BA
/
BaBoRo1
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_SRV_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #if defined(MBEDTLS_ECP_C) 00045 #include "mbedtls/ecp.h" 00046 #endif 00047 00048 #if defined(MBEDTLS_HAVE_TIME) 00049 #include "mbedtls/platform_time.h" 00050 #endif 00051 00052 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00053 /* Implementation that should never be optimized out by the compiler */ 00054 static void mbedtls_zeroize( void *v, size_t n ) { 00055 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00056 } 00057 #endif 00058 00059 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 00060 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, 00061 const unsigned char *info, 00062 size_t ilen ) 00063 { 00064 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) 00065 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00066 00067 mbedtls_free( ssl->cli_id ); 00068 00069 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) 00070 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00071 00072 memcpy( ssl->cli_id, info, ilen ); 00073 ssl->cli_id_len = ilen; 00074 00075 return( 0 ); 00076 } 00077 00078 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, 00079 mbedtls_ssl_cookie_write_t *f_cookie_write, 00080 mbedtls_ssl_cookie_check_t *f_cookie_check, 00081 void *p_cookie ) 00082 { 00083 conf->f_cookie_write = f_cookie_write; 00084 conf->f_cookie_check = f_cookie_check; 00085 conf->p_cookie = p_cookie; 00086 } 00087 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 00088 00089 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00090 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, 00091 const unsigned char *buf, 00092 size_t len ) 00093 { 00094 int ret; 00095 size_t servername_list_size, hostname_len; 00096 const unsigned char *p; 00097 00098 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00099 00100 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00101 if( servername_list_size + 2 != len ) 00102 { 00103 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00104 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00105 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00106 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00107 } 00108 00109 p = buf + 2; 00110 while( servername_list_size > 0 ) 00111 { 00112 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00113 if( hostname_len + 3 > servername_list_size ) 00114 { 00115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00116 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00117 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00118 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00119 } 00120 00121 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) 00122 { 00123 ret = ssl->conf->f_sni( ssl->conf->p_sni, 00124 ssl, p + 3, hostname_len ); 00125 if( ret != 0 ) 00126 { 00127 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00128 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00129 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00130 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00131 } 00132 return( 0 ); 00133 } 00134 00135 servername_list_size -= hostname_len + 3; 00136 p += hostname_len + 3; 00137 } 00138 00139 if( servername_list_size != 0 ) 00140 { 00141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00142 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00143 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00144 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00145 } 00146 00147 return( 0 ); 00148 } 00149 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00150 00151 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 00152 const unsigned char *buf, 00153 size_t len ) 00154 { 00155 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00156 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00157 { 00158 /* Check verify-data in constant-time. The length OTOH is no secret */ 00159 if( len != 1 + ssl->verify_data_len || 00160 buf[0] != ssl->verify_data_len || 00161 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, 00162 ssl->verify_data_len ) != 0 ) 00163 { 00164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00165 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00166 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00167 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00168 } 00169 } 00170 else 00171 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00172 { 00173 if( len != 1 || buf[0] != 0x0 ) 00174 { 00175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00176 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00177 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00178 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00179 } 00180 00181 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 00182 } 00183 00184 return( 0 ); 00185 } 00186 00187 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00188 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00189 00190 /* 00191 * Status of the implementation of signature-algorithms extension: 00192 * 00193 * Currently, we are only considering the signature-algorithm extension 00194 * to pick a ciphersuite which allows us to send the ServerKeyExchange 00195 * message with a signature-hash combination that the user allows. 00196 * 00197 * We do *not* check whether all certificates in our certificate 00198 * chain are signed with an allowed signature-hash pair. 00199 * This needs to be done at a later stage. 00200 * 00201 */ 00202 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00203 const unsigned char *buf, 00204 size_t len ) 00205 { 00206 size_t sig_alg_list_size; 00207 00208 const unsigned char *p; 00209 const unsigned char *end = buf + len; 00210 00211 mbedtls_md_type_t md_cur; 00212 mbedtls_pk_type_t sig_cur; 00213 00214 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00215 if( sig_alg_list_size + 2 != len || 00216 sig_alg_list_size % 2 != 0 ) 00217 { 00218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00219 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00220 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00221 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00222 } 00223 00224 /* Currently we only guarantee signing the ServerKeyExchange message according 00225 * to the constraints specified in this extension (see above), so it suffices 00226 * to remember only one suitable hash for each possible signature algorithm. 00227 * 00228 * This will change when we also consider certificate signatures, 00229 * in which case we will need to remember the whole signature-hash 00230 * pair list from the extension. 00231 */ 00232 00233 for( p = buf + 2; p < end; p += 2 ) 00234 { 00235 /* Silently ignore unknown signature or hash algorithms. */ 00236 00237 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE ) 00238 { 00239 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext" 00240 " unknown sig alg encoding %d", p[1] ) ); 00241 continue; 00242 } 00243 00244 /* Check if we support the hash the user proposes */ 00245 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] ); 00246 if( md_cur == MBEDTLS_MD_NONE ) 00247 { 00248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00249 " unknown hash alg encoding %d", p[0] ) ); 00250 continue; 00251 } 00252 00253 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 ) 00254 { 00255 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur ); 00256 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00257 " match sig %d and hash %d", 00258 sig_cur, md_cur ) ); 00259 } 00260 else 00261 { 00262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: " 00263 "hash alg %d not supported", md_cur ) ); 00264 } 00265 } 00266 00267 return( 0 ); 00268 } 00269 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00270 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00271 00272 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00273 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00274 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, 00275 const unsigned char *buf, 00276 size_t len ) 00277 { 00278 size_t list_size, our_size; 00279 const unsigned char *p; 00280 const mbedtls_ecp_curve_info *curve_info, **curves; 00281 00282 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00283 if( list_size + 2 != len || 00284 list_size % 2 != 0 ) 00285 { 00286 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00287 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00288 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00289 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00290 } 00291 00292 /* Should never happen unless client duplicates the extension */ 00293 if( ssl->handshake->curves != NULL ) 00294 { 00295 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00296 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00297 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00298 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00299 } 00300 00301 /* Don't allow our peer to make us allocate too much memory, 00302 * and leave room for a final 0 */ 00303 our_size = list_size / 2 + 1; 00304 if( our_size > MBEDTLS_ECP_DP_MAX ) 00305 our_size = MBEDTLS_ECP_DP_MAX; 00306 00307 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) 00308 { 00309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00310 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 00311 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00312 } 00313 00314 ssl->handshake->curves = curves; 00315 00316 p = buf + 2; 00317 while( list_size > 0 && our_size > 1 ) 00318 { 00319 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00320 00321 if( curve_info != NULL ) 00322 { 00323 *curves++ = curve_info; 00324 our_size--; 00325 } 00326 00327 list_size -= 2; 00328 p += 2; 00329 } 00330 00331 return( 0 ); 00332 } 00333 00334 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, 00335 const unsigned char *buf, 00336 size_t len ) 00337 { 00338 size_t list_size; 00339 const unsigned char *p; 00340 00341 list_size = buf[0]; 00342 if( list_size + 1 != len ) 00343 { 00344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00345 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00346 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00347 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00348 } 00349 00350 p = buf + 1; 00351 while( list_size > 0 ) 00352 { 00353 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 00354 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 00355 { 00356 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00357 ssl->handshake->ecdh_ctx.point_format = p[0]; 00358 #endif 00359 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00360 ssl->handshake->ecjpake_ctx.point_format = p[0]; 00361 #endif 00362 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00363 return( 0 ); 00364 } 00365 00366 list_size--; 00367 p++; 00368 } 00369 00370 return( 0 ); 00371 } 00372 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00373 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00374 00375 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00376 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 00377 const unsigned char *buf, 00378 size_t len ) 00379 { 00380 int ret; 00381 00382 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00383 { 00384 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 00385 return( 0 ); 00386 } 00387 00388 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 00389 buf, len ) ) != 0 ) 00390 { 00391 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 00392 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00393 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00394 return( ret ); 00395 } 00396 00397 /* Only mark the extension as OK when we're sure it is */ 00398 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 00399 00400 return( 0 ); 00401 } 00402 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00403 00404 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00405 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00406 const unsigned char *buf, 00407 size_t len ) 00408 { 00409 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) 00410 { 00411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00412 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00413 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00414 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00415 } 00416 00417 ssl->session_negotiate->mfl_code = buf[0]; 00418 00419 return( 0 ); 00420 } 00421 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00422 00423 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00424 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00425 const unsigned char *buf, 00426 size_t len ) 00427 { 00428 if( len != 0 ) 00429 { 00430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00431 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00432 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00433 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00434 } 00435 00436 ((void) buf); 00437 00438 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00439 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 00440 00441 return( 0 ); 00442 } 00443 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00444 00445 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00446 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00447 const unsigned char *buf, 00448 size_t len ) 00449 { 00450 if( len != 0 ) 00451 { 00452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00453 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00454 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00455 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00456 } 00457 00458 ((void) buf); 00459 00460 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 00461 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00462 { 00463 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 00464 } 00465 00466 return( 0 ); 00467 } 00468 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00469 00470 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00471 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 00472 const unsigned char *buf, 00473 size_t len ) 00474 { 00475 if( len != 0 ) 00476 { 00477 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00478 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00479 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00480 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00481 } 00482 00483 ((void) buf); 00484 00485 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && 00486 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00487 { 00488 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 00489 } 00490 00491 return( 0 ); 00492 } 00493 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00494 00495 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00496 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 00497 unsigned char *buf, 00498 size_t len ) 00499 { 00500 int ret; 00501 mbedtls_ssl_session session; 00502 00503 mbedtls_ssl_session_init( &session ); 00504 00505 if( ssl->conf->f_ticket_parse == NULL || 00506 ssl->conf->f_ticket_write == NULL ) 00507 { 00508 return( 0 ); 00509 } 00510 00511 /* Remember the client asked us to send a new ticket */ 00512 ssl->handshake->new_session_ticket = 1; 00513 00514 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00515 00516 if( len == 0 ) 00517 return( 0 ); 00518 00519 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00520 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00521 { 00522 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00523 return( 0 ); 00524 } 00525 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00526 00527 /* 00528 * Failures are ok: just ignore the ticket and proceed. 00529 */ 00530 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, 00531 buf, len ) ) != 0 ) 00532 { 00533 mbedtls_ssl_session_free( &session ); 00534 00535 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 00536 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); 00537 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) 00538 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); 00539 else 00540 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); 00541 00542 return( 0 ); 00543 } 00544 00545 /* 00546 * Keep the session ID sent by the client, since we MUST send it back to 00547 * inform them we're accepting the ticket (RFC 5077 section 3.4) 00548 */ 00549 session.id_len = ssl->session_negotiate->id_len; 00550 memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); 00551 00552 mbedtls_ssl_session_free( ssl->session_negotiate ); 00553 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); 00554 00555 /* Zeroize instead of free as we copied the content */ 00556 mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) ); 00557 00558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00559 00560 ssl->handshake->resume = 1; 00561 00562 /* Don't send a new ticket after all, this one is OK */ 00563 ssl->handshake->new_session_ticket = 0; 00564 00565 return( 0 ); 00566 } 00567 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00568 00569 #if defined(MBEDTLS_SSL_ALPN) 00570 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 00571 const unsigned char *buf, size_t len ) 00572 { 00573 size_t list_len, cur_len, ours_len; 00574 const unsigned char *theirs, *start, *end; 00575 const char **ours; 00576 00577 /* If ALPN not configured, just ignore the extension */ 00578 if( ssl->conf->alpn_list == NULL ) 00579 return( 0 ); 00580 00581 /* 00582 * opaque ProtocolName<1..2^8-1>; 00583 * 00584 * struct { 00585 * ProtocolName protocol_name_list<2..2^16-1> 00586 * } ProtocolNameList; 00587 */ 00588 00589 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00590 if( len < 4 ) 00591 { 00592 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00593 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00594 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00595 } 00596 00597 list_len = ( buf[0] << 8 ) | buf[1]; 00598 if( list_len != len - 2 ) 00599 { 00600 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00601 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00602 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00603 } 00604 00605 /* 00606 * Validate peer's list (lengths) 00607 */ 00608 start = buf + 2; 00609 end = buf + len; 00610 for( theirs = start; theirs != end; theirs += cur_len ) 00611 { 00612 cur_len = *theirs++; 00613 00614 /* Current identifier must fit in list */ 00615 if( cur_len > (size_t)( end - theirs ) ) 00616 { 00617 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00618 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00619 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00620 } 00621 00622 /* Empty strings MUST NOT be included */ 00623 if( cur_len == 0 ) 00624 { 00625 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00626 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00627 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00628 } 00629 } 00630 00631 /* 00632 * Use our order of preference 00633 */ 00634 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) 00635 { 00636 ours_len = strlen( *ours ); 00637 for( theirs = start; theirs != end; theirs += cur_len ) 00638 { 00639 cur_len = *theirs++; 00640 00641 if( cur_len == ours_len && 00642 memcmp( theirs, *ours, cur_len ) == 0 ) 00643 { 00644 ssl->alpn_chosen = *ours; 00645 return( 0 ); 00646 } 00647 } 00648 } 00649 00650 /* If we get there, no match was found */ 00651 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00652 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00653 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00654 } 00655 #endif /* MBEDTLS_SSL_ALPN */ 00656 00657 /* 00658 * Auxiliary functions for ServerHello parsing and related actions 00659 */ 00660 00661 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00662 /* 00663 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 00664 */ 00665 #if defined(MBEDTLS_ECDSA_C) 00666 static int ssl_check_key_curve( mbedtls_pk_context *pk, 00667 const mbedtls_ecp_curve_info **curves ) 00668 { 00669 const mbedtls_ecp_curve_info **crv = curves; 00670 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ; 00671 00672 while( *crv != NULL ) 00673 { 00674 if( (*crv)->grp_id == grp_id ) 00675 return( 0 ); 00676 crv++; 00677 } 00678 00679 return( -1 ); 00680 } 00681 #endif /* MBEDTLS_ECDSA_C */ 00682 00683 /* 00684 * Try picking a certificate for this ciphersuite, 00685 * return 0 on success and -1 on failure. 00686 */ 00687 static int ssl_pick_cert( mbedtls_ssl_context *ssl, 00688 const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) 00689 { 00690 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; 00691 mbedtls_pk_type_t pk_alg = 00692 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00693 uint32_t flags; 00694 00695 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00696 if( ssl->handshake->sni_key_cert != NULL ) 00697 list = ssl->handshake->sni_key_cert; 00698 else 00699 #endif 00700 list = ssl->conf->key_cert; 00701 00702 if( pk_alg == MBEDTLS_PK_NONE ) 00703 return( 0 ); 00704 00705 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); 00706 00707 if( list == NULL ) 00708 { 00709 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); 00710 return( -1 ); 00711 } 00712 00713 for( cur = list; cur != NULL; cur = cur->next ) 00714 { 00715 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", 00716 cur->cert ); 00717 00718 if( ! mbedtls_pk_can_do( cur->key, pk_alg ) ) 00719 { 00720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); 00721 continue; 00722 } 00723 00724 /* 00725 * This avoids sending the client a cert it'll reject based on 00726 * keyUsage or other extensions. 00727 * 00728 * It also allows the user to provision different certificates for 00729 * different uses based on keyUsage, eg if they want to avoid signing 00730 * and decrypting with the same RSA key. 00731 */ 00732 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, 00733 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) 00734 { 00735 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " 00736 "(extended) key usage extension" ) ); 00737 continue; 00738 } 00739 00740 #if defined(MBEDTLS_ECDSA_C) 00741 if( pk_alg == MBEDTLS_PK_ECDSA && 00742 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) 00743 { 00744 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); 00745 continue; 00746 } 00747 #endif 00748 00749 /* 00750 * Try to select a SHA-1 certificate for pre-1.2 clients, but still 00751 * present them a SHA-higher cert rather than failing if it's the only 00752 * one we got that satisfies the other conditions. 00753 */ 00754 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && 00755 cur->cert->sig_md != MBEDTLS_MD_SHA1 ) 00756 { 00757 if( fallback == NULL ) 00758 fallback = cur; 00759 { 00760 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " 00761 "sha-2 with pre-TLS 1.2 client" ) ); 00762 continue; 00763 } 00764 } 00765 00766 /* If we get there, we got a winner */ 00767 break; 00768 } 00769 00770 if( cur == NULL ) 00771 cur = fallback; 00772 00773 /* Do not update ssl->handshake->key_cert unless there is a match */ 00774 if( cur != NULL ) 00775 { 00776 ssl->handshake->key_cert = cur; 00777 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", 00778 ssl->handshake->key_cert->cert ); 00779 return( 0 ); 00780 } 00781 00782 return( -1 ); 00783 } 00784 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00785 00786 /* 00787 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00788 * Sets ciphersuite_info only if the suite matches. 00789 */ 00790 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, 00791 const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) 00792 { 00793 const mbedtls_ssl_ciphersuite_t *suite_info; 00794 00795 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00796 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00797 mbedtls_pk_type_t sig_type; 00798 #endif 00799 00800 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); 00801 if( suite_info == NULL ) 00802 { 00803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00804 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00805 } 00806 00807 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); 00808 00809 if( suite_info->min_minor_ver > ssl->minor_ver || 00810 suite_info->max_minor_ver < ssl->minor_ver ) 00811 { 00812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); 00813 return( 0 ); 00814 } 00815 00816 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00817 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00818 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00819 return( 0 ); 00820 #endif 00821 00822 #if defined(MBEDTLS_ARC4_C) 00823 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00824 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00825 { 00826 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); 00827 return( 0 ); 00828 } 00829 #endif 00830 00831 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00832 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00833 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) 00834 { 00835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " 00836 "not configured or ext missing" ) ); 00837 return( 0 ); 00838 } 00839 #endif 00840 00841 00842 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00843 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && 00844 ( ssl->handshake->curves == NULL || 00845 ssl->handshake->curves[0] == NULL ) ) 00846 { 00847 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00848 "no common elliptic curve" ) ); 00849 return( 0 ); 00850 } 00851 #endif 00852 00853 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00854 /* If the ciphersuite requires a pre-shared key and we don't 00855 * have one, skip it now rather than failing later */ 00856 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && 00857 ssl->conf->f_psk == NULL && 00858 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 00859 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 00860 { 00861 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); 00862 return( 0 ); 00863 } 00864 #endif 00865 00866 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00867 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00868 /* If the ciphersuite requires signing, check whether 00869 * a suitable hash algorithm is present. */ 00870 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00871 { 00872 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); 00873 if( sig_type != MBEDTLS_PK_NONE && 00874 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) 00875 { 00876 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " 00877 "for signature algorithm %d", sig_type ) ); 00878 return( 0 ); 00879 } 00880 } 00881 00882 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00883 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00884 00885 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00886 /* 00887 * Final check: if ciphersuite requires us to have a 00888 * certificate/key of a particular type: 00889 * - select the appropriate certificate if we have one, or 00890 * - try the next ciphersuite if we don't 00891 * This must be done last since we modify the key_cert list. 00892 */ 00893 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 00894 { 00895 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00896 "no suitable certificate" ) ); 00897 return( 0 ); 00898 } 00899 #endif 00900 00901 *ciphersuite_info = suite_info; 00902 return( 0 ); 00903 } 00904 00905 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 00906 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) 00907 { 00908 int ret, got_common_suite; 00909 unsigned int i, j; 00910 size_t n; 00911 unsigned int ciph_len, sess_len, chal_len; 00912 unsigned char *buf, *p; 00913 const int *ciphersuites; 00914 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00915 00916 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 00917 00918 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00919 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00920 { 00921 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 00922 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00923 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00924 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00925 } 00926 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00927 00928 buf = ssl->in_hdr; 00929 00930 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00931 00932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00933 buf[2] ) ); 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00935 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00936 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00937 buf[3], buf[4] ) ); 00938 00939 /* 00940 * SSLv2 Client Hello 00941 * 00942 * Record layer: 00943 * 0 . 1 message length 00944 * 00945 * SSL layer: 00946 * 2 . 2 message type 00947 * 3 . 4 protocol version 00948 */ 00949 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || 00950 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) 00951 { 00952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00953 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00954 } 00955 00956 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00957 00958 if( n < 17 || n > 512 ) 00959 { 00960 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00961 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00962 } 00963 00964 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 00965 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) 00966 ? buf[4] : ssl->conf->max_minor_ver; 00967 00968 if( ssl->minor_ver < ssl->conf->min_minor_ver ) 00969 { 00970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 00971 " [%d:%d] < [%d:%d]", 00972 ssl->major_ver, ssl->minor_ver, 00973 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 00974 00975 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00976 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 00977 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 00978 } 00979 00980 ssl->handshake->max_major_ver = buf[3]; 00981 ssl->handshake->max_minor_ver = buf[4]; 00982 00983 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 00984 { 00985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 00986 return( ret ); 00987 } 00988 00989 ssl->handshake->update_checksum( ssl, buf + 2, n ); 00990 00991 buf = ssl->in_msg; 00992 n = ssl->in_left - 5; 00993 00994 /* 00995 * 0 . 1 ciphersuitelist length 00996 * 2 . 3 session id length 00997 * 4 . 5 challenge length 00998 * 6 . .. ciphersuitelist 00999 * .. . .. session id 01000 * .. . .. challenge 01001 */ 01002 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); 01003 01004 ciph_len = ( buf[0] << 8 ) | buf[1]; 01005 sess_len = ( buf[2] << 8 ) | buf[3]; 01006 chal_len = ( buf[4] << 8 ) | buf[5]; 01007 01008 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 01009 ciph_len, sess_len, chal_len ) ); 01010 01011 /* 01012 * Make sure each parameter length is valid 01013 */ 01014 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 01015 { 01016 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01017 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01018 } 01019 01020 if( sess_len > 32 ) 01021 { 01022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01023 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01024 } 01025 01026 if( chal_len < 8 || chal_len > 32 ) 01027 { 01028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01029 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01030 } 01031 01032 if( n != 6 + ciph_len + sess_len + chal_len ) 01033 { 01034 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01035 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01036 } 01037 01038 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01039 buf + 6, ciph_len ); 01040 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", 01041 buf + 6 + ciph_len, sess_len ); 01042 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", 01043 buf + 6 + ciph_len + sess_len, chal_len ); 01044 01045 p = buf + 6 + ciph_len; 01046 ssl->session_negotiate->id_len = sess_len; 01047 memset( ssl->session_negotiate->id, 0, 01048 sizeof( ssl->session_negotiate->id ) ); 01049 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); 01050 01051 p += sess_len; 01052 memset( ssl->handshake->randbytes, 0, 64 ); 01053 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 01054 01055 /* 01056 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01057 */ 01058 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01059 { 01060 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01061 { 01062 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01063 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01064 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01065 { 01066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01067 "during renegotiation" ) ); 01068 01069 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01070 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01071 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01072 } 01073 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01074 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01075 break; 01076 } 01077 } 01078 01079 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01080 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01081 { 01082 if( p[0] == 0 && 01083 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01084 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01085 { 01086 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); 01087 01088 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01089 { 01090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01091 01092 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01093 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01094 01095 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01096 } 01097 01098 break; 01099 } 01100 } 01101 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01102 01103 got_common_suite = 0; 01104 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01105 ciphersuite_info = NULL; 01106 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01107 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01108 for( i = 0; ciphersuites[i] != 0; i++ ) 01109 #else 01110 for( i = 0; ciphersuites[i] != 0; i++ ) 01111 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01112 #endif 01113 { 01114 if( p[0] != 0 || 01115 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01116 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01117 continue; 01118 01119 got_common_suite = 1; 01120 01121 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01122 &ciphersuite_info ) ) != 0 ) 01123 return( ret ); 01124 01125 if( ciphersuite_info != NULL ) 01126 goto have_ciphersuite_v2; 01127 } 01128 01129 if( got_common_suite ) 01130 { 01131 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01132 "but none of them usable" ) ); 01133 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01134 } 01135 else 01136 { 01137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01138 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01139 } 01140 01141 have_ciphersuite_v2: 01142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01143 01144 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01145 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01146 01147 /* 01148 * SSLv2 Client Hello relevant renegotiation security checks 01149 */ 01150 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01151 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01152 { 01153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01154 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01155 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01156 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01157 } 01158 01159 ssl->in_left = 0; 01160 ssl->state++; 01161 01162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01163 01164 return( 0 ); 01165 } 01166 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01167 01168 /* This function doesn't alert on errors that happen early during 01169 ClientHello parsing because they might indicate that the client is 01170 not talking SSL/TLS at all and would not understand our alert. */ 01171 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) 01172 { 01173 int ret, got_common_suite; 01174 size_t i, j; 01175 size_t ciph_offset, comp_offset, ext_offset; 01176 size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 01177 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01178 size_t cookie_offset, cookie_len; 01179 #endif 01180 unsigned char *buf, *p, *ext; 01181 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01182 int renegotiation_info_seen = 0; 01183 #endif 01184 int handshake_failure = 0; 01185 const int *ciphersuites; 01186 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 01187 int major, minor; 01188 01189 /* If there is no signature-algorithm extension present, 01190 * we need to fall back to the default values for allowed 01191 * signature-hash pairs. */ 01192 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01193 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01194 int sig_hash_alg_ext_present = 0; 01195 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01196 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01197 01198 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01199 01200 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01201 read_record_header: 01202 #endif 01203 /* 01204 * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 01205 * otherwise read it ourselves manually in order to support SSLv2 01206 * ClientHello, which doesn't use the same record layer format. 01207 */ 01208 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01209 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01210 #endif 01211 { 01212 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) 01213 { 01214 /* No alert on a read error. */ 01215 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01216 return( ret ); 01217 } 01218 } 01219 01220 buf = ssl->in_hdr; 01221 01222 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01223 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01224 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) 01225 #endif 01226 if( ( buf[0] & 0x80 ) != 0 ) 01227 return( ssl_parse_client_hello_v2( ssl ) ); 01228 #endif 01229 01230 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) ); 01231 01232 /* 01233 * SSLv3/TLS Client Hello 01234 * 01235 * Record layer: 01236 * 0 . 0 message type 01237 * 1 . 2 protocol version 01238 * 3 . 11 DTLS: epoch + record sequence number 01239 * 3 . 4 message length 01240 */ 01241 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01242 buf[0] ) ); 01243 01244 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) 01245 { 01246 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01247 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01248 } 01249 01250 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01251 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); 01252 01253 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", 01254 buf[1], buf[2] ) ); 01255 01256 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); 01257 01258 /* According to RFC 5246 Appendix E.1, the version here is typically 01259 * "{03,00}, the lowest version number supported by the client, [or] the 01260 * value of ClientHello.client_version", so the only meaningful check here 01261 * is the major version shouldn't be less than 3 */ 01262 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) 01263 { 01264 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01265 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01266 } 01267 01268 /* For DTLS if this is the initial handshake, remember the client sequence 01269 * number to use it in our next message (RFC 6347 4.2.1) */ 01270 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01271 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 01272 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01273 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01274 #endif 01275 ) 01276 { 01277 /* Epoch should be 0 for initial handshakes */ 01278 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) 01279 { 01280 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01281 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01282 } 01283 01284 memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 ); 01285 01286 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01287 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 01288 { 01289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); 01290 ssl->next_record_offset = 0; 01291 ssl->in_left = 0; 01292 goto read_record_header; 01293 } 01294 01295 /* No MAC to check yet, so we can update right now */ 01296 mbedtls_ssl_dtls_replay_update( ssl ); 01297 #endif 01298 } 01299 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01300 01301 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 01302 01303 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01304 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01305 { 01306 /* Set by mbedtls_ssl_read_record() */ 01307 msg_len = ssl->in_hslen; 01308 } 01309 else 01310 #endif 01311 { 01312 if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 01313 { 01314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01315 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01316 } 01317 01318 if( ( ret = mbedtls_ssl_fetch_input( ssl, 01319 mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 ) 01320 { 01321 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01322 return( ret ); 01323 } 01324 01325 /* Done reading this record, get ready for the next one */ 01326 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01327 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01328 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); 01329 else 01330 #endif 01331 ssl->in_left = 0; 01332 } 01333 01334 buf = ssl->in_msg; 01335 01336 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); 01337 01338 ssl->handshake->update_checksum( ssl, buf, msg_len ); 01339 01340 /* 01341 * Handshake layer: 01342 * 0 . 0 handshake type 01343 * 1 . 3 handshake length 01344 * 4 . 5 DTLS only: message seqence number 01345 * 6 . 8 DTLS only: fragment offset 01346 * 9 . 11 DTLS only: fragment length 01347 */ 01348 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) 01349 { 01350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01351 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01352 } 01353 01354 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); 01355 01356 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 01357 { 01358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01359 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01360 } 01361 01362 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01363 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01364 01365 /* We don't support fragmentation of ClientHello (yet?) */ 01366 if( buf[1] != 0 || 01367 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) 01368 { 01369 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01370 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01371 } 01372 01373 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01374 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01375 { 01376 /* 01377 * Copy the client's handshake message_seq on initial handshakes, 01378 * check sequence number on renego. 01379 */ 01380 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01381 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01382 { 01383 /* This couldn't be done in ssl_prepare_handshake_record() */ 01384 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01385 ssl->in_msg[5]; 01386 01387 if( cli_msg_seq != ssl->handshake->in_msg_seq ) 01388 { 01389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " 01390 "%d (expected %d)", cli_msg_seq, 01391 ssl->handshake->in_msg_seq ) ); 01392 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01393 } 01394 01395 ssl->handshake->in_msg_seq++; 01396 } 01397 else 01398 #endif 01399 { 01400 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01401 ssl->in_msg[5]; 01402 ssl->handshake->out_msg_seq = cli_msg_seq; 01403 ssl->handshake->in_msg_seq = cli_msg_seq + 1; 01404 } 01405 01406 /* 01407 * For now we don't support fragmentation, so make sure 01408 * fragment_offset == 0 and fragment_length == length 01409 */ 01410 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || 01411 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) 01412 { 01413 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); 01414 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01415 } 01416 } 01417 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01418 01419 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01420 msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); 01421 01422 /* 01423 * ClientHello layer: 01424 * 0 . 1 protocol version 01425 * 2 . 33 random bytes (starting with 4 bytes of Unix time) 01426 * 34 . 35 session id length (1 byte) 01427 * 35 . 34+x session id 01428 * 35+x . 35+x DTLS only: cookie length (1 byte) 01429 * 36+x . .. DTLS only: cookie 01430 * .. . .. ciphersuite list length (2 bytes) 01431 * .. . .. ciphersuite list 01432 * .. . .. compression alg. list length (1 byte) 01433 * .. . .. compression alg. list 01434 * .. . .. extensions length (2 bytes, optional) 01435 * .. . .. extensions (optional) 01436 */ 01437 01438 /* 01439 * Minimal length (with everything empty and extensions ommitted) is 01440 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 01441 * read at least up to session id length without worrying. 01442 */ 01443 if( msg_len < 38 ) 01444 { 01445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01446 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01447 } 01448 01449 /* 01450 * Check and save the protocol version 01451 */ 01452 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); 01453 01454 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01455 ssl->conf->transport, buf ); 01456 01457 ssl->handshake->max_major_ver = ssl->major_ver; 01458 ssl->handshake->max_minor_ver = ssl->minor_ver; 01459 01460 if( ssl->major_ver < ssl->conf->min_major_ver || 01461 ssl->minor_ver < ssl->conf->min_minor_ver ) 01462 { 01463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01464 " [%d:%d] < [%d:%d]", 01465 ssl->major_ver, ssl->minor_ver, 01466 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 01467 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01468 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01469 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01470 } 01471 01472 if( ssl->major_ver > ssl->conf->max_major_ver ) 01473 { 01474 ssl->major_ver = ssl->conf->max_major_ver; 01475 ssl->minor_ver = ssl->conf->max_minor_ver; 01476 } 01477 else if( ssl->minor_ver > ssl->conf->max_minor_ver ) 01478 ssl->minor_ver = ssl->conf->max_minor_ver; 01479 01480 /* 01481 * Save client random (inc. Unix time) 01482 */ 01483 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); 01484 01485 memcpy( ssl->handshake->randbytes, buf + 2, 32 ); 01486 01487 /* 01488 * Check the session ID length and save session ID 01489 */ 01490 sess_len = buf[34]; 01491 01492 if( sess_len > sizeof( ssl->session_negotiate->id ) || 01493 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ 01494 { 01495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01496 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01497 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01498 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01499 } 01500 01501 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); 01502 01503 ssl->session_negotiate->id_len = sess_len; 01504 memset( ssl->session_negotiate->id, 0, 01505 sizeof( ssl->session_negotiate->id ) ); 01506 memcpy( ssl->session_negotiate->id, buf + 35, 01507 ssl->session_negotiate->id_len ); 01508 01509 /* 01510 * Check the cookie length and content 01511 */ 01512 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01513 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01514 { 01515 cookie_offset = 35 + sess_len; 01516 cookie_len = buf[cookie_offset]; 01517 01518 if( cookie_offset + 1 + cookie_len + 2 > msg_len ) 01519 { 01520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01521 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01522 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01523 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01524 } 01525 01526 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 01527 buf + cookie_offset + 1, cookie_len ); 01528 01529 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 01530 if( ssl->conf->f_cookie_check != NULL 01531 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01532 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01533 #endif 01534 ) 01535 { 01536 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, 01537 buf + cookie_offset + 1, cookie_len, 01538 ssl->cli_id, ssl->cli_id_len ) != 0 ) 01539 { 01540 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); 01541 ssl->handshake->verify_cookie_len = 1; 01542 } 01543 else 01544 { 01545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); 01546 ssl->handshake->verify_cookie_len = 0; 01547 } 01548 } 01549 else 01550 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 01551 { 01552 /* We know we didn't send a cookie, so it should be empty */ 01553 if( cookie_len != 0 ) 01554 { 01555 /* This may be an attacker's probe, so don't send an alert */ 01556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01557 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01558 } 01559 01560 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); 01561 } 01562 01563 /* 01564 * Check the ciphersuitelist length (will be parsed later) 01565 */ 01566 ciph_offset = cookie_offset + 1 + cookie_len; 01567 } 01568 else 01569 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01570 ciph_offset = 35 + sess_len; 01571 01572 ciph_len = ( buf[ciph_offset + 0] << 8 ) 01573 | ( buf[ciph_offset + 1] ); 01574 01575 if( ciph_len < 2 || 01576 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 01577 ( ciph_len % 2 ) != 0 ) 01578 { 01579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01580 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01583 } 01584 01585 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01586 buf + ciph_offset + 2, ciph_len ); 01587 01588 /* 01589 * Check the compression algorithms length and pick one 01590 */ 01591 comp_offset = ciph_offset + 2 + ciph_len; 01592 01593 comp_len = buf[comp_offset]; 01594 01595 if( comp_len < 1 || 01596 comp_len > 16 || 01597 comp_len + comp_offset + 1 > msg_len ) 01598 { 01599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01600 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01601 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01602 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01603 } 01604 01605 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", 01606 buf + comp_offset + 1, comp_len ); 01607 01608 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01609 #if defined(MBEDTLS_ZLIB_SUPPORT) 01610 for( i = 0; i < comp_len; ++i ) 01611 { 01612 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) 01613 { 01614 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; 01615 break; 01616 } 01617 } 01618 #endif 01619 01620 /* See comments in ssl_write_client_hello() */ 01621 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01622 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01623 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01624 #endif 01625 01626 /* Do not parse the extensions if the protocol is SSLv3 */ 01627 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01628 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 01629 { 01630 #endif 01631 /* 01632 * Check the extension length 01633 */ 01634 ext_offset = comp_offset + 1 + comp_len; 01635 if( msg_len > ext_offset ) 01636 { 01637 if( msg_len < ext_offset + 2 ) 01638 { 01639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01640 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01641 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01642 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01643 } 01644 01645 ext_len = ( buf[ext_offset + 0] << 8 ) 01646 | ( buf[ext_offset + 1] ); 01647 01648 if( ( ext_len > 0 && ext_len < 4 ) || 01649 msg_len != ext_offset + 2 + ext_len ) 01650 { 01651 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01652 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01653 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01654 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01655 } 01656 } 01657 else 01658 ext_len = 0; 01659 01660 ext = buf + ext_offset + 2; 01661 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); 01662 01663 while( ext_len != 0 ) 01664 { 01665 unsigned int ext_id = ( ( ext[0] << 8 ) 01666 | ( ext[1] ) ); 01667 unsigned int ext_size = ( ( ext[2] << 8 ) 01668 | ( ext[3] ) ); 01669 01670 if( ext_size + 4 > ext_len ) 01671 { 01672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01673 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01674 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01675 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01676 } 01677 switch( ext_id ) 01678 { 01679 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01680 case MBEDTLS_TLS_EXT_SERVERNAME: 01681 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01682 if( ssl->conf->f_sni == NULL ) 01683 break; 01684 01685 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01686 if( ret != 0 ) 01687 return( ret ); 01688 break; 01689 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 01690 01691 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01692 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01693 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01694 renegotiation_info_seen = 1; 01695 #endif 01696 01697 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01698 if( ret != 0 ) 01699 return( ret ); 01700 break; 01701 01702 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01703 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01704 case MBEDTLS_TLS_EXT_SIG_ALG: 01705 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01706 01707 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01708 if( ret != 0 ) 01709 return( ret ); 01710 01711 sig_hash_alg_ext_present = 1; 01712 break; 01713 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01714 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01715 01716 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01717 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01718 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01719 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01720 01721 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01722 if( ret != 0 ) 01723 return( ret ); 01724 break; 01725 01726 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01728 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01729 01730 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01731 if( ret != 0 ) 01732 return( ret ); 01733 break; 01734 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01735 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01736 01737 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01738 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01739 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); 01740 01741 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); 01742 if( ret != 0 ) 01743 return( ret ); 01744 break; 01745 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01746 01747 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01748 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01749 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01750 01751 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01752 if( ret != 0 ) 01753 return( ret ); 01754 break; 01755 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01756 01757 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01758 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01759 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01760 01761 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01762 if( ret != 0 ) 01763 return( ret ); 01764 break; 01765 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01766 01767 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01768 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01769 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); 01770 01771 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); 01772 if( ret != 0 ) 01773 return( ret ); 01774 break; 01775 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01776 01777 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01778 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01779 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); 01780 01781 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); 01782 if( ret != 0 ) 01783 return( ret ); 01784 break; 01785 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01786 01787 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01788 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01789 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01790 01791 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01792 if( ret != 0 ) 01793 return( ret ); 01794 break; 01795 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01796 01797 #if defined(MBEDTLS_SSL_ALPN) 01798 case MBEDTLS_TLS_EXT_ALPN: 01799 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01800 01801 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01802 if( ret != 0 ) 01803 return( ret ); 01804 break; 01805 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01806 01807 default: 01808 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01809 ext_id ) ); 01810 } 01811 01812 ext_len -= 4 + ext_size; 01813 ext += 4 + ext_size; 01814 01815 if( ext_len > 0 && ext_len < 4 ) 01816 { 01817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01818 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01819 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01820 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01821 } 01822 } 01823 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01824 } 01825 #endif 01826 01827 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01828 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01829 { 01830 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01831 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01832 { 01833 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); 01834 01835 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01836 { 01837 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01838 01839 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01840 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01841 01842 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01843 } 01844 01845 break; 01846 } 01847 } 01848 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01849 01850 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01851 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01852 01853 /* 01854 * Try to fall back to default hash SHA1 if the client 01855 * hasn't provided any preferred signature-hash combinations. 01856 */ 01857 if( sig_hash_alg_ext_present == 0 ) 01858 { 01859 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1; 01860 01861 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 ) 01862 md_default = MBEDTLS_MD_NONE; 01863 01864 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default ); 01865 } 01866 01867 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01868 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01869 01870 /* 01871 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01872 */ 01873 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01874 { 01875 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01876 { 01877 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01878 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01879 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01880 { 01881 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01882 "during renegotiation" ) ); 01883 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01884 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01885 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01886 } 01887 #endif 01888 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01889 break; 01890 } 01891 } 01892 01893 /* 01894 * Renegotiation security checks 01895 */ 01896 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 01897 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01898 { 01899 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01900 handshake_failure = 1; 01901 } 01902 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01903 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01904 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01905 renegotiation_info_seen == 0 ) 01906 { 01907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01908 handshake_failure = 1; 01909 } 01910 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01911 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01912 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01913 { 01914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01915 handshake_failure = 1; 01916 } 01917 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01918 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01919 renegotiation_info_seen == 1 ) 01920 { 01921 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01922 handshake_failure = 1; 01923 } 01924 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01925 01926 if( handshake_failure == 1 ) 01927 { 01928 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01929 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01930 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01931 } 01932 01933 /* 01934 * Search for a matching ciphersuite 01935 * (At the end because we need information from the EC-based extensions 01936 * and certificate from the SNI callback triggered by the SNI extension.) 01937 */ 01938 got_common_suite = 0; 01939 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01940 ciphersuite_info = NULL; 01941 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01942 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01943 for( i = 0; ciphersuites[i] != 0; i++ ) 01944 #else 01945 for( i = 0; ciphersuites[i] != 0; i++ ) 01946 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01947 #endif 01948 { 01949 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01950 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 01951 continue; 01952 01953 got_common_suite = 1; 01954 01955 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01956 &ciphersuite_info ) ) != 0 ) 01957 return( ret ); 01958 01959 if( ciphersuite_info != NULL ) 01960 goto have_ciphersuite; 01961 } 01962 01963 if( got_common_suite ) 01964 { 01965 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01966 "but none of them usable" ) ); 01967 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01968 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01969 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01970 } 01971 else 01972 { 01973 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01974 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01975 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01976 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01977 } 01978 01979 have_ciphersuite: 01980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01981 01982 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01983 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01984 01985 ssl->state++; 01986 01987 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01988 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01989 mbedtls_ssl_recv_flight_completed( ssl ); 01990 #endif 01991 01992 /* Debugging-only output for testsuite */ 01993 #if defined(MBEDTLS_DEBUG_C) && \ 01994 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01995 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01996 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 01997 { 01998 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); 01999 if( sig_alg != MBEDTLS_PK_NONE ) 02000 { 02001 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 02002 sig_alg ); 02003 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 02004 mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); 02005 } 02006 else 02007 { 02008 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm " 02009 "%d - should not happen", sig_alg ) ); 02010 } 02011 } 02012 #endif 02013 02014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 02015 02016 return( 0 ); 02017 } 02018 02019 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02020 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 02021 unsigned char *buf, 02022 size_t *olen ) 02023 { 02024 unsigned char *p = buf; 02025 02026 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 02027 { 02028 *olen = 0; 02029 return; 02030 } 02031 02032 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 02033 02034 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 02035 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 02036 02037 *p++ = 0x00; 02038 *p++ = 0x00; 02039 02040 *olen = 4; 02041 } 02042 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 02043 02044 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02045 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 02046 unsigned char *buf, 02047 size_t *olen ) 02048 { 02049 unsigned char *p = buf; 02050 const mbedtls_ssl_ciphersuite_t *suite = NULL; 02051 const mbedtls_cipher_info_t *cipher = NULL; 02052 02053 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 02054 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02055 { 02056 *olen = 0; 02057 return; 02058 } 02059 02060 /* 02061 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 02062 * from a client and then selects a stream or Authenticated Encryption 02063 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 02064 * encrypt-then-MAC response extension back to the client." 02065 */ 02066 if( ( suite = mbedtls_ssl_ciphersuite_from_id( 02067 ssl->session_negotiate->ciphersuite ) ) == NULL || 02068 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || 02069 cipher->mode != MBEDTLS_MODE_CBC ) 02070 { 02071 *olen = 0; 02072 return; 02073 } 02074 02075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); 02076 02077 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 02078 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 02079 02080 *p++ = 0x00; 02081 *p++ = 0x00; 02082 02083 *olen = 4; 02084 } 02085 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 02086 02087 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02088 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 02089 unsigned char *buf, 02090 size_t *olen ) 02091 { 02092 unsigned char *p = buf; 02093 02094 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 02095 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02096 { 02097 *olen = 0; 02098 return; 02099 } 02100 02101 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " 02102 "extension" ) ); 02103 02104 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 02105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 02106 02107 *p++ = 0x00; 02108 *p++ = 0x00; 02109 02110 *olen = 4; 02111 } 02112 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 02113 02114 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02115 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 02116 unsigned char *buf, 02117 size_t *olen ) 02118 { 02119 unsigned char *p = buf; 02120 02121 if( ssl->handshake->new_session_ticket == 0 ) 02122 { 02123 *olen = 0; 02124 return; 02125 } 02126 02127 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 02128 02129 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 02130 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 02131 02132 *p++ = 0x00; 02133 *p++ = 0x00; 02134 02135 *olen = 4; 02136 } 02137 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02138 02139 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 02140 unsigned char *buf, 02141 size_t *olen ) 02142 { 02143 unsigned char *p = buf; 02144 02145 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) 02146 { 02147 *olen = 0; 02148 return; 02149 } 02150 02151 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 02152 02153 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 02154 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 02155 02156 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02157 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 02158 { 02159 *p++ = 0x00; 02160 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 02161 *p++ = ssl->verify_data_len * 2 & 0xFF; 02162 02163 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 02164 p += ssl->verify_data_len; 02165 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 02166 p += ssl->verify_data_len; 02167 } 02168 else 02169 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02170 { 02171 *p++ = 0x00; 02172 *p++ = 0x01; 02173 *p++ = 0x00; 02174 } 02175 02176 *olen = p - buf; 02177 } 02178 02179 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02180 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 02181 unsigned char *buf, 02182 size_t *olen ) 02183 { 02184 unsigned char *p = buf; 02185 02186 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) 02187 { 02188 *olen = 0; 02189 return; 02190 } 02191 02192 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 02193 02194 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 02195 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 02196 02197 *p++ = 0x00; 02198 *p++ = 1; 02199 02200 *p++ = ssl->session_negotiate->mfl_code; 02201 02202 *olen = 5; 02203 } 02204 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 02205 02206 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02207 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02208 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 02209 unsigned char *buf, 02210 size_t *olen ) 02211 { 02212 unsigned char *p = buf; 02213 ((void) ssl); 02214 02215 if( ( ssl->handshake->cli_exts & 02216 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 02217 { 02218 *olen = 0; 02219 return; 02220 } 02221 02222 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 02223 02224 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 02225 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 02226 02227 *p++ = 0x00; 02228 *p++ = 2; 02229 02230 *p++ = 1; 02231 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 02232 02233 *olen = 6; 02234 } 02235 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02236 02237 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02238 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 02239 unsigned char *buf, 02240 size_t *olen ) 02241 { 02242 int ret; 02243 unsigned char *p = buf; 02244 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02245 size_t kkpp_len; 02246 02247 *olen = 0; 02248 02249 /* Skip costly computation if not needed */ 02250 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 02251 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02252 return; 02253 02254 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); 02255 02256 if( end - p < 4 ) 02257 { 02258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 02259 return; 02260 } 02261 02262 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 02263 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 02264 02265 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 02266 p + 2, end - p - 2, &kkpp_len, 02267 ssl->conf->f_rng, ssl->conf->p_rng ); 02268 if( ret != 0 ) 02269 { 02270 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 02271 return; 02272 } 02273 02274 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 02275 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 02276 02277 *olen = kkpp_len + 4; 02278 } 02279 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02280 02281 #if defined(MBEDTLS_SSL_ALPN ) 02282 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 02283 unsigned char *buf, size_t *olen ) 02284 { 02285 if( ssl->alpn_chosen == NULL ) 02286 { 02287 *olen = 0; 02288 return; 02289 } 02290 02291 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 02292 02293 /* 02294 * 0 . 1 ext identifier 02295 * 2 . 3 ext length 02296 * 4 . 5 protocol list length 02297 * 6 . 6 protocol name length 02298 * 7 . 7+n protocol name 02299 */ 02300 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 02301 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 02302 02303 *olen = 7 + strlen( ssl->alpn_chosen ); 02304 02305 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 02306 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 02307 02308 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 02309 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 02310 02311 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 02312 02313 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 02314 } 02315 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 02316 02317 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02318 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) 02319 { 02320 int ret; 02321 unsigned char *p = ssl->out_msg + 4; 02322 unsigned char *cookie_len_byte; 02323 02324 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); 02325 02326 /* 02327 * struct { 02328 * ProtocolVersion server_version; 02329 * opaque cookie<0..2^8-1>; 02330 * } HelloVerifyRequest; 02331 */ 02332 02333 /* The RFC is not clear on this point, but sending the actual negotiated 02334 * version looks like the most interoperable thing to do. */ 02335 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02336 ssl->conf->transport, p ); 02337 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 02338 p += 2; 02339 02340 /* If we get here, f_cookie_check is not null */ 02341 if( ssl->conf->f_cookie_write == NULL ) 02342 { 02343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); 02344 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02345 } 02346 02347 /* Skip length byte until we know the length */ 02348 cookie_len_byte = p++; 02349 02350 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, 02351 &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, 02352 ssl->cli_id, ssl->cli_id_len ) ) != 0 ) 02353 { 02354 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); 02355 return( ret ); 02356 } 02357 02358 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); 02359 02360 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); 02361 02362 ssl->out_msglen = p - ssl->out_msg; 02363 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02364 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 02365 02366 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 02367 02368 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02369 { 02370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02371 return( ret ); 02372 } 02373 02374 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); 02375 02376 return( 0 ); 02377 } 02378 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02379 02380 static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) 02381 { 02382 #if defined(MBEDTLS_HAVE_TIME) 02383 mbedtls_time_t t; 02384 #endif 02385 int ret; 02386 size_t olen, ext_len = 0, n; 02387 unsigned char *buf, *p; 02388 02389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 02390 02391 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02392 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02393 ssl->handshake->verify_cookie_len != 0 ) 02394 { 02395 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); 02396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02397 02398 return( ssl_write_hello_verify_request( ssl ) ); 02399 } 02400 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02401 02402 if( ssl->conf->f_rng == NULL ) 02403 { 02404 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 02405 return( MBEDTLS_ERR_SSL_NO_RNG ); 02406 } 02407 02408 /* 02409 * 0 . 0 handshake type 02410 * 1 . 3 handshake length 02411 * 4 . 5 protocol version 02412 * 6 . 9 UNIX time() 02413 * 10 . 37 random bytes 02414 */ 02415 buf = ssl->out_msg; 02416 p = buf + 4; 02417 02418 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02419 ssl->conf->transport, p ); 02420 p += 2; 02421 02422 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 02423 buf[4], buf[5] ) ); 02424 02425 #if defined(MBEDTLS_HAVE_TIME) 02426 t = mbedtls_time( NULL ); 02427 *p++ = (unsigned char)( t >> 24 ); 02428 *p++ = (unsigned char)( t >> 16 ); 02429 *p++ = (unsigned char)( t >> 8 ); 02430 *p++ = (unsigned char)( t ); 02431 02432 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 02433 #else 02434 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 02435 return( ret ); 02436 02437 p += 4; 02438 #endif /* MBEDTLS_HAVE_TIME */ 02439 02440 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 02441 return( ret ); 02442 02443 p += 28; 02444 02445 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 02446 02447 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 02448 02449 /* 02450 * Resume is 0 by default, see ssl_handshake_init(). 02451 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 02452 * If not, try looking up session ID in our cache. 02453 */ 02454 if( ssl->handshake->resume == 0 && 02455 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02456 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && 02457 #endif 02458 ssl->session_negotiate->id_len != 0 && 02459 ssl->conf->f_get_cache != NULL && 02460 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) 02461 { 02462 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 02463 ssl->handshake->resume = 1; 02464 } 02465 02466 if( ssl->handshake->resume == 0 ) 02467 { 02468 /* 02469 * New session, create a new session id, 02470 * unless we're about to issue a session ticket 02471 */ 02472 ssl->state++; 02473 02474 #if defined(MBEDTLS_HAVE_TIME) 02475 ssl->session_negotiate->start = mbedtls_time( NULL ); 02476 #endif 02477 02478 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02479 if( ssl->handshake->new_session_ticket != 0 ) 02480 { 02481 ssl->session_negotiate->id_len = n = 0; 02482 memset( ssl->session_negotiate->id, 0, 32 ); 02483 } 02484 else 02485 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02486 { 02487 ssl->session_negotiate->id_len = n = 32; 02488 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 02489 n ) ) != 0 ) 02490 return( ret ); 02491 } 02492 } 02493 else 02494 { 02495 /* 02496 * Resuming a session 02497 */ 02498 n = ssl->session_negotiate->id_len; 02499 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 02500 02501 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02502 { 02503 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02504 return( ret ); 02505 } 02506 } 02507 02508 /* 02509 * 38 . 38 session id length 02510 * 39 . 38+n session id 02511 * 39+n . 40+n chosen ciphersuite 02512 * 41+n . 41+n chosen compression alg. 02513 * 42+n . 43+n extensions length 02514 * 44+n . 43+n+m extensions 02515 */ 02516 *p++ = (unsigned char) ssl->session_negotiate->id_len; 02517 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); 02518 p += ssl->session_negotiate->id_len; 02519 02520 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 02521 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 02522 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 02523 ssl->handshake->resume ? "a" : "no" ) ); 02524 02525 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 02526 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 02527 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 02528 02529 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 02530 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 02531 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 02532 ssl->session_negotiate->compression ) ); 02533 02534 /* Do not write the extensions if the protocol is SSLv3 */ 02535 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02536 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 02537 { 02538 #endif 02539 02540 /* 02541 * First write extensions, then the total length 02542 */ 02543 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 02544 ext_len += olen; 02545 02546 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02547 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 02548 ext_len += olen; 02549 #endif 02550 02551 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02552 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 02553 ext_len += olen; 02554 #endif 02555 02556 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02557 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 02558 ext_len += olen; 02559 #endif 02560 02561 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02562 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 02563 ext_len += olen; 02564 #endif 02565 02566 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02567 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 02568 ext_len += olen; 02569 #endif 02570 02571 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02572 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02573 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 02574 ext_len += olen; 02575 #endif 02576 02577 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02578 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 02579 ext_len += olen; 02580 #endif 02581 02582 #if defined(MBEDTLS_SSL_ALPN) 02583 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 02584 ext_len += olen; 02585 #endif 02586 02587 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 02588 02589 if( ext_len > 0 ) 02590 { 02591 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02592 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02593 p += ext_len; 02594 } 02595 02596 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02597 } 02598 #endif 02599 02600 ssl->out_msglen = p - buf; 02601 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02602 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 02603 02604 ret = mbedtls_ssl_write_record( ssl ); 02605 02606 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02607 02608 return( ret ); 02609 } 02610 02611 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02612 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02613 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02614 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02615 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02616 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02617 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02618 { 02619 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02620 ssl->transform_negotiate->ciphersuite_info; 02621 02622 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02623 02624 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02625 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02626 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02627 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02628 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02629 { 02630 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02631 ssl->state++; 02632 return( 0 ); 02633 } 02634 02635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02636 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02637 } 02638 #else 02639 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02640 { 02641 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02642 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02643 ssl->transform_negotiate->ciphersuite_info; 02644 size_t dn_size, total_dn_size; /* excluding length bytes */ 02645 size_t ct_len, sa_len; /* including length bytes */ 02646 unsigned char *buf, *p; 02647 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02648 const mbedtls_x509_crt *crt; 02649 int authmode; 02650 02651 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02652 02653 ssl->state++; 02654 02655 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02656 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 02657 authmode = ssl->handshake->sni_authmode; 02658 else 02659 #endif 02660 authmode = ssl->conf->authmode; 02661 02662 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02663 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02664 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02665 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02666 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 02667 authmode == MBEDTLS_SSL_VERIFY_NONE ) 02668 { 02669 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02670 return( 0 ); 02671 } 02672 02673 /* 02674 * 0 . 0 handshake type 02675 * 1 . 3 handshake length 02676 * 4 . 4 cert type count 02677 * 5 .. m-1 cert types 02678 * m .. m+1 sig alg length (TLS 1.2 only) 02679 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02680 * n .. n+1 length of all DNs 02681 * n+2 .. n+3 length of DN 1 02682 * n+4 .. ... Distinguished Name #1 02683 * ... .. ... length of DN 2, etc. 02684 */ 02685 buf = ssl->out_msg; 02686 p = buf + 4; 02687 02688 /* 02689 * Supported certificate types 02690 * 02691 * ClientCertificateType certificate_types<1..2^8-1>; 02692 * enum { (255) } ClientCertificateType; 02693 */ 02694 ct_len = 0; 02695 02696 #if defined(MBEDTLS_RSA_C) 02697 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02698 #endif 02699 #if defined(MBEDTLS_ECDSA_C) 02700 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02701 #endif 02702 02703 p[0] = (unsigned char) ct_len++; 02704 p += ct_len; 02705 02706 sa_len = 0; 02707 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02708 /* 02709 * Add signature_algorithms for verify (TLS 1.2) 02710 * 02711 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02712 * 02713 * struct { 02714 * HashAlgorithm hash; 02715 * SignatureAlgorithm signature; 02716 * } SignatureAndHashAlgorithm; 02717 * 02718 * enum { (255) } HashAlgorithm; 02719 * enum { (255) } SignatureAlgorithm; 02720 */ 02721 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02722 { 02723 const int *cur; 02724 02725 /* 02726 * Supported signature algorithms 02727 */ 02728 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 02729 { 02730 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur ); 02731 02732 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) 02733 continue; 02734 02735 #if defined(MBEDTLS_RSA_C) 02736 p[2 + sa_len++] = hash; 02737 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; 02738 #endif 02739 #if defined(MBEDTLS_ECDSA_C) 02740 p[2 + sa_len++] = hash; 02741 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; 02742 #endif 02743 } 02744 02745 p[0] = (unsigned char)( sa_len >> 8 ); 02746 p[1] = (unsigned char)( sa_len ); 02747 sa_len += 2; 02748 p += sa_len; 02749 } 02750 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02751 02752 /* 02753 * DistinguishedName certificate_authorities<0..2^16-1>; 02754 * opaque DistinguishedName<1..2^16-1>; 02755 */ 02756 p += 2; 02757 02758 total_dn_size = 0; 02759 02760 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) 02761 { 02762 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02763 if( ssl->handshake->sni_ca_chain != NULL ) 02764 crt = ssl->handshake->sni_ca_chain; 02765 else 02766 #endif 02767 crt = ssl->conf->ca_chain; 02768 02769 while( crt != NULL && crt->version != 0 ) 02770 { 02771 dn_size = crt->subject_raw.len; 02772 02773 if( end < p || 02774 (size_t)( end - p ) < dn_size || 02775 (size_t)( end - p ) < 2 + dn_size ) 02776 { 02777 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); 02778 break; 02779 } 02780 02781 *p++ = (unsigned char)( dn_size >> 8 ); 02782 *p++ = (unsigned char)( dn_size ); 02783 memcpy( p, crt->subject_raw.p, dn_size ); 02784 p += dn_size; 02785 02786 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); 02787 02788 total_dn_size += 2 + dn_size; 02789 crt = crt->next; 02790 } 02791 } 02792 02793 ssl->out_msglen = p - buf; 02794 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02795 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 02796 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02797 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02798 02799 ret = mbedtls_ssl_write_record( ssl ); 02800 02801 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 02802 02803 return( ret ); 02804 } 02805 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02806 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02807 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 02808 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02809 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 02810 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02811 02812 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02813 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02814 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02815 { 02816 int ret; 02817 02818 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) 02819 { 02820 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02821 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02822 } 02823 02824 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, 02825 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), 02826 MBEDTLS_ECDH_OURS ) ) != 0 ) 02827 { 02828 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02829 return( ret ); 02830 } 02831 02832 return( 0 ); 02833 } 02834 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02835 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02836 02837 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) 02838 { 02839 int ret; 02840 size_t n = 0; 02841 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02842 ssl->transform_negotiate->ciphersuite_info; 02843 02844 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) 02845 unsigned char *p = ssl->out_msg + 4; 02846 size_t len; 02847 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02848 unsigned char *dig_signed = p; 02849 size_t dig_signed_len = 0; 02850 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02851 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */ 02852 02853 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 02854 02855 /* 02856 * 02857 * Part 1: Extract static ECDH parameters and abort 02858 * if ServerKeyExchange not needed. 02859 * 02860 */ 02861 02862 /* For suites involving ECDH, extract DH parameters 02863 * from certificate at this point. */ 02864 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED) 02865 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) 02866 { 02867 ssl_get_ecdh_params_from_cert( ssl ); 02868 } 02869 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */ 02870 02871 /* Key exchanges not involving ephemeral keys don't use 02872 * ServerKeyExchange, so end here. */ 02873 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) 02874 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) ) 02875 { 02876 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02877 ssl->state++; 02878 return( 0 ); 02879 } 02880 #endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */ 02881 02882 /* 02883 * 02884 * Part 2: Provide key exchange parameters for chosen ciphersuite. 02885 * 02886 */ 02887 02888 /* 02889 * - ECJPAKE key exchanges 02890 */ 02891 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02892 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02893 { 02894 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02895 02896 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02897 p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng ); 02898 if( ret != 0 ) 02899 { 02900 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02901 return( ret ); 02902 } 02903 02904 p += len; 02905 n += len; 02906 } 02907 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02908 02909 /* 02910 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support 02911 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, 02912 * we use empty support identity hints here. 02913 **/ 02914 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02915 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02916 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02917 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02918 { 02919 *(p++) = 0x00; 02920 *(p++) = 0x00; 02921 02922 n += 2; 02923 } 02924 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 02925 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02926 02927 /* 02928 * - DHE key exchanges 02929 */ 02930 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) 02931 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) 02932 { 02933 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) 02934 { 02935 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); 02936 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02937 } 02938 02939 /* 02940 * Ephemeral DH parameters: 02941 * 02942 * struct { 02943 * opaque dh_p<1..2^16-1>; 02944 * opaque dh_g<1..2^16-1>; 02945 * opaque dh_Ys<1..2^16-1>; 02946 * } ServerDHParams; 02947 */ 02948 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, 02949 &ssl->conf->dhm_P, 02950 &ssl->conf->dhm_G ) ) != 0 ) 02951 { 02952 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); 02953 return( ret ); 02954 } 02955 02956 if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx, 02957 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02958 p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02959 { 02960 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); 02961 return( ret ); 02962 } 02963 02964 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02965 dig_signed = p; 02966 dig_signed_len = len; 02967 #endif 02968 02969 p += len; 02970 n += len; 02971 02972 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02973 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02974 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02975 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02976 } 02977 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */ 02978 02979 /* 02980 * - ECDHE key exchanges 02981 */ 02982 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 02983 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) 02984 { 02985 /* 02986 * Ephemeral ECDH parameters: 02987 * 02988 * struct { 02989 * ECParameters curve_params; 02990 * ECPoint public; 02991 * } ServerECDHParams; 02992 */ 02993 const mbedtls_ecp_curve_info **curve = NULL; 02994 const mbedtls_ecp_group_id *gid; 02995 02996 /* Match our preference list against the offered curves */ 02997 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 02998 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 02999 if( (*curve)->grp_id == *gid ) 03000 goto curve_matching_done; 03001 03002 curve_matching_done: 03003 if( curve == NULL || *curve == NULL ) 03004 { 03005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 03006 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 03007 } 03008 03009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 03010 03011 if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp, 03012 (*curve)->grp_id ) ) != 0 ) 03013 { 03014 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); 03015 return( ret ); 03016 } 03017 03018 if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, 03019 p, MBEDTLS_SSL_MAX_CONTENT_LEN - n, 03020 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03021 { 03022 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); 03023 return( ret ); 03024 } 03025 03026 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03027 dig_signed = p; 03028 dig_signed_len = len; 03029 #endif 03030 03031 p += len; 03032 n += len; 03033 03034 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); 03035 } 03036 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 03037 03038 /* 03039 * 03040 * Part 3: For key exchanges involving the server signing the 03041 * exchange parameters, compute and add the signature here. 03042 * 03043 */ 03044 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03045 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 03046 { 03047 size_t signature_len = 0; 03048 unsigned int hashlen = 0; 03049 unsigned char hash[64]; 03050 03051 /* 03052 * 3.1: Choose hash algorithm: 03053 * A: For TLS 1.2, obey signature-hash-algorithm extension 03054 * to choose appropriate hash. 03055 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 03056 * (RFC 4492, Sec. 5.4) 03057 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) 03058 */ 03059 03060 mbedtls_md_type_t md_alg; 03061 03062 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03063 mbedtls_pk_type_t sig_alg = 03064 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 03065 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03066 { 03067 /* A: For TLS 1.2, obey signature-hash-algorithm extension 03068 * (RFC 5246, Sec. 7.4.1.4.1). */ 03069 if( sig_alg == MBEDTLS_PK_NONE || 03070 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 03071 sig_alg ) ) == MBEDTLS_MD_NONE ) 03072 { 03073 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03074 /* (... because we choose a cipher suite 03075 * only if there is a matching hash.) */ 03076 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03077 } 03078 } 03079 else 03080 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03081 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03082 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03083 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 03084 { 03085 /* B: Default hash SHA1 */ 03086 md_alg = MBEDTLS_MD_SHA1; 03087 } 03088 else 03089 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03090 MBEDTLS_SSL_PROTO_TLS1_1 */ 03091 { 03092 /* C: MD5 + SHA1 */ 03093 md_alg = MBEDTLS_MD_NONE; 03094 } 03095 03096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) ); 03097 03098 /* 03099 * 3.2: Compute the hash to be signed 03100 */ 03101 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03102 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03103 if( md_alg == MBEDTLS_MD_NONE ) 03104 { 03105 hashlen = 36; 03106 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, 03107 dig_signed, 03108 dig_signed_len ); 03109 if( ret != 0 ) 03110 return( ret ); 03111 } 03112 else 03113 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03114 MBEDTLS_SSL_PROTO_TLS1_1 */ 03115 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03116 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03117 if( md_alg != MBEDTLS_MD_NONE ) 03118 { 03119 /* Info from md_alg will be used instead */ 03120 hashlen = 0; 03121 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, 03122 dig_signed, 03123 dig_signed_len, 03124 md_alg ); 03125 if( ret != 0 ) 03126 return( ret ); 03127 } 03128 else 03129 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 03130 MBEDTLS_SSL_PROTO_TLS1_2 */ 03131 { 03132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03133 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03134 } 03135 03136 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 03137 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 03138 03139 /* 03140 * 3.3: Compute and add the signature 03141 */ 03142 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03143 { 03144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 03145 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03146 } 03147 03148 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03149 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03150 { 03151 /* 03152 * For TLS 1.2, we need to specify signature and hash algorithm 03153 * explicitly through a prefix to the signature. 03154 * 03155 * struct { 03156 * HashAlgorithm hash; 03157 * SignatureAlgorithm signature; 03158 * } SignatureAndHashAlgorithm; 03159 * 03160 * struct { 03161 * SignatureAndHashAlgorithm algorithm; 03162 * opaque signature<0..2^16-1>; 03163 * } DigitallySigned; 03164 * 03165 */ 03166 03167 *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg ); 03168 *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg ); 03169 03170 n += 2; 03171 } 03172 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03173 03174 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen, 03175 p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03176 { 03177 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03178 return( ret ); 03179 } 03180 03181 *(p++) = (unsigned char)( signature_len >> 8 ); 03182 *(p++) = (unsigned char)( signature_len ); 03183 n += 2; 03184 03185 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); 03186 03187 n += signature_len; 03188 } 03189 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03190 03191 /* Done with actual work; add header and send. */ 03192 03193 ssl->out_msglen = 4 + n; 03194 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03195 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 03196 03197 ssl->state++; 03198 03199 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03200 { 03201 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03202 return( ret ); 03203 } 03204 03205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 03206 03207 return( 0 ); 03208 } 03209 03210 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) 03211 { 03212 int ret; 03213 03214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 03215 03216 ssl->out_msglen = 4; 03217 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03218 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 03219 03220 ssl->state++; 03221 03222 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03223 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03224 mbedtls_ssl_send_flight_completed( ssl ); 03225 #endif 03226 03227 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03228 { 03229 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03230 return( ret ); 03231 } 03232 03233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 03234 03235 return( 0 ); 03236 } 03237 03238 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 03239 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03240 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, 03241 const unsigned char *end ) 03242 { 03243 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03244 size_t n; 03245 03246 /* 03247 * Receive G^Y mod P, premaster = (G^Y)^X mod P 03248 */ 03249 if( *p + 2 > end ) 03250 { 03251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03252 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03253 } 03254 03255 n = ( (*p)[0] << 8 ) | (*p)[1]; 03256 *p += 2; 03257 03258 if( *p + n > end ) 03259 { 03260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03261 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03262 } 03263 03264 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 03265 { 03266 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); 03267 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03268 } 03269 03270 *p += n; 03271 03272 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 03273 03274 return( ret ); 03275 } 03276 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 03277 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03278 03279 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 03280 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03281 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, 03282 const unsigned char *p, 03283 const unsigned char *end, 03284 size_t pms_offset ) 03285 { 03286 int ret; 03287 size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) ); 03288 unsigned char *pms = ssl->handshake->premaster + pms_offset; 03289 unsigned char ver[2]; 03290 unsigned char fake_pms[48], peer_pms[48]; 03291 unsigned char mask; 03292 size_t i, peer_pmslen; 03293 unsigned int diff; 03294 03295 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) 03296 { 03297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 03298 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03299 } 03300 03301 /* 03302 * Decrypt the premaster using own private RSA key 03303 */ 03304 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03305 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03306 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 03307 { 03308 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 03309 *p++ != ( ( len ) & 0xFF ) ) 03310 { 03311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03312 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03313 } 03314 } 03315 #endif 03316 03317 if( p + len != end ) 03318 { 03319 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03320 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03321 } 03322 03323 mbedtls_ssl_write_version( ssl->handshake->max_major_ver, 03324 ssl->handshake->max_minor_ver, 03325 ssl->conf->transport, ver ); 03326 03327 /* 03328 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 03329 * must not cause the connection to end immediately; instead, send a 03330 * bad_record_mac later in the handshake. 03331 * Also, avoid data-dependant branches here to protect against 03332 * timing-based variants. 03333 */ 03334 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); 03335 if( ret != 0 ) 03336 return( ret ); 03337 03338 ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len, 03339 peer_pms, &peer_pmslen, 03340 sizeof( peer_pms ), 03341 ssl->conf->f_rng, ssl->conf->p_rng ); 03342 03343 diff = (unsigned int) ret; 03344 diff |= peer_pmslen ^ 48; 03345 diff |= peer_pms[0] ^ ver[0]; 03346 diff |= peer_pms[1] ^ ver[1]; 03347 03348 #if defined(MBEDTLS_SSL_DEBUG_ALL) 03349 if( diff != 0 ) 03350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03351 #endif 03352 03353 if( sizeof( ssl->handshake->premaster ) < pms_offset || 03354 sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) 03355 { 03356 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03357 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03358 } 03359 ssl->handshake->pmslen = 48; 03360 03361 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 03362 /* MSVC has a warning about unary minus on unsigned, but this is 03363 * well-defined and precisely what we want to do here */ 03364 #if defined(_MSC_VER) 03365 #pragma warning( push ) 03366 #pragma warning( disable : 4146 ) 03367 #endif 03368 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); 03369 #if defined(_MSC_VER) 03370 #pragma warning( pop ) 03371 #endif 03372 03373 for( i = 0; i < ssl->handshake->pmslen; i++ ) 03374 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); 03375 03376 return( 0 ); 03377 } 03378 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 03379 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03380 03381 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 03382 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, 03383 const unsigned char *end ) 03384 { 03385 int ret = 0; 03386 size_t n; 03387 03388 if( ssl->conf->f_psk == NULL && 03389 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 03390 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 03391 { 03392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 03393 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03394 } 03395 03396 /* 03397 * Receive client pre-shared key identity name 03398 */ 03399 if( end - *p < 2 ) 03400 { 03401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03402 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03403 } 03404 03405 n = ( (*p)[0] << 8 ) | (*p)[1]; 03406 *p += 2; 03407 03408 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) ) 03409 { 03410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03411 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03412 } 03413 03414 if( ssl->conf->f_psk != NULL ) 03415 { 03416 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) 03417 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03418 } 03419 else 03420 { 03421 /* Identity is not a big secret since clients send it in the clear, 03422 * but treat it carefully anyway, just in case */ 03423 if( n != ssl->conf->psk_identity_len || 03424 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) 03425 { 03426 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03427 } 03428 } 03429 03430 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) 03431 { 03432 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 03433 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03434 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); 03435 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); 03436 } 03437 03438 *p += n; 03439 03440 return( 0 ); 03441 } 03442 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03443 03444 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) 03445 { 03446 int ret; 03447 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 03448 unsigned char *p, *end; 03449 03450 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03451 03452 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 03453 03454 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03455 { 03456 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03457 return( ret ); 03458 } 03459 03460 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03461 end = ssl->in_msg + ssl->in_hslen; 03462 03463 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03464 { 03465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03466 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03467 } 03468 03469 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) 03470 { 03471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03472 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03473 } 03474 03475 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 03476 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 03477 { 03478 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03479 { 03480 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03481 return( ret ); 03482 } 03483 03484 if( p != end ) 03485 { 03486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03487 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03488 } 03489 03490 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 03491 ssl->handshake->premaster, 03492 MBEDTLS_PREMASTER_SIZE, 03493 &ssl->handshake->pmslen, 03494 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03495 { 03496 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 03497 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03498 } 03499 03500 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03501 } 03502 else 03503 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03504 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03505 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03506 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03507 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03508 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03509 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 03510 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 03511 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 03512 { 03513 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03514 p, end - p) ) != 0 ) 03515 { 03516 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03517 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03518 } 03519 03520 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03521 03522 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03523 &ssl->handshake->pmslen, 03524 ssl->handshake->premaster, 03525 MBEDTLS_MPI_MAX_SIZE, 03526 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03527 { 03528 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 03529 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03530 } 03531 03532 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); 03533 } 03534 else 03535 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03536 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03537 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03538 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03539 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03540 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 03541 { 03542 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03543 { 03544 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03545 return( ret ); 03546 } 03547 03548 if( p != end ) 03549 { 03550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03551 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03552 } 03553 03554 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03555 ciphersuite_info->key_exchange ) ) != 0 ) 03556 { 03557 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03558 return( ret ); 03559 } 03560 } 03561 else 03562 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 03563 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03564 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 03565 { 03566 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03567 { 03568 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03569 return( ret ); 03570 } 03571 03572 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 03573 { 03574 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 03575 return( ret ); 03576 } 03577 03578 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03579 ciphersuite_info->key_exchange ) ) != 0 ) 03580 { 03581 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03582 return( ret ); 03583 } 03584 } 03585 else 03586 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03587 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03588 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 03589 { 03590 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03591 { 03592 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03593 return( ret ); 03594 } 03595 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03596 { 03597 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03598 return( ret ); 03599 } 03600 03601 if( p != end ) 03602 { 03603 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03604 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03605 } 03606 03607 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03608 ciphersuite_info->key_exchange ) ) != 0 ) 03609 { 03610 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03611 return( ret ); 03612 } 03613 } 03614 else 03615 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03616 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03617 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03618 { 03619 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03620 { 03621 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03622 return( ret ); 03623 } 03624 03625 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03626 p, end - p ) ) != 0 ) 03627 { 03628 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03629 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03630 } 03631 03632 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03633 03634 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03635 ciphersuite_info->key_exchange ) ) != 0 ) 03636 { 03637 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03638 return( ret ); 03639 } 03640 } 03641 else 03642 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03643 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03644 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03645 { 03646 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) 03647 { 03648 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 03649 return( ret ); 03650 } 03651 } 03652 else 03653 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03654 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03655 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03656 { 03657 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 03658 p, end - p ); 03659 if( ret != 0 ) 03660 { 03661 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 03662 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 03663 } 03664 03665 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03666 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03667 ssl->conf->f_rng, ssl->conf->p_rng ); 03668 if( ret != 0 ) 03669 { 03670 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03671 return( ret ); 03672 } 03673 } 03674 else 03675 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 03676 { 03677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03678 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03679 } 03680 03681 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03682 { 03683 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03684 return( ret ); 03685 } 03686 03687 ssl->state++; 03688 03689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 03690 03691 return( 0 ); 03692 } 03693 03694 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03695 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03696 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03697 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03698 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03699 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03700 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03701 { 03702 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03703 ssl->transform_negotiate->ciphersuite_info; 03704 03705 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03706 03707 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03708 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03709 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03710 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03711 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03712 { 03713 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03714 ssl->state++; 03715 return( 0 ); 03716 } 03717 03718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03720 } 03721 #else 03722 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03723 { 03724 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03725 size_t i, sig_len; 03726 unsigned char hash[48]; 03727 unsigned char *hash_start = hash; 03728 size_t hashlen; 03729 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03730 mbedtls_pk_type_t pk_alg; 03731 #endif 03732 mbedtls_md_type_t md_alg; 03733 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03734 ssl->transform_negotiate->ciphersuite_info; 03735 03736 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03737 03738 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03739 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03740 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03741 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03742 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 03743 ssl->session_negotiate->peer_cert == NULL ) 03744 { 03745 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03746 ssl->state++; 03747 return( 0 ); 03748 } 03749 03750 /* Read the message without adding it to the checksum */ 03751 do { 03752 03753 if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 ) 03754 { 03755 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03756 return( ret ); 03757 } 03758 03759 ret = mbedtls_ssl_handle_message_type( ssl ); 03760 03761 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ); 03762 03763 if( 0 != ret ) 03764 { 03765 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); 03766 return( ret ); 03767 } 03768 03769 ssl->state++; 03770 03771 /* Process the message contents */ 03772 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 03773 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) 03774 { 03775 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03776 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03777 } 03778 03779 i = mbedtls_ssl_hs_hdr_len( ssl ); 03780 03781 /* 03782 * struct { 03783 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 03784 * opaque signature<0..2^16-1>; 03785 * } DigitallySigned; 03786 */ 03787 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03788 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03789 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03790 { 03791 md_alg = MBEDTLS_MD_NONE; 03792 hashlen = 36; 03793 03794 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 03795 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 03796 MBEDTLS_PK_ECDSA ) ) 03797 { 03798 hash_start += 16; 03799 hashlen -= 16; 03800 md_alg = MBEDTLS_MD_SHA1; 03801 } 03802 } 03803 else 03804 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || 03805 MBEDTLS_SSL_PROTO_TLS1_1 */ 03806 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03807 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03808 { 03809 if( i + 2 > ssl->in_hslen ) 03810 { 03811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03812 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03813 } 03814 03815 /* 03816 * Hash 03817 */ 03818 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] ); 03819 03820 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) ) 03821 { 03822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03823 " for verify message" ) ); 03824 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03825 } 03826 03827 #if !defined(MBEDTLS_MD_SHA1) 03828 if( MBEDTLS_MD_SHA1 == md_alg ) 03829 hash_start += 16; 03830 #endif 03831 03832 /* Info from md_alg will be used instead */ 03833 hashlen = 0; 03834 03835 i++; 03836 03837 /* 03838 * Signature 03839 */ 03840 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) 03841 == MBEDTLS_PK_NONE ) 03842 { 03843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03844 " for verify message" ) ); 03845 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03846 } 03847 03848 /* 03849 * Check the certificate's key type matches the signature alg 03850 */ 03851 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 03852 { 03853 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 03854 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03855 } 03856 03857 i++; 03858 } 03859 else 03860 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03861 { 03862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03863 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03864 } 03865 03866 if( i + 2 > ssl->in_hslen ) 03867 { 03868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03869 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03870 } 03871 03872 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; 03873 i += 2; 03874 03875 if( i + sig_len != ssl->in_hslen ) 03876 { 03877 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03878 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03879 } 03880 03881 /* Calculate hash and verify signature */ 03882 ssl->handshake->calc_verify( ssl, hash ); 03883 03884 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 03885 md_alg, hash_start, hashlen, 03886 ssl->in_msg + i, sig_len ) ) != 0 ) 03887 { 03888 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 03889 return( ret ); 03890 } 03891 03892 mbedtls_ssl_update_handshake_status( ssl ); 03893 03894 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 03895 03896 return( ret ); 03897 } 03898 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03899 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03900 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03901 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03902 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03903 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03904 03905 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03906 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) 03907 { 03908 int ret; 03909 size_t tlen; 03910 uint32_t lifetime; 03911 03912 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 03913 03914 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03915 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 03916 03917 /* 03918 * struct { 03919 * uint32 ticket_lifetime_hint; 03920 * opaque ticket<0..2^16-1>; 03921 * } NewSessionTicket; 03922 * 03923 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 03924 * 8 . 9 ticket_len (n) 03925 * 10 . 9+n ticket content 03926 */ 03927 03928 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, 03929 ssl->session_negotiate, 03930 ssl->out_msg + 10, 03931 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, 03932 &tlen, &lifetime ) ) != 0 ) 03933 { 03934 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); 03935 tlen = 0; 03936 } 03937 03938 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 03939 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 03940 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 03941 ssl->out_msg[7] = ( lifetime ) & 0xFF; 03942 03943 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 03944 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 03945 03946 ssl->out_msglen = 10 + tlen; 03947 03948 /* 03949 * Morally equivalent to updating ssl->state, but NewSessionTicket and 03950 * ChangeCipherSpec share the same state. 03951 */ 03952 ssl->handshake->new_session_ticket = 0; 03953 03954 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03955 { 03956 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03957 return( ret ); 03958 } 03959 03960 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 03961 03962 return( 0 ); 03963 } 03964 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03965 03966 /* 03967 * SSL handshake -- server side -- single step 03968 */ 03969 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) 03970 { 03971 int ret = 0; 03972 03973 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03974 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03975 03976 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 03977 03978 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03979 return( ret ); 03980 03981 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03982 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03983 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03984 { 03985 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03986 return( ret ); 03987 } 03988 #endif 03989 03990 switch( ssl->state ) 03991 { 03992 case MBEDTLS_SSL_HELLO_REQUEST: 03993 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03994 break; 03995 03996 /* 03997 * <== ClientHello 03998 */ 03999 case MBEDTLS_SSL_CLIENT_HELLO: 04000 ret = ssl_parse_client_hello( ssl ); 04001 break; 04002 04003 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04004 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 04005 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 04006 #endif 04007 04008 /* 04009 * ==> ServerHello 04010 * Certificate 04011 * ( ServerKeyExchange ) 04012 * ( CertificateRequest ) 04013 * ServerHelloDone 04014 */ 04015 case MBEDTLS_SSL_SERVER_HELLO: 04016 ret = ssl_write_server_hello( ssl ); 04017 break; 04018 04019 case MBEDTLS_SSL_SERVER_CERTIFICATE: 04020 ret = mbedtls_ssl_write_certificate( ssl ); 04021 break; 04022 04023 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 04024 ret = ssl_write_server_key_exchange( ssl ); 04025 break; 04026 04027 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 04028 ret = ssl_write_certificate_request( ssl ); 04029 break; 04030 04031 case MBEDTLS_SSL_SERVER_HELLO_DONE: 04032 ret = ssl_write_server_hello_done( ssl ); 04033 break; 04034 04035 /* 04036 * <== ( Certificate/Alert ) 04037 * ClientKeyExchange 04038 * ( CertificateVerify ) 04039 * ChangeCipherSpec 04040 * Finished 04041 */ 04042 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 04043 ret = mbedtls_ssl_parse_certificate( ssl ); 04044 break; 04045 04046 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 04047 ret = ssl_parse_client_key_exchange( ssl ); 04048 break; 04049 04050 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 04051 ret = ssl_parse_certificate_verify( ssl ); 04052 break; 04053 04054 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 04055 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 04056 break; 04057 04058 case MBEDTLS_SSL_CLIENT_FINISHED: 04059 ret = mbedtls_ssl_parse_finished( ssl ); 04060 break; 04061 04062 /* 04063 * ==> ( NewSessionTicket ) 04064 * ChangeCipherSpec 04065 * Finished 04066 */ 04067 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 04068 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 04069 if( ssl->handshake->new_session_ticket != 0 ) 04070 ret = ssl_write_new_session_ticket( ssl ); 04071 else 04072 #endif 04073 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 04074 break; 04075 04076 case MBEDTLS_SSL_SERVER_FINISHED: 04077 ret = mbedtls_ssl_write_finished( ssl ); 04078 break; 04079 04080 case MBEDTLS_SSL_FLUSH_BUFFERS: 04081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 04082 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 04083 break; 04084 04085 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 04086 mbedtls_ssl_handshake_wrapup( ssl ); 04087 break; 04088 04089 default: 04090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 04091 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04092 } 04093 04094 return( ret ); 04095 } 04096 #endif /* MBEDTLS_SSL_SRV_C */
Generated on Tue Jul 12 2022 12:22:22 by
1.7.2