07016 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 07017 return( ret ); 07018 } 07019 } 07020 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 07021 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 07022 } 07023 07024 n = ( len < ssl->in_msglen ) 07025 ? len : ssl->in_msglen; 07026 07027 memcpy( buf, ssl->in_offt, n ); 07028 ssl->in_msglen -= n; 07029 07030 if( ssl->in_msglen == 0 ) 07031 { 07032 /* all bytes consumed */ 07033 ssl->in_offt = NULL; 07034 ssl->keep_current_message = 0; 07035 } 07036 else 07037 { 07038 /* more data available */ 07039 ssl->in_offt += n; 07040 } 07041 07042 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); 07043 07044 return( (int) n ); 07045 } 07046 07047 /* 07048 * Send application data to be encrypted by the SSL layer, 07049 * taking care of max fragment length and buffer size 07050 */ 07051 static int ssl_write_real( mbedtls_ssl_context *ssl, 07052 const unsigned char *buf, size_t len ) 07053 { 07054 int ret; 07055 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 07056 size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); 07057 07058 if( len > max_len ) 07059 { 07060 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07061 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07062 { 07063 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " 07064 "maximum fragment length: %d > %d", 07065 len, max_len ) ); 07066 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07067 } 07068 else 07069 #endif 07070 len = max_len; 07071 } 07072 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 07073 07074 if( ssl->out_left != 0 ) 07075 { 07076 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 07077 { 07078 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 07079 return( ret ); 07080 } 07081 } 07082 else 07083 { 07084 ssl->out_msglen = len; 07085 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 07086 memcpy( ssl->out_msg, buf, len ); 07087 07088 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 07089 { 07090 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 07091 return( ret ); 07092 } 07093 } 07094 07095 return( (int) len ); 07096 } 07097 07098 /* 07099 * Write application data, doing 1/n-1 splitting if necessary. 07100 * 07101 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, 07102 * then the caller will call us again with the same arguments, so 07103 * remember wether we already did the split or not. 07104 */ 07105 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07106 static int ssl_write_split( mbedtls_ssl_context *ssl, 07107 const unsigned char *buf, size_t len ) 07108 { 07109 int ret; 07110 07111 if( ssl->conf->cbc_record_splitting == 07112 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || 07113 len <= 1 || 07114 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || 07115 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) 07116 != MBEDTLS_MODE_CBC ) 07117 { 07118 return( ssl_write_real( ssl, buf, len ) ); 07119 } 07120 07121 if( ssl->split_done == 0 ) 07122 { 07123 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) 07124 return( ret ); 07125 ssl->split_done = 1; 07126 } 07127 07128 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) 07129 return( ret ); 07130 ssl->split_done = 0; 07131 07132 return( ret + 1 ); 07133 } 07134 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ 07135 07136 /* 07137 * Write application data (public-facing wrapper) 07138 */ 07139 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 07140 { 07141 int ret; 07142 07143 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); 07144 07145 if( ssl == NULL || ssl->conf == NULL ) 07146 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07147 07148 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07149 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 07150 { 07151 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 07152 return( ret ); 07153 } 07154 #endif 07155 07156 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 07157 { 07158 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 07159 { 07160 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 07161 return( ret ); 07162 } 07163 } 07164 07165 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07166 ret = ssl_write_split( ssl, buf, len ); 07167 #else 07168 ret = ssl_write_real( ssl, buf, len ); 07169 #endif 07170 07171 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); 07172 07173 return( ret ); 07174 } 07175 07176 /* 07177 * Notify the peer that the connection is being closed 07178 */ 07179 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) 07180 { 07181 int ret; 07182 07183 if( ssl == NULL || ssl->conf == NULL ) 07184 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07185 07186 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 07187 07188 if( ssl->out_left != 0 ) 07189 return( mbedtls_ssl_flush_output( ssl ) ); 07190 07191 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 07192 { 07193 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 07194 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 07195 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) 07196 { 07197 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); 07198 return( ret ); 07199 } 07200 } 07201 07202 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 07203 07204 return( 0 ); 07205 } 07206 07207 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) 07208 { 07209 if( transform == NULL ) 07210 return; 07211 07212 #if defined(MBEDTLS_ZLIB_SUPPORT) 07213 deflateEnd( &transform->ctx_deflate ); 07214 inflateEnd( &transform->ctx_inflate ); 07215 #endif 07216 07217 mbedtls_cipher_free( &transform->cipher_ctx_enc ); 07218 mbedtls_cipher_free( &transform->cipher_ctx_dec ); 07219 07220 mbedtls_md_free( &transform->md_ctx_enc ); 07221 mbedtls_md_free( &transform->md_ctx_dec ); 07222 07223 mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); 07224 } 07225 07226 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07227 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert ) 07228 { 07229 mbedtls_ssl_key_cert *cur = key_cert, *next; 07230 07231 while( cur != NULL ) 07232 { 07233 next = cur->next; 07234 mbedtls_free( cur ); 07235 cur = next; 07236 } 07237 } 07238 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 07239 07240 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) 07241 { 07242 if( handshake == NULL ) 07243 return; 07244 07245 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 07246 defined(MBEDTLS_SSL_PROTO_TLS1_1) 07247 mbedtls_md5_free( &handshake->fin_md5 ); 07248 mbedtls_sha1_free( &handshake->fin_sha1 ); 07249 #endif 07250 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 07251 #if defined(MBEDTLS_SHA256_C) 07252 mbedtls_sha256_free( &handshake->fin_sha256 ); 07253 #endif 07254 #if defined(MBEDTLS_SHA512_C) 07255 mbedtls_sha512_free( &handshake->fin_sha512 ); 07256 #endif 07257 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 07258 07259 #if defined(MBEDTLS_DHM_C) 07260 mbedtls_dhm_free( &handshake->dhm_ctx ); 07261 #endif 07262 #if defined(MBEDTLS_ECDH_C) 07263 mbedtls_ecdh_free( &handshake->ecdh_ctx ); 07264 #endif 07265 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 07266 mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); 07267 #if defined(MBEDTLS_SSL_CLI_C) 07268 mbedtls_free( handshake->ecjpake_cache ); 07269 handshake->ecjpake_cache = NULL; 07270 handshake->ecjpake_cache_len = 0; 07271 #endif 07272 #endif 07273 07274 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 07275 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 07276 /* explicit void pointer cast for buggy MS compiler */ 07277 mbedtls_free( (void *) handshake->curves ); 07278 #endif 07279 07280 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07281 if( handshake->psk != NULL ) 07282 { 07283 mbedtls_zeroize( handshake->psk, handshake->psk_len ); 07284 mbedtls_free( handshake->psk ); 07285 } 07286 #endif 07287 07288 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 07289 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 07290 /* 07291 * Free only the linked list wrapper, not the keys themselves 07292 * since the belong to the SNI callback 07293 */ 07294 if( handshake->sni_key_cert != NULL ) 07295 { 07296 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next; 07297 07298 while( cur != NULL ) 07299 { 07300 next = cur->next; 07301 mbedtls_free( cur ); 07302 cur = next; 07303 } 07304 } 07305 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 07306 07307 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07308 mbedtls_free( handshake->verify_cookie ); 07309 mbedtls_free( handshake->hs_msg ); 07310 ssl_flight_free( handshake->flight ); 07311 #endif 07312 07313 mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) ); 07314 } 07315 07316 void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) 07317 { 07318 if( session == NULL ) 07319 return; 07320 07321 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07322 if( session->peer_cert != NULL ) 07323 { 07324 mbedtls_x509_crt_free( session->peer_cert ); 07325 mbedtls_free( session->peer_cert ); 07326 } 07327 #endif 07328 07329 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 07330 mbedtls_free( session->ticket ); 07331 #endif 07332 07333 mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) ); 07334 } 07335 07336 /* 07337 * Free an SSL context 07338 */ 07339 void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) 07340 { 07341 if( ssl == NULL ) 07342 return; 07343 07344 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) ); 07345 07346 if( ssl->out_buf != NULL ) 07347 { 07348 mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN ); 07349 mbedtls_free( ssl->out_buf ); 07350 } 07351 07352 if( ssl->in_buf != NULL ) 07353 { 07354 mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN ); 07355 mbedtls_free( ssl->in_buf ); 07356 } 07357 07358 #if defined(MBEDTLS_ZLIB_SUPPORT) 07359 if( ssl->compress_buf != NULL ) 07360 { 07361 mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN ); 07362 mbedtls_free( ssl->compress_buf ); 07363 } 07364 #endif 07365 07366 if( ssl->transform ) 07367 { 07368 mbedtls_ssl_transform_free( ssl->transform ); 07369 mbedtls_free( ssl->transform ); 07370 } 07371 07372 if( ssl->handshake ) 07373 { 07374 mbedtls_ssl_handshake_free( ssl->handshake ); 07375 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 07376 mbedtls_ssl_session_free( ssl->session_negotiate ); 07377 07378 mbedtls_free( ssl->handshake ); 07379 mbedtls_free( ssl->transform_negotiate ); 07380 mbedtls_free( ssl->session_negotiate ); 07381 } 07382 07383 if( ssl->session ) 07384 { 07385 mbedtls_ssl_session_free( ssl->session ); 07386 mbedtls_free( ssl->session ); 07387 } 07388 07389 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07390 if( ssl->hostname != NULL ) 07391 { 07392 mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 07393 mbedtls_free( ssl->hostname ); 07394 } 07395 #endif 07396 07397 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 07398 if( mbedtls_ssl_hw_record_finish != NULL ) 07399 { 07400 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) ); 07401 mbedtls_ssl_hw_record_finish( ssl ); 07402 } 07403 #endif 07404 07405 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07406 mbedtls_free( ssl->cli_id ); 07407 #endif 07408 07409 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); 07410 07411 /* Actually clear after last debug message */ 07412 mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) ); 07413 } 07414 07415 /* 07416 * Initialze mbedtls_ssl_config 07417 */ 07418 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) 07419 { 07420 memset( conf, 0, sizeof( mbedtls_ssl_config ) ); 07421 } 07422 07423 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07424 static int ssl_preset_default_hashes[] = { 07425 #if defined(MBEDTLS_SHA512_C) 07426 MBEDTLS_MD_SHA512, 07427 MBEDTLS_MD_SHA384, 07428 #endif 07429 #if defined(MBEDTLS_SHA256_C) 07430 MBEDTLS_MD_SHA256, 07431 MBEDTLS_MD_SHA224, 07432 #endif 07433 #if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE) 07434 MBEDTLS_MD_SHA1, 07435 #endif 07436 MBEDTLS_MD_NONE 07437 }; 07438 #endif 07439 07440 static int ssl_preset_suiteb_ciphersuites[] = { 07441 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 07442 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 07443 0 07444 }; 07445 07446 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07447 static int ssl_preset_suiteb_hashes[] = { 07448 MBEDTLS_MD_SHA256, 07449 MBEDTLS_MD_SHA384, 07450 MBEDTLS_MD_NONE 07451 }; 07452 #endif 07453 07454 #if defined(MBEDTLS_ECP_C) 07455 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { 07456 MBEDTLS_ECP_DP_SECP256R1 , 07457 MBEDTLS_ECP_DP_SECP384R1 , 07458 MBEDTLS_ECP_DP_NONE 07459 }; 07460 #endif 07461 07462 /* 07463 * Load default in mbedtls_ssl_config 07464 */ 07465 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, 07466 int endpoint, int transport, int preset ) 07467 { 07468 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07469 int ret; 07470 #endif 07471 07472 /* Use the functions here so that they are covered in tests, 07473 * but otherwise access member directly for efficiency */ 07474 mbedtls_ssl_conf_endpoint( conf, endpoint ); 07475 mbedtls_ssl_conf_transport( conf, transport ); 07476 07477 /* 07478 * Things that are common to all presets 07479 */ 07480 #if defined(MBEDTLS_SSL_CLI_C) 07481 if( endpoint == MBEDTLS_SSL_IS_CLIENT ) 07482 { 07483 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 07484 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 07485 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 07486 #endif 07487 } 07488 #endif 07489 07490 #if defined(MBEDTLS_ARC4_C) 07491 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; 07492 #endif 07493 07494 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 07495 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 07496 #endif 07497 07498 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 07499 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 07500 #endif 07501 07502 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07503 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; 07504 #endif 07505 07506 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07507 conf->f_cookie_write = ssl_cookie_write_dummy; 07508 conf->f_cookie_check = ssl_cookie_check_dummy; 07509 #endif 07510 07511 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 07512 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 07513 #endif 07514 07515 #if defined(MBEDTLS_SSL_SRV_C) 07516 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; 07517 #endif 07518 07519 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07520 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 07521 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 07522 #endif 07523 07524 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07525 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 07526 memset( conf->renego_period , 0x00, 2 ); 07527 memset( conf->renego_period + 2, 0xFF, 6 ); 07528 #endif 07529 07530 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07531 if( endpoint == MBEDTLS_SSL_IS_SERVER ) 07532 { 07533 if( ( ret = mbedtls_ssl_conf_dh_param( conf, 07534 MBEDTLS_DHM_RFC5114_MODP_2048_P, 07535 MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) 07536 { 07537 return( ret ); 07538 } 07539 } 07540 #endif 07541 07542 /* 07543 * Preset-specific defaults 07544 */ 07545 switch( preset ) 07546 { 07547 /* 07548 * NSA Suite B 07549 */ 07550 case MBEDTLS_SSL_PRESET_SUITEB: 07551 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07552 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */ 07553 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07554 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07555 07556 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07557 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07558 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07559 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07560 ssl_preset_suiteb_ciphersuites; 07561 07562 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07563 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 07564 #endif 07565 07566 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07567 conf->sig_hashes = ssl_preset_suiteb_hashes; 07568 #endif 07569 07570 #if defined(MBEDTLS_ECP_C) 07571 conf->curve_list = ssl_preset_suiteb_curves; 07572 #endif 07573 break; 07574 07575 /* 07576 * Default 07577 */ 07578 default: 07579 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07580 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ 07581 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07582 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07583 07584 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07585 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07586 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; 07587 #endif 07588 07589 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07590 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07591 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07592 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07593 mbedtls_ssl_list_ciphersuites(); 07594 07595 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07596 conf->cert_profile = &mbedtls_x509_crt_profile_default; 07597 #endif 07598 07599 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07600 conf->sig_hashes = ssl_preset_default_hashes; 07601 #endif 07602 07603 #if defined(MBEDTLS_ECP_C) 07604 conf->curve_list = mbedtls_ecp_grp_id_list(); 07605 #endif 07606 07607 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 07608 conf->dhm_min_bitlen = 1024; 07609 #endif 07610 } 07611 07612 return( 0 ); 07613 } 07614 07615 /* 07616 * Free mbedtls_ssl_config 07617 */ 07618 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) 07619 { 07620 #if defined(MBEDTLS_DHM_C) 07621 mbedtls_mpi_free( &conf->dhm_P ); 07622 mbedtls_mpi_free( &conf->dhm_G ); 07623 #endif 07624 07625 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07626 if( conf->psk != NULL ) 07627 { 07628 mbedtls_zeroize( conf->psk , conf->psk_len ); 07629 mbedtls_zeroize( conf->psk_identity , conf->psk_identity_len ); 07630 mbedtls_free( conf->psk ); 07631 mbedtls_free( conf->psk_identity ); 07632 conf->psk_len = 0; 07633 conf->psk_identity_len = 0; 07634 } 07635 #endif 07636 07637 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07638 ssl_key_cert_free( conf->key_cert ); 07639 #endif 07640 07641 mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) ); 07642 } 07643 07644 #if defined(MBEDTLS_PK_C) && \ 07645 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) ) 07646 /* 07647 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 07648 */ 07649 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ) 07650 { 07651 #if defined(MBEDTLS_RSA_C) 07652 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) ) 07653 return( MBEDTLS_SSL_SIG_RSA ); 07654 #endif 07655 #if defined(MBEDTLS_ECDSA_C) 07656 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) ) 07657 return( MBEDTLS_SSL_SIG_ECDSA ); 07658 #endif 07659 return( MBEDTLS_SSL_SIG_ANON ); 07660 } 07661 07662 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type ) 07663 { 07664 switch( type ) { 07665 case MBEDTLS_PK_RSA: 07666 return( MBEDTLS_SSL_SIG_RSA ); 07667 case MBEDTLS_PK_ECDSA: 07668 case MBEDTLS_PK_ECKEY: 07669 return( MBEDTLS_SSL_SIG_ECDSA ); 07670 default: 07671 return( MBEDTLS_SSL_SIG_ANON ); 07672 } 07673 } 07674 07675 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ) 07676 { 07677 switch( sig ) 07678 { 07679 #if defined(MBEDTLS_RSA_C) 07680 case MBEDTLS_SSL_SIG_RSA: 07681 return( MBEDTLS_PK_RSA ); 07682 #endif 07683 #if defined(MBEDTLS_ECDSA_C) 07684 case MBEDTLS_SSL_SIG_ECDSA: 07685 return( MBEDTLS_PK_ECDSA ); 07686 #endif 07687 default: 07688 return( MBEDTLS_PK_NONE ); 07689 } 07690 } 07691 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ 07692 07693 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 07694 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07695 07696 /* Find an entry in a signature-hash set matching a given hash algorithm. */ 07697 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set, 07698 mbedtls_pk_type_t sig_alg ) 07699 { 07700 switch( sig_alg ) 07701 { 07702 case MBEDTLS_PK_RSA: 07703 return( set->rsa ); 07704 case MBEDTLS_PK_ECDSA: 07705 return( set->ecdsa ); 07706 default: 07707 return( MBEDTLS_MD_NONE ); 07708 } 07709 } 07710 07711 /* Add a signature-hash-pair to a signature-hash set */ 07712 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set, 07713 mbedtls_pk_type_t sig_alg, 07714 mbedtls_md_type_t md_alg ) 07715 { 07716 switch( sig_alg ) 07717 { 07718 case MBEDTLS_PK_RSA: 07719 if( set->rsa == MBEDTLS_MD_NONE ) 07720 set->rsa = md_alg; 07721 break; 07722 07723 case MBEDTLS_PK_ECDSA: 07724 if( set->ecdsa == MBEDTLS_MD_NONE ) 07725 set->ecdsa = md_alg; 07726 break; 07727 07728 default: 07729 break; 07730 } 07731 } 07732 07733 /* Allow exactly one hash algorithm for each signature. */ 07734 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set, 07735 mbedtls_md_type_t md_alg ) 07736 { 07737 set->rsa = md_alg; 07738 set->ecdsa = md_alg; 07739 } 07740 07741 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) && 07742 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07743 07744 /* 07745 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 07746 */ 07747 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) 07748 { 07749 switch( hash ) 07750 { 07751 #if defined(MBEDTLS_MD5_C) 07752 case MBEDTLS_SSL_HASH_MD5: 07753 return( MBEDTLS_MD_MD5 ); 07754 #endif 07755 #if defined(MBEDTLS_SHA1_C) 07756 case MBEDTLS_SSL_HASH_SHA1: 07757 return( MBEDTLS_MD_SHA1 ); 07758 #endif 07759 #if defined(MBEDTLS_SHA256_C) 07760 case MBEDTLS_SSL_HASH_SHA224: 07761 return( MBEDTLS_MD_SHA224 ); 07762 case MBEDTLS_SSL_HASH_SHA256: 07763 return( MBEDTLS_MD_SHA256 ); 07764 #endif 07765 #if defined(MBEDTLS_SHA512_C) 07766 case MBEDTLS_SSL_HASH_SHA384: 07767 return( MBEDTLS_MD_SHA384 ); 07768 case MBEDTLS_SSL_HASH_SHA512: 07769 return( MBEDTLS_MD_SHA512 ); 07770 #endif 07771 default: 07772 return( MBEDTLS_MD_NONE ); 07773 } 07774 } 07775 07776 /* 07777 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 07778 */ 07779 unsigned char mbedtls_ssl_hash_from_md_alg( int md ) 07780 { 07781 switch( md ) 07782 { 07783 #if defined(MBEDTLS_MD5_C) 07784 case MBEDTLS_MD_MD5: 07785 return( MBEDTLS_SSL_HASH_MD5 ); 07786 #endif 07787 #if defined(MBEDTLS_SHA1_C) 07788 case MBEDTLS_MD_SHA1: 07789 return( MBEDTLS_SSL_HASH_SHA1 ); 07790 #endif 07791 #if defined(MBEDTLS_SHA256_C) 07792 case MBEDTLS_MD_SHA224: 07793 return( MBEDTLS_SSL_HASH_SHA224 ); 07794 case MBEDTLS_MD_SHA256: 07795 return( MBEDTLS_SSL_HASH_SHA256 ); 07796 #endif 07797 #if defined(MBEDTLS_SHA512_C) 07798 case MBEDTLS_MD_SHA384: 07799 return( MBEDTLS_SSL_HASH_SHA384 ); 07800 case MBEDTLS_MD_SHA512: 07801 return( MBEDTLS_SSL_HASH_SHA512 ); 07802 #endif 07803 default: 07804 return( MBEDTLS_SSL_HASH_NONE ); 07805 } 07806 } 07807 07808 #if defined(MBEDTLS_ECP_C) 07809 /* 07810 * Check if a curve proposed by the peer is in our list. 07811 * Return 0 if we're willing to use it, -1 otherwise. 07812 */ 07813 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) 07814 { 07815 const mbedtls_ecp_group_id *gid; 07816 07817 if( ssl->conf->curve_list == NULL ) 07818 return( -1 ); 07819 07820 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 07821 if( *gid == grp_id ) 07822 return( 0 ); 07823 07824 return( -1 ); 07825 } 07826 #endif /* MBEDTLS_ECP_C */ 07827 07828 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07829 /* 07830 * Check if a hash proposed by the peer is in our list. 07831 * Return 0 if we're willing to use it, -1 otherwise. 07832 */ 07833 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, 07834 mbedtls_md_type_t md ) 07835 { 07836 const int *cur; 07837 07838 if( ssl->conf->sig_hashes == NULL ) 07839 return( -1 ); 07840 07841 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 07842 if( *cur == (int) md ) 07843 return( 0 ); 07844 07845 return( -1 ); 07846 } 07847 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07848 07849 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07850 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, 07851 const mbedtls_ssl_ciphersuite_t *ciphersuite, 07852 int cert_endpoint, 07853 uint32_t *flags ) 07854 { 07855 int ret = 0; 07856 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07857 int usage = 0; 07858 #endif 07859 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07860 const char *ext_oid; 07861 size_t ext_len; 07862 #endif 07863 07864 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \ 07865 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07866 ((void) cert); 07867 ((void) cert_endpoint); 07868 ((void) flags); 07869 #endif 07870 07871 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07872 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07873 { 07874 /* Server part of the key exchange */ 07875 switch( ciphersuite->key_exchange ) 07876 { 07877 case MBEDTLS_KEY_EXCHANGE_RSA: 07878 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 07879 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 07880 break; 07881 07882 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 07883 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 07884 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 07885 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07886 break; 07887 07888 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 07889 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 07890 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 07891 break; 07892 07893 /* Don't use default: we want warnings when adding new values */ 07894 case MBEDTLS_KEY_EXCHANGE_NONE: 07895 case MBEDTLS_KEY_EXCHANGE_PSK: 07896 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 07897 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 07898 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 07899 usage = 0; 07900 } 07901 } 07902 else 07903 { 07904 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 07905 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07906 } 07907 07908 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 ) 07909 { 07910 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 07911 ret = -1; 07912 } 07913 #else 07914 ((void) ciphersuite); 07915 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ 07916 07917 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07918 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07919 { 07920 ext_oid = MBEDTLS_OID_SERVER_AUTH; 07921 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ); 07922 } 07923 else 07924 { 07925 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 07926 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH ); 07927 } 07928 07929 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 ) 07930 { 07931 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 07932 ret = -1; 07933 } 07934 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 07935 07936 return( ret ); 07937 } 07938 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 07939 07940 /* 07941 * Convert version numbers to/from wire format 07942 * and, for DTLS, to/from TLS equivalent. 07943 * 07944 * For TLS this is the identity. 07945 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows: 07946 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) 07947 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) 07948 */ 07949 void mbedtls_ssl_write_version( int major, int minor, int transport, 07950 unsigned char ver[2] ) 07951 { 07952 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07953 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07954 { 07955 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) 07956 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07957 07958 ver[0] = (unsigned char)( 255 - ( major - 2 ) ); 07959 ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); 07960 } 07961 else 07962 #else 07963 ((void) transport); 07964 #endif 07965 { 07966 ver[0] = (unsigned char) major; 07967 ver[1] = (unsigned char) minor; 07968 } 07969 } 07970 07971 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 07972 const unsigned char ver[2] ) 07973 { 07974 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07975 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07976 { 07977 *major = 255 - ver[0] + 2; 07978 *minor = 255 - ver[1] + 1; 07979 07980 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) 07981 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 07982 } 07983 else 07984 #else 07985 ((void) transport); 07986 #endif 07987 { 07988 *major = ver[0]; 07989 *minor = ver[1]; 07990 } 07991 } 07992 07993 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) 07994 { 07995 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 07996 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 07997 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 07998 07999 switch( md ) 08000 { 08001 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 08002 #if defined(MBEDTLS_MD5_C) 08003 case MBEDTLS_SSL_HASH_MD5: 08004 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08005 #endif 08006 #if defined(MBEDTLS_SHA1_C) 08007 case MBEDTLS_SSL_HASH_SHA1: 08008 ssl->handshake->calc_verify = ssl_calc_verify_tls; 08009 break; 08010 #endif 08011 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 08012 #if defined(MBEDTLS_SHA512_C) 08013 case MBEDTLS_SSL_HASH_SHA384: 08014 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 08015 break; 08016 #endif 08017 #if defined(MBEDTLS_SHA256_C) 08018 case MBEDTLS_SSL_HASH_SHA256: 08019 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; 08020 break; 08021 #endif 08022 default: 08023 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08024 } 08025 08026 return 0; 08027 #else /* !MBEDTLS_SSL_PROTO_TLS1_2 */ 08028 (void) ssl; 08029 (void) md; 08030 08031 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08032 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 08033 } 08034 08035 #endif /* MBEDTLS_SSL_TLS_C */
Generated on Tue Jul 12 2022 17:25:43 by
1.7.2