BA
/
SerialCom
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
OmniWheels
by 
Gustav Atmel
Embed:
(wiki syntax)
Show/hide line numbers
ssl_cli.c
00001 /* 00002 * SSLv3/TLSv1 client-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_CLI_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #include <stdint.h> 00045 00046 #if defined(MBEDTLS_HAVE_TIME) 00047 #include "mbedtls/platform_time.h" 00048 #endif 00049 00050 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 #endif 00056 00057 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00058 static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, 00059 unsigned char *buf, 00060 size_t *olen ) 00061 { 00062 unsigned char *p = buf; 00063 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00064 size_t hostname_len; 00065 00066 *olen = 0; 00067 00068 if( ssl->hostname == NULL ) 00069 return; 00070 00071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", 00072 ssl->hostname ) ); 00073 00074 hostname_len = strlen( ssl->hostname ); 00075 00076 if( end < p || (size_t)( end - p ) < hostname_len + 9 ) 00077 { 00078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00079 return; 00080 } 00081 00082 /* 00083 * Sect. 3, RFC 6066 (TLS Extensions Definitions) 00084 * 00085 * In order to provide any of the server names, clients MAY include an 00086 * extension of type "server_name" in the (extended) client hello. The 00087 * "extension_data" field of this extension SHALL contain 00088 * "ServerNameList" where: 00089 * 00090 * struct { 00091 * NameType name_type; 00092 * select (name_type) { 00093 * case host_name: HostName; 00094 * } name; 00095 * } ServerName; 00096 * 00097 * enum { 00098 * host_name(0), (255) 00099 * } NameType; 00100 * 00101 * opaque HostName<1..2^16-1>; 00102 * 00103 * struct { 00104 * ServerName server_name_list<1..2^16-1> 00105 * } ServerNameList; 00106 * 00107 */ 00108 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); 00109 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); 00110 00111 *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); 00112 *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); 00113 00114 *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); 00115 *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); 00116 00117 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); 00118 *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); 00119 *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); 00120 00121 memcpy( p, ssl->hostname, hostname_len ); 00122 00123 *olen = hostname_len + 9; 00124 } 00125 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00126 00127 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00128 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 00129 unsigned char *buf, 00130 size_t *olen ) 00131 { 00132 unsigned char *p = buf; 00133 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00134 00135 *olen = 0; 00136 00137 /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the 00138 * initial ClientHello, in which case also adding the renegotiation 00139 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */ 00140 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 00141 return; 00142 00143 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) ); 00144 00145 if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len ) 00146 { 00147 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00148 return; 00149 } 00150 00151 /* 00152 * Secure renegotiation 00153 */ 00154 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 00155 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 00156 00157 *p++ = 0x00; 00158 *p++ = ( ssl->verify_data_len + 1 ) & 0xFF; 00159 *p++ = ssl->verify_data_len & 0xFF; 00160 00161 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 00162 00163 *olen = 5 + ssl->verify_data_len; 00164 } 00165 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00166 00167 /* 00168 * Only if we handle at least one key exchange that needs signatures. 00169 */ 00170 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00171 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00172 static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00173 unsigned char *buf, 00174 size_t *olen ) 00175 { 00176 unsigned char *p = buf; 00177 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00178 size_t sig_alg_len = 0; 00179 const int *md; 00180 #if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) 00181 unsigned char *sig_alg_list = buf + 6; 00182 #endif 00183 00184 *olen = 0; 00185 00186 if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 00187 return; 00188 00189 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); 00190 00191 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00192 { 00193 #if defined(MBEDTLS_ECDSA_C) 00194 sig_alg_len += 2; 00195 #endif 00196 #if defined(MBEDTLS_RSA_C) 00197 sig_alg_len += 2; 00198 #endif 00199 } 00200 00201 if( end < p || (size_t)( end - p ) < sig_alg_len + 6 ) 00202 { 00203 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00204 return; 00205 } 00206 00207 /* 00208 * Prepare signature_algorithms extension (TLS 1.2) 00209 */ 00210 sig_alg_len = 0; 00211 00212 for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ ) 00213 { 00214 #if defined(MBEDTLS_ECDSA_C) 00215 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00216 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA; 00217 #endif 00218 #if defined(MBEDTLS_RSA_C) 00219 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md ); 00220 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA; 00221 #endif 00222 } 00223 00224 /* 00225 * enum { 00226 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 00227 * sha512(6), (255) 00228 * } HashAlgorithm; 00229 * 00230 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 00231 * SignatureAlgorithm; 00232 * 00233 * struct { 00234 * HashAlgorithm hash; 00235 * SignatureAlgorithm signature; 00236 * } SignatureAndHashAlgorithm; 00237 * 00238 * SignatureAndHashAlgorithm 00239 * supported_signature_algorithms<2..2^16-2>; 00240 */ 00241 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF ); 00242 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF ); 00243 00244 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF ); 00245 *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF ); 00246 00247 *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF ); 00248 *p++ = (unsigned char)( ( sig_alg_len ) & 0xFF ); 00249 00250 *olen = 6 + sig_alg_len; 00251 } 00252 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00253 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00254 00255 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00256 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00257 static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, 00258 unsigned char *buf, 00259 size_t *olen ) 00260 { 00261 unsigned char *p = buf; 00262 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00263 unsigned char *elliptic_curve_list = p + 6; 00264 size_t elliptic_curve_len = 0; 00265 const mbedtls_ecp_curve_info *info; 00266 #if defined(MBEDTLS_ECP_C) 00267 const mbedtls_ecp_group_id *grp_id; 00268 #else 00269 ((void) ssl); 00270 #endif 00271 00272 *olen = 0; 00273 00274 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); 00275 00276 #if defined(MBEDTLS_ECP_C) 00277 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00278 #else 00279 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00280 #endif 00281 { 00282 #if defined(MBEDTLS_ECP_C) 00283 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00284 #endif 00285 if( info == NULL ) 00286 { 00287 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); 00288 return; 00289 } 00290 00291 elliptic_curve_len += 2; 00292 } 00293 00294 if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) 00295 { 00296 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00297 return; 00298 } 00299 00300 elliptic_curve_len = 0; 00301 00302 #if defined(MBEDTLS_ECP_C) 00303 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) 00304 #else 00305 for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ ) 00306 #endif 00307 { 00308 #if defined(MBEDTLS_ECP_C) 00309 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); 00310 #endif 00311 elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; 00312 elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; 00313 } 00314 00315 if( elliptic_curve_len == 0 ) 00316 return; 00317 00318 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); 00319 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); 00320 00321 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF ); 00322 *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF ); 00323 00324 *p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF ); 00325 *p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF ); 00326 00327 *olen = 6 + elliptic_curve_len; 00328 } 00329 00330 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 00331 unsigned char *buf, 00332 size_t *olen ) 00333 { 00334 unsigned char *p = buf; 00335 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00336 00337 *olen = 0; 00338 00339 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) ); 00340 00341 if( end < p || (size_t)( end - p ) < 6 ) 00342 { 00343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00344 return; 00345 } 00346 00347 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 00348 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 00349 00350 *p++ = 0x00; 00351 *p++ = 2; 00352 00353 *p++ = 1; 00354 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 00355 00356 *olen = 6; 00357 } 00358 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00359 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00360 00361 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00362 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 00363 unsigned char *buf, 00364 size_t *olen ) 00365 { 00366 int ret; 00367 unsigned char *p = buf; 00368 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00369 size_t kkpp_len; 00370 00371 *olen = 0; 00372 00373 /* Skip costly extension if we can't use EC J-PAKE anyway */ 00374 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00375 return; 00376 00377 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); 00378 00379 if( end - p < 4 ) 00380 { 00381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00382 return; 00383 } 00384 00385 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 00386 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 00387 00388 /* 00389 * We may need to send ClientHello multiple times for Hello verification. 00390 * We don't want to compute fresh values every time (both for performance 00391 * and consistency reasons), so cache the extension content. 00392 */ 00393 if( ssl->handshake->ecjpake_cache == NULL || 00394 ssl->handshake->ecjpake_cache_len == 0 ) 00395 { 00396 MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); 00397 00398 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 00399 p + 2, end - p - 2, &kkpp_len, 00400 ssl->conf->f_rng, ssl->conf->p_rng ); 00401 if( ret != 0 ) 00402 { 00403 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 00404 return; 00405 } 00406 00407 ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); 00408 if( ssl->handshake->ecjpake_cache == NULL ) 00409 { 00410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) ); 00411 return; 00412 } 00413 00414 memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len ); 00415 ssl->handshake->ecjpake_cache_len = kkpp_len; 00416 } 00417 else 00418 { 00419 MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) ); 00420 00421 kkpp_len = ssl->handshake->ecjpake_cache_len; 00422 00423 if( (size_t)( end - p - 2 ) < kkpp_len ) 00424 { 00425 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00426 return; 00427 } 00428 00429 memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len ); 00430 } 00431 00432 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 00433 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 00434 00435 *olen = kkpp_len + 4; 00436 } 00437 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00438 00439 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00440 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00441 unsigned char *buf, 00442 size_t *olen ) 00443 { 00444 unsigned char *p = buf; 00445 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00446 00447 *olen = 0; 00448 00449 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { 00450 return; 00451 } 00452 00453 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) ); 00454 00455 if( end < p || (size_t)( end - p ) < 5 ) 00456 { 00457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00458 return; 00459 } 00460 00461 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 00462 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 00463 00464 *p++ = 0x00; 00465 *p++ = 1; 00466 00467 *p++ = ssl->conf->mfl_code; 00468 00469 *olen = 5; 00470 } 00471 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00472 00473 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00474 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00475 unsigned char *buf, size_t *olen ) 00476 { 00477 unsigned char *p = buf; 00478 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00479 00480 *olen = 0; 00481 00482 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 00483 { 00484 return; 00485 } 00486 00487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) ); 00488 00489 if( end < p || (size_t)( end - p ) < 4 ) 00490 { 00491 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00492 return; 00493 } 00494 00495 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 00496 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 00497 00498 *p++ = 0x00; 00499 *p++ = 0x00; 00500 00501 *olen = 4; 00502 } 00503 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00504 00505 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00506 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00507 unsigned char *buf, size_t *olen ) 00508 { 00509 unsigned char *p = buf; 00510 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00511 00512 *olen = 0; 00513 00514 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 00515 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00516 { 00517 return; 00518 } 00519 00520 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac " 00521 "extension" ) ); 00522 00523 if( end < p || (size_t)( end - p ) < 4 ) 00524 { 00525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00526 return; 00527 } 00528 00529 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 00530 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 00531 00532 *p++ = 0x00; 00533 *p++ = 0x00; 00534 00535 *olen = 4; 00536 } 00537 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00538 00539 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00540 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 00541 unsigned char *buf, size_t *olen ) 00542 { 00543 unsigned char *p = buf; 00544 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00545 00546 *olen = 0; 00547 00548 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 00549 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00550 { 00551 return; 00552 } 00553 00554 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret " 00555 "extension" ) ); 00556 00557 if( end < p || (size_t)( end - p ) < 4 ) 00558 { 00559 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00560 return; 00561 } 00562 00563 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 00564 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 00565 00566 *p++ = 0x00; 00567 *p++ = 0x00; 00568 00569 *olen = 4; 00570 } 00571 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00572 00573 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00574 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 00575 unsigned char *buf, size_t *olen ) 00576 { 00577 unsigned char *p = buf; 00578 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00579 size_t tlen = ssl->session_negotiate->ticket_len; 00580 00581 *olen = 0; 00582 00583 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) 00584 { 00585 return; 00586 } 00587 00588 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) ); 00589 00590 if( end < p || (size_t)( end - p ) < 4 + tlen ) 00591 { 00592 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00593 return; 00594 } 00595 00596 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 00597 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 00598 00599 *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 00600 *p++ = (unsigned char)( ( tlen ) & 0xFF ); 00601 00602 *olen = 4; 00603 00604 if( ssl->session_negotiate->ticket == NULL || tlen == 0 ) 00605 { 00606 return; 00607 } 00608 00609 MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) ); 00610 00611 memcpy( p, ssl->session_negotiate->ticket, tlen ); 00612 00613 *olen += tlen; 00614 } 00615 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00616 00617 #if defined(MBEDTLS_SSL_ALPN) 00618 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 00619 unsigned char *buf, size_t *olen ) 00620 { 00621 unsigned char *p = buf; 00622 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 00623 size_t alpnlen = 0; 00624 const char **cur; 00625 00626 *olen = 0; 00627 00628 if( ssl->conf->alpn_list == NULL ) 00629 { 00630 return; 00631 } 00632 00633 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); 00634 00635 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00636 alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; 00637 00638 if( end < p || (size_t)( end - p ) < 6 + alpnlen ) 00639 { 00640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 00641 return; 00642 } 00643 00644 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 00645 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 00646 00647 /* 00648 * opaque ProtocolName<1..2^8-1>; 00649 * 00650 * struct { 00651 * ProtocolName protocol_name_list<2..2^16-1> 00652 * } ProtocolNameList; 00653 */ 00654 00655 /* Skip writing extension and list length for now */ 00656 p += 4; 00657 00658 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) 00659 { 00660 *p = (unsigned char)( strlen( *cur ) & 0xFF ); 00661 memcpy( p + 1, *cur, *p ); 00662 p += 1 + *p; 00663 } 00664 00665 *olen = p - buf; 00666 00667 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */ 00668 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 00669 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 00670 00671 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */ 00672 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 00673 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 00674 } 00675 #endif /* MBEDTLS_SSL_ALPN */ 00676 00677 /* 00678 * Generate random bytes for ClientHello 00679 */ 00680 static int ssl_generate_random( mbedtls_ssl_context *ssl ) 00681 { 00682 int ret; 00683 unsigned char *p = ssl->handshake->randbytes; 00684 #if defined(MBEDTLS_HAVE_TIME) 00685 mbedtls_time_t t; 00686 #endif 00687 00688 /* 00689 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) 00690 */ 00691 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00692 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00693 ssl->handshake->verify_cookie != NULL ) 00694 { 00695 return( 0 ); 00696 } 00697 #endif 00698 00699 #if defined(MBEDTLS_HAVE_TIME) 00700 t = mbedtls_time( NULL ); 00701 *p++ = (unsigned char)( t >> 24 ); 00702 *p++ = (unsigned char)( t >> 16 ); 00703 *p++ = (unsigned char)( t >> 8 ); 00704 *p++ = (unsigned char)( t ); 00705 00706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); 00707 #else 00708 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 00709 return( ret ); 00710 00711 p += 4; 00712 #endif /* MBEDTLS_HAVE_TIME */ 00713 00714 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 00715 return( ret ); 00716 00717 return( 0 ); 00718 } 00719 00720 static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) 00721 { 00722 int ret; 00723 size_t i, n, olen, ext_len = 0; 00724 unsigned char *buf; 00725 unsigned char *p, *q; 00726 unsigned char offer_compress; 00727 const int *ciphersuites; 00728 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00729 00730 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); 00731 00732 if( ssl->conf->f_rng == NULL ) 00733 { 00734 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 00735 return( MBEDTLS_ERR_SSL_NO_RNG ); 00736 } 00737 00738 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00739 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00740 #endif 00741 { 00742 ssl->major_ver = ssl->conf->min_major_ver; 00743 ssl->minor_ver = ssl->conf->min_minor_ver; 00744 } 00745 00746 if( ssl->conf->max_major_ver == 0 ) 00747 { 00748 MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " 00749 "consider using mbedtls_ssl_config_defaults()" ) ); 00750 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00751 } 00752 00753 /* 00754 * 0 . 0 handshake type 00755 * 1 . 3 handshake length 00756 * 4 . 5 highest version supported 00757 * 6 . 9 current UNIX time 00758 * 10 . 37 random bytes 00759 */ 00760 buf = ssl->out_msg; 00761 p = buf + 4; 00762 00763 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 00764 ssl->conf->transport, p ); 00765 p += 2; 00766 00767 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", 00768 buf[4], buf[5] ) ); 00769 00770 if( ( ret = ssl_generate_random( ssl ) ) != 0 ) 00771 { 00772 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret ); 00773 return( ret ); 00774 } 00775 00776 memcpy( p, ssl->handshake->randbytes, 32 ); 00777 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 ); 00778 p += 32; 00779 00780 /* 00781 * 38 . 38 session id length 00782 * 39 . 39+n session id 00783 * 39+n . 39+n DTLS only: cookie length (1 byte) 00784 * 40+n . .. DTSL only: cookie 00785 * .. . .. ciphersuitelist length (2 bytes) 00786 * .. . .. ciphersuitelist 00787 * .. . .. compression methods length (1 byte) 00788 * .. . .. compression methods 00789 * .. . .. extensions length (2 bytes) 00790 * .. . .. extensions 00791 */ 00792 n = ssl->session_negotiate->id_len; 00793 00794 if( n < 16 || n > 32 || 00795 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00796 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 00797 #endif 00798 ssl->handshake->resume == 0 ) 00799 { 00800 n = 0; 00801 } 00802 00803 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00804 /* 00805 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY 00806 * generate and include a Session ID in the TLS ClientHello." 00807 */ 00808 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00809 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00810 #endif 00811 { 00812 if( ssl->session_negotiate->ticket != NULL && 00813 ssl->session_negotiate->ticket_len != 0 ) 00814 { 00815 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); 00816 00817 if( ret != 0 ) 00818 return( ret ); 00819 00820 ssl->session_negotiate->id_len = n = 32; 00821 } 00822 } 00823 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00824 00825 *p++ = (unsigned char) n; 00826 00827 for( i = 0; i < n; i++ ) 00828 *p++ = ssl->session_negotiate->id[i]; 00829 00830 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); 00831 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); 00832 00833 /* 00834 * DTLS cookie 00835 */ 00836 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00837 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00838 { 00839 if( ssl->handshake->verify_cookie == NULL ) 00840 { 00841 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) ); 00842 *p++ = 0; 00843 } 00844 else 00845 { 00846 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 00847 ssl->handshake->verify_cookie, 00848 ssl->handshake->verify_cookie_len ); 00849 00850 *p++ = ssl->handshake->verify_cookie_len; 00851 memcpy( p, ssl->handshake->verify_cookie, 00852 ssl->handshake->verify_cookie_len ); 00853 p += ssl->handshake->verify_cookie_len; 00854 } 00855 } 00856 #endif 00857 00858 /* 00859 * Ciphersuite list 00860 */ 00861 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 00862 00863 /* Skip writing ciphersuite length for now */ 00864 n = 0; 00865 q = p; 00866 p += 2; 00867 00868 for( i = 0; ciphersuites[i] != 0; i++ ) 00869 { 00870 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); 00871 00872 if( ciphersuite_info == NULL ) 00873 continue; 00874 00875 if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || 00876 ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) 00877 continue; 00878 00879 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00880 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00881 ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00882 continue; 00883 #endif 00884 00885 #if defined(MBEDTLS_ARC4_C) 00886 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00887 ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00888 continue; 00889 #endif 00890 00891 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00892 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00893 mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00894 continue; 00895 #endif 00896 00897 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", 00898 ciphersuites[i] ) ); 00899 00900 n++; 00901 *p++ = (unsigned char)( ciphersuites[i] >> 8 ); 00902 *p++ = (unsigned char)( ciphersuites[i] ); 00903 } 00904 00905 /* 00906 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV 00907 */ 00908 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00909 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00910 #endif 00911 { 00912 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); 00913 *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ); 00914 n++; 00915 } 00916 00917 /* Some versions of OpenSSL don't handle it correctly if not at end */ 00918 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 00919 if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) 00920 { 00921 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); 00922 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); 00923 *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); 00924 n++; 00925 } 00926 #endif 00927 00928 *q++ = (unsigned char)( n >> 7 ); 00929 *q++ = (unsigned char)( n << 1 ); 00930 00931 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); 00932 00933 #if defined(MBEDTLS_ZLIB_SUPPORT) 00934 offer_compress = 1; 00935 #else 00936 offer_compress = 0; 00937 #endif 00938 00939 /* 00940 * We don't support compression with DTLS right now: is many records come 00941 * in the same datagram, uncompressing one could overwrite the next one. 00942 * We don't want to add complexity for handling that case unless there is 00943 * an actual need for it. 00944 */ 00945 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00946 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00947 offer_compress = 0; 00948 #endif 00949 00950 if( offer_compress ) 00951 { 00952 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); 00953 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", 00954 MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) ); 00955 00956 *p++ = 2; 00957 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE; 00958 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00959 } 00960 else 00961 { 00962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) ); 00963 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", 00964 MBEDTLS_SSL_COMPRESS_NULL ) ); 00965 00966 *p++ = 1; 00967 *p++ = MBEDTLS_SSL_COMPRESS_NULL; 00968 } 00969 00970 // First write extensions, then the total length 00971 // 00972 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00973 ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); 00974 ext_len += olen; 00975 #endif 00976 00977 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added 00978 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */ 00979 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00980 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 00981 ext_len += olen; 00982 #endif 00983 00984 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00985 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00986 ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 00987 ext_len += olen; 00988 #endif 00989 00990 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00991 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00992 ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); 00993 ext_len += olen; 00994 00995 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 00996 ext_len += olen; 00997 #endif 00998 00999 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01000 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 01001 ext_len += olen; 01002 #endif 01003 01004 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01005 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 01006 ext_len += olen; 01007 #endif 01008 01009 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01010 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 01011 ext_len += olen; 01012 #endif 01013 01014 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01015 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 01016 ext_len += olen; 01017 #endif 01018 01019 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01020 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 01021 ext_len += olen; 01022 #endif 01023 01024 #if defined(MBEDTLS_SSL_ALPN) 01025 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 01026 ext_len += olen; 01027 #endif 01028 01029 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01030 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 01031 ext_len += olen; 01032 #endif 01033 01034 /* olen unused if all extensions are disabled */ 01035 ((void) olen); 01036 01037 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d", 01038 ext_len ) ); 01039 01040 if( ext_len > 0 ) 01041 { 01042 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 01043 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 01044 p += ext_len; 01045 } 01046 01047 ssl->out_msglen = p - buf; 01048 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 01049 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO; 01050 01051 ssl->state++; 01052 01053 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01054 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01055 mbedtls_ssl_send_flight_completed( ssl ); 01056 #endif 01057 01058 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 01059 { 01060 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 01061 return( ret ); 01062 } 01063 01064 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) ); 01065 01066 return( 0 ); 01067 } 01068 01069 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 01070 const unsigned char *buf, 01071 size_t len ) 01072 { 01073 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01074 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01075 { 01076 /* Check verify-data in constant-time. The length OTOH is no secret */ 01077 if( len != 1 + ssl->verify_data_len * 2 || 01078 buf[0] != ssl->verify_data_len * 2 || 01079 mbedtls_ssl_safer_memcmp( buf + 1, 01080 ssl->own_verify_data, ssl->verify_data_len ) != 0 || 01081 mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len, 01082 ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) 01083 { 01084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 01085 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01086 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01087 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01088 } 01089 } 01090 else 01091 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01092 { 01093 if( len != 1 || buf[0] != 0x00 ) 01094 { 01095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 01096 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01097 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01098 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01099 } 01100 01101 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01102 } 01103 01104 return( 0 ); 01105 } 01106 01107 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01108 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 01109 const unsigned char *buf, 01110 size_t len ) 01111 { 01112 /* 01113 * server should use the extension only if we did, 01114 * and if so the server's value should match ours (and len is always 1) 01115 */ 01116 if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || 01117 len != 1 || 01118 buf[0] != ssl->conf->mfl_code ) 01119 { 01120 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) ); 01121 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01122 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01123 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01124 } 01125 01126 return( 0 ); 01127 } 01128 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01129 01130 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01131 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 01132 const unsigned char *buf, 01133 size_t len ) 01134 { 01135 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || 01136 len != 0 ) 01137 { 01138 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) ); 01139 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01140 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01141 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01142 } 01143 01144 ((void) buf); 01145 01146 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 01147 01148 return( 0 ); 01149 } 01150 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01151 01152 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01153 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 01154 const unsigned char *buf, 01155 size_t len ) 01156 { 01157 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 01158 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01159 len != 0 ) 01160 { 01161 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) ); 01162 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01163 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01164 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01165 } 01166 01167 ((void) buf); 01168 01169 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 01170 01171 return( 0 ); 01172 } 01173 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01174 01175 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01176 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 01177 const unsigned char *buf, 01178 size_t len ) 01179 { 01180 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 01181 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 01182 len != 0 ) 01183 { 01184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) ); 01185 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01186 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01187 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01188 } 01189 01190 ((void) buf); 01191 01192 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 01193 01194 return( 0 ); 01195 } 01196 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01197 01198 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01199 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 01200 const unsigned char *buf, 01201 size_t len ) 01202 { 01203 if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || 01204 len != 0 ) 01205 { 01206 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) ); 01207 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01208 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01209 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01210 } 01211 01212 ((void) buf); 01213 01214 ssl->handshake->new_session_ticket = 1; 01215 01216 return( 0 ); 01217 } 01218 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01219 01220 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01221 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01222 static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, 01223 const unsigned char *buf, 01224 size_t len ) 01225 { 01226 size_t list_size; 01227 const unsigned char *p; 01228 01229 list_size = buf[0]; 01230 if( list_size + 1 != len ) 01231 { 01232 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01233 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01234 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01235 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01236 } 01237 01238 p = buf + 1; 01239 while( list_size > 0 ) 01240 { 01241 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 01242 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 01243 { 01244 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 01245 ssl->handshake->ecdh_ctx.point_format = p[0]; 01246 #endif 01247 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01248 ssl->handshake->ecjpake_ctx.point_format = p[0]; 01249 #endif 01250 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 01251 return( 0 ); 01252 } 01253 01254 list_size--; 01255 p++; 01256 } 01257 01258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) ); 01259 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01260 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01261 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01262 } 01263 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01264 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01265 01266 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01267 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 01268 const unsigned char *buf, 01269 size_t len ) 01270 { 01271 int ret; 01272 01273 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 01274 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 01275 { 01276 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 01277 return( 0 ); 01278 } 01279 01280 /* If we got here, we no longer need our cached extension */ 01281 mbedtls_free( ssl->handshake->ecjpake_cache ); 01282 ssl->handshake->ecjpake_cache = NULL; 01283 ssl->handshake->ecjpake_cache_len = 0; 01284 01285 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 01286 buf, len ) ) != 0 ) 01287 { 01288 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 01289 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01290 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01291 return( ret ); 01292 } 01293 01294 return( 0 ); 01295 } 01296 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01297 01298 #if defined(MBEDTLS_SSL_ALPN) 01299 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 01300 const unsigned char *buf, size_t len ) 01301 { 01302 size_t list_len, name_len; 01303 const char **p; 01304 01305 /* If we didn't send it, the server shouldn't send it */ 01306 if( ssl->conf->alpn_list == NULL ) 01307 { 01308 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) ); 01309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01310 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01311 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01312 } 01313 01314 /* 01315 * opaque ProtocolName<1..2^8-1>; 01316 * 01317 * struct { 01318 * ProtocolName protocol_name_list<2..2^16-1> 01319 * } ProtocolNameList; 01320 * 01321 * the "ProtocolNameList" MUST contain exactly one "ProtocolName" 01322 */ 01323 01324 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 01325 if( len < 4 ) 01326 { 01327 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01328 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01329 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01330 } 01331 01332 list_len = ( buf[0] << 8 ) | buf[1]; 01333 if( list_len != len - 2 ) 01334 { 01335 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01336 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01337 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01338 } 01339 01340 name_len = buf[2]; 01341 if( name_len != list_len - 1 ) 01342 { 01343 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01344 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01345 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01346 } 01347 01348 /* Check that the server chosen protocol was in our list and save it */ 01349 for( p = ssl->conf->alpn_list; *p != NULL; p++ ) 01350 { 01351 if( name_len == strlen( *p ) && 01352 memcmp( buf + 3, *p, name_len ) == 0 ) 01353 { 01354 ssl->alpn_chosen = *p; 01355 return( 0 ); 01356 } 01357 } 01358 01359 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) ); 01360 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01361 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01362 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01363 } 01364 #endif /* MBEDTLS_SSL_ALPN */ 01365 01366 /* 01367 * Parse HelloVerifyRequest. Only called after verifying the HS type. 01368 */ 01369 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01370 static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) 01371 { 01372 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 01373 int major_ver, minor_ver; 01374 unsigned char cookie_len; 01375 01376 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) ); 01377 01378 /* 01379 * struct { 01380 * ProtocolVersion server_version; 01381 * opaque cookie<0..2^8-1>; 01382 * } HelloVerifyRequest; 01383 */ 01384 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 01385 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); 01386 p += 2; 01387 01388 /* 01389 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) 01390 * even is lower than our min version. 01391 */ 01392 if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || 01393 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || 01394 major_ver > ssl->conf->max_major_ver || 01395 minor_ver > ssl->conf->max_minor_ver ) 01396 { 01397 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); 01398 01399 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01400 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01401 01402 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01403 } 01404 01405 cookie_len = *p++; 01406 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len ); 01407 01408 if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len ) 01409 { 01410 MBEDTLS_SSL_DEBUG_MSG( 1, 01411 ( "cookie length does not match incoming message size" ) ); 01412 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01413 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01414 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01415 } 01416 01417 mbedtls_free( ssl->handshake->verify_cookie ); 01418 01419 ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len ); 01420 if( ssl->handshake->verify_cookie == NULL ) 01421 { 01422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) ); 01423 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 01424 } 01425 01426 memcpy( ssl->handshake->verify_cookie, p, cookie_len ); 01427 ssl->handshake->verify_cookie_len = cookie_len; 01428 01429 /* Start over at ClientHello */ 01430 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 01431 mbedtls_ssl_reset_checksum( ssl ); 01432 01433 mbedtls_ssl_recv_flight_completed( ssl ); 01434 01435 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) ); 01436 01437 return( 0 ); 01438 } 01439 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01440 01441 static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) 01442 { 01443 int ret, i; 01444 size_t n; 01445 size_t ext_len; 01446 unsigned char *buf, *ext; 01447 unsigned char comp; 01448 #if defined(MBEDTLS_ZLIB_SUPPORT) 01449 int accept_comp; 01450 #endif 01451 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01452 int renegotiation_info_seen = 0; 01453 #endif 01454 int handshake_failure = 0; 01455 const mbedtls_ssl_ciphersuite_t *suite_info; 01456 01457 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); 01458 01459 buf = ssl->in_msg; 01460 01461 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 01462 { 01463 /* No alert on a read error. */ 01464 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 01465 return( ret ); 01466 } 01467 01468 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 01469 { 01470 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01471 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01472 { 01473 ssl->renego_records_seen++; 01474 01475 if( ssl->conf->renego_max_records >= 0 && 01476 ssl->renego_records_seen > ssl->conf->renego_max_records ) 01477 { 01478 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 01479 "but not honored by server" ) ); 01480 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01481 } 01482 01483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); 01484 01485 ssl->keep_current_message = 1; 01486 return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); 01487 } 01488 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01489 01490 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01491 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01492 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 01493 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 01494 } 01495 01496 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01497 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01498 { 01499 if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 01500 { 01501 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) ); 01502 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01503 return( ssl_parse_hello_verify_request( ssl ) ); 01504 } 01505 else 01506 { 01507 /* We made it through the verification process */ 01508 mbedtls_free( ssl->handshake->verify_cookie ); 01509 ssl->handshake->verify_cookie = NULL; 01510 ssl->handshake->verify_cookie_len = 0; 01511 } 01512 } 01513 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01514 01515 if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) || 01516 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) 01517 { 01518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01519 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01520 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01521 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01522 } 01523 01524 /* 01525 * 0 . 1 server_version 01526 * 2 . 33 random (maybe including 4 bytes of Unix time) 01527 * 34 . 34 session_id length = n 01528 * 35 . 34+n session_id 01529 * 35+n . 36+n cipher_suite 01530 * 37+n . 37+n compression_method 01531 * 01532 * 38+n . 39+n extensions length (optional) 01533 * 40+n . .. extensions 01534 */ 01535 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01536 01537 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); 01538 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01539 ssl->conf->transport, buf + 0 ); 01540 01541 if( ssl->major_ver < ssl->conf->min_major_ver || 01542 ssl->minor_ver < ssl->conf->min_minor_ver || 01543 ssl->major_ver > ssl->conf->max_major_ver || 01544 ssl->minor_ver > ssl->conf->max_minor_ver ) 01545 { 01546 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " 01547 " min: [%d:%d], server: [%d:%d], max: [%d:%d]", 01548 ssl->conf->min_major_ver, ssl->conf->min_minor_ver, 01549 ssl->major_ver, ssl->minor_ver, 01550 ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); 01551 01552 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01553 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01554 01555 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01556 } 01557 01558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", 01559 ( (uint32_t) buf[2] << 24 ) | 01560 ( (uint32_t) buf[3] << 16 ) | 01561 ( (uint32_t) buf[4] << 8 ) | 01562 ( (uint32_t) buf[5] ) ) ); 01563 01564 memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 ); 01565 01566 n = buf[34]; 01567 01568 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 2, 32 ); 01569 01570 if( n > 32 ) 01571 { 01572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01573 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01574 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01575 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01576 } 01577 01578 if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n ) 01579 { 01580 ext_len = ( ( buf[38 + n] << 8 ) 01581 | ( buf[39 + n] ) ); 01582 01583 if( ( ext_len > 0 && ext_len < 4 ) || 01584 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len ) 01585 { 01586 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01587 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01588 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01589 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01590 } 01591 } 01592 else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n ) 01593 { 01594 ext_len = 0; 01595 } 01596 else 01597 { 01598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01599 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01600 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01601 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01602 } 01603 01604 /* ciphersuite (used later) */ 01605 i = ( buf[35 + n] << 8 ) | buf[36 + n]; 01606 01607 /* 01608 * Read and check compression 01609 */ 01610 comp = buf[37 + n]; 01611 01612 #if defined(MBEDTLS_ZLIB_SUPPORT) 01613 /* See comments in ssl_write_client_hello() */ 01614 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01615 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01616 accept_comp = 0; 01617 else 01618 #endif 01619 accept_comp = 1; 01620 01621 if( comp != MBEDTLS_SSL_COMPRESS_NULL && 01622 ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) 01623 #else /* MBEDTLS_ZLIB_SUPPORT */ 01624 if( comp != MBEDTLS_SSL_COMPRESS_NULL ) 01625 #endif/* MBEDTLS_ZLIB_SUPPORT */ 01626 { 01627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) ); 01628 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01629 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01630 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01631 } 01632 01633 /* 01634 * Initialize update checksum functions 01635 */ 01636 ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); 01637 01638 if( ssl->transform_negotiate->ciphersuite_info == NULL ) 01639 { 01640 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); 01641 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01642 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01643 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01644 } 01645 01646 mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); 01647 01648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 01649 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); 01650 01651 /* 01652 * Check if the session can be resumed 01653 */ 01654 if( ssl->handshake->resume == 0 || n == 0 || 01655 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01656 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || 01657 #endif 01658 ssl->session_negotiate->ciphersuite != i || 01659 ssl->session_negotiate->compression != comp || 01660 ssl->session_negotiate->id_len != n || 01661 memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) 01662 { 01663 ssl->state++; 01664 ssl->handshake->resume = 0; 01665 #if defined(MBEDTLS_HAVE_TIME) 01666 ssl->session_negotiate->start = mbedtls_time( NULL ); 01667 #endif 01668 ssl->session_negotiate->ciphersuite = i; 01669 ssl->session_negotiate->compression = comp; 01670 ssl->session_negotiate->id_len = n; 01671 memcpy( ssl->session_negotiate->id, buf + 35, n ); 01672 } 01673 else 01674 { 01675 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 01676 01677 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 01678 { 01679 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 01680 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01681 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 01682 return( ret ); 01683 } 01684 } 01685 01686 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 01687 ssl->handshake->resume ? "a" : "no" ) ); 01688 01689 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); 01690 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); 01691 01692 suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); 01693 if( suite_info == NULL 01694 #if defined(MBEDTLS_ARC4_C) 01695 || ( ssl->conf->arc4_disabled && 01696 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 01697 #endif 01698 ) 01699 { 01700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01701 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01702 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01703 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01704 } 01705 01706 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); 01707 01708 i = 0; 01709 while( 1 ) 01710 { 01711 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) 01712 { 01713 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01714 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01715 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01716 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01717 } 01718 01719 if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == 01720 ssl->session_negotiate->ciphersuite ) 01721 { 01722 break; 01723 } 01724 } 01725 01726 if( comp != MBEDTLS_SSL_COMPRESS_NULL 01727 #if defined(MBEDTLS_ZLIB_SUPPORT) 01728 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE 01729 #endif 01730 ) 01731 { 01732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01733 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01734 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 01735 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01736 } 01737 ssl->session_negotiate->compression = comp; 01738 01739 ext = buf + 40 + n; 01740 01741 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) ); 01742 01743 while( ext_len ) 01744 { 01745 unsigned int ext_id = ( ( ext[0] << 8 ) 01746 | ( ext[1] ) ); 01747 unsigned int ext_size = ( ( ext[2] << 8 ) 01748 | ( ext[3] ) ); 01749 01750 if( ext_size + 4 > ext_len ) 01751 { 01752 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01753 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01754 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01755 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01756 } 01757 01758 switch( ext_id ) 01759 { 01760 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01761 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01762 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01763 renegotiation_info_seen = 1; 01764 #endif 01765 01766 if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, 01767 ext_size ) ) != 0 ) 01768 return( ret ); 01769 01770 break; 01771 01772 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01773 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01774 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) ); 01775 01776 if( ( ret = ssl_parse_max_fragment_length_ext( ssl, 01777 ext + 4, ext_size ) ) != 0 ) 01778 { 01779 return( ret ); 01780 } 01781 01782 break; 01783 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01784 01785 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01786 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01787 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) ); 01788 01789 if( ( ret = ssl_parse_truncated_hmac_ext( ssl, 01790 ext + 4, ext_size ) ) != 0 ) 01791 { 01792 return( ret ); 01793 } 01794 01795 break; 01796 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01797 01798 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01799 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01800 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) ); 01801 01802 if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl, 01803 ext + 4, ext_size ) ) != 0 ) 01804 { 01805 return( ret ); 01806 } 01807 01808 break; 01809 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01810 01811 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01812 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01813 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) ); 01814 01815 if( ( ret = ssl_parse_extended_ms_ext( ssl, 01816 ext + 4, ext_size ) ) != 0 ) 01817 { 01818 return( ret ); 01819 } 01820 01821 break; 01822 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01823 01824 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01825 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01826 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) ); 01827 01828 if( ( ret = ssl_parse_session_ticket_ext( ssl, 01829 ext + 4, ext_size ) ) != 0 ) 01830 { 01831 return( ret ); 01832 } 01833 01834 break; 01835 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01836 01837 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01838 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01839 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01840 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) ); 01841 01842 if( ( ret = ssl_parse_supported_point_formats_ext( ssl, 01843 ext + 4, ext_size ) ) != 0 ) 01844 { 01845 return( ret ); 01846 } 01847 01848 break; 01849 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01850 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01851 01852 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01853 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01854 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) ); 01855 01856 if( ( ret = ssl_parse_ecjpake_kkpp( ssl, 01857 ext + 4, ext_size ) ) != 0 ) 01858 { 01859 return( ret ); 01860 } 01861 01862 break; 01863 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01864 01865 #if defined(MBEDTLS_SSL_ALPN) 01866 case MBEDTLS_TLS_EXT_ALPN: 01867 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01868 01869 if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 ) 01870 return( ret ); 01871 01872 break; 01873 #endif /* MBEDTLS_SSL_ALPN */ 01874 01875 default: 01876 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01877 ext_id ) ); 01878 } 01879 01880 ext_len -= 4 + ext_size; 01881 ext += 4 + ext_size; 01882 01883 if( ext_len > 0 && ext_len < 4 ) 01884 { 01885 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); 01886 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01887 } 01888 } 01889 01890 /* 01891 * Renegotiation security checks 01892 */ 01893 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01894 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01895 { 01896 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01897 handshake_failure = 1; 01898 } 01899 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01900 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01901 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01902 renegotiation_info_seen == 0 ) 01903 { 01904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01905 handshake_failure = 1; 01906 } 01907 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01908 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01909 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01910 { 01911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01912 handshake_failure = 1; 01913 } 01914 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01915 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01916 renegotiation_info_seen == 1 ) 01917 { 01918 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01919 handshake_failure = 1; 01920 } 01921 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01922 01923 if( handshake_failure == 1 ) 01924 { 01925 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01926 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01927 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); 01928 } 01929 01930 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) ); 01931 01932 return( 0 ); 01933 } 01934 01935 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 01936 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01937 static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p, 01938 unsigned char *end ) 01939 { 01940 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 01941 01942 /* 01943 * Ephemeral DH parameters: 01944 * 01945 * struct { 01946 * opaque dh_p<1..2^16-1>; 01947 * opaque dh_g<1..2^16-1>; 01948 * opaque dh_Ys<1..2^16-1>; 01949 * } ServerDHParams; 01950 */ 01951 if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 ) 01952 { 01953 MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret ); 01954 return( ret ); 01955 } 01956 01957 if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) 01958 { 01959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", 01960 ssl->handshake->dhm_ctx.len * 8, 01961 ssl->conf->dhm_min_bitlen ) ); 01962 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 01963 } 01964 01965 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 01966 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 01967 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 01968 01969 return( ret ); 01970 } 01971 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 01972 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01973 01974 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 01975 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 01976 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 01977 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 01978 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 01979 static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) 01980 { 01981 const mbedtls_ecp_curve_info *curve_info; 01982 01983 curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id ); 01984 if( curve_info == NULL ) 01985 { 01986 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01987 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01988 } 01989 01990 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); 01991 01992 #if defined(MBEDTLS_ECP_C) 01993 if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 ) 01994 #else 01995 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || 01996 ssl->handshake->ecdh_ctx.grp.nbits > 521 ) 01997 #endif 01998 return( -1 ); 01999 02000 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp ); 02001 02002 return( 0 ); 02003 } 02004 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02005 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02006 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02007 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02008 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02009 02010 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02011 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02012 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02013 static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl, 02014 unsigned char **p, 02015 unsigned char *end ) 02016 { 02017 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02018 02019 /* 02020 * Ephemeral ECDH parameters: 02021 * 02022 * struct { 02023 * ECParameters curve_params; 02024 * ECPoint public; 02025 * } ServerECDHParams; 02026 */ 02027 if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx, 02028 (const unsigned char **) p, end ) ) != 0 ) 02029 { 02030 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret ); 02031 return( ret ); 02032 } 02033 02034 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02035 { 02036 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) ); 02037 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02038 } 02039 02040 return( ret ); 02041 } 02042 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02043 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02044 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02045 02046 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02047 static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl, 02048 unsigned char **p, 02049 unsigned char *end ) 02050 { 02051 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02052 size_t len; 02053 ((void) ssl); 02054 02055 /* 02056 * PSK parameters: 02057 * 02058 * opaque psk_identity_hint<0..2^16-1>; 02059 */ 02060 len = (*p)[0] << 8 | (*p)[1]; 02061 *p += 2; 02062 02063 if( (*p) + len > end ) 02064 { 02065 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message " 02066 "(psk_identity_hint length)" ) ); 02067 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02068 } 02069 02070 /* 02071 * Note: we currently ignore the PKS identity hint, as we only allow one 02072 * PSK to be provisionned on the client. This could be changed later if 02073 * someone needs that feature. 02074 */ 02075 *p += len; 02076 ret = 0; 02077 02078 return( ret ); 02079 } 02080 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02081 02082 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 02083 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02084 /* 02085 * Generate a pre-master secret and encrypt it with the server's RSA key 02086 */ 02087 static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, 02088 size_t offset, size_t *olen, 02089 size_t pms_offset ) 02090 { 02091 int ret; 02092 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; 02093 unsigned char *p = ssl->handshake->premaster + pms_offset; 02094 02095 if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02096 { 02097 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); 02098 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02099 } 02100 02101 /* 02102 * Generate (part of) the pre-master as 02103 * struct { 02104 * ProtocolVersion client_version; 02105 * opaque random[46]; 02106 * } PreMasterSecret; 02107 */ 02108 mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, 02109 ssl->conf->transport, p ); 02110 02111 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) 02112 { 02113 MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); 02114 return( ret ); 02115 } 02116 02117 ssl->handshake->pmslen = 48; 02118 02119 if( ssl->session_negotiate->peer_cert == NULL ) 02120 { 02121 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02122 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02123 } 02124 02125 /* 02126 * Now write it out, encrypted 02127 */ 02128 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02129 MBEDTLS_PK_RSA ) ) 02130 { 02131 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) ); 02132 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02133 } 02134 02135 if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk, 02136 p, ssl->handshake->pmslen, 02137 ssl->out_msg + offset + len_bytes, olen, 02138 MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, 02139 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02140 { 02141 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); 02142 return( ret ); 02143 } 02144 02145 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02146 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02147 if( len_bytes == 2 ) 02148 { 02149 ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); 02150 ssl->out_msg[offset+1] = (unsigned char)( *olen ); 02151 *olen += 2; 02152 } 02153 #endif 02154 02155 return( 0 ); 02156 } 02157 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 02158 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02159 02160 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02161 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02162 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02163 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02164 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, 02165 unsigned char **p, 02166 unsigned char *end, 02167 mbedtls_md_type_t *md_alg, 02168 mbedtls_pk_type_t *pk_alg ) 02169 { 02170 ((void) ssl); 02171 *md_alg = MBEDTLS_MD_NONE; 02172 *pk_alg = MBEDTLS_PK_NONE; 02173 02174 /* Only in TLS 1.2 */ 02175 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 02176 { 02177 return( 0 ); 02178 } 02179 02180 if( (*p) + 2 > end ) 02181 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02182 02183 /* 02184 * Get hash algorithm 02185 */ 02186 if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE ) 02187 { 02188 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported " 02189 "HashAlgorithm %d", *(p)[0] ) ); 02190 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02191 } 02192 02193 /* 02194 * Get signature algorithm 02195 */ 02196 if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE ) 02197 { 02198 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported " 02199 "SignatureAlgorithm %d", (*p)[1] ) ); 02200 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02201 } 02202 02203 /* 02204 * Check if the hash is acceptable 02205 */ 02206 if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 ) 02207 { 02208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered", 02209 *(p)[0] ) ); 02210 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02211 } 02212 02213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); 02214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) ); 02215 *p += 2; 02216 02217 return( 0 ); 02218 } 02219 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02220 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02221 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02222 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02223 02224 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02225 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02226 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02227 { 02228 int ret; 02229 const mbedtls_ecp_keypair *peer_key; 02230 02231 if( ssl->session_negotiate->peer_cert == NULL ) 02232 { 02233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02234 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02235 } 02236 02237 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 02238 MBEDTLS_PK_ECKEY ) ) 02239 { 02240 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02241 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02242 } 02243 02244 peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); 02245 02246 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, 02247 MBEDTLS_ECDH_THEIRS ) ) != 0 ) 02248 { 02249 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02250 return( ret ); 02251 } 02252 02253 if( ssl_check_server_ecdh_params( ssl ) != 0 ) 02254 { 02255 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) ); 02256 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 02257 } 02258 02259 return( ret ); 02260 } 02261 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02262 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02263 02264 static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) 02265 { 02266 int ret; 02267 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02268 ssl->transform_negotiate->ciphersuite_info; 02269 unsigned char *p = NULL, *end = NULL; 02270 02271 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); 02272 02273 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02274 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02275 { 02276 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02277 ssl->state++; 02278 return( 0 ); 02279 } 02280 ((void) p); 02281 ((void) end); 02282 #endif 02283 02284 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02285 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02286 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02287 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02288 { 02289 if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) 02290 { 02291 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); 02292 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02293 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02294 return( ret ); 02295 } 02296 02297 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); 02298 ssl->state++; 02299 return( 0 ); 02300 } 02301 ((void) p); 02302 ((void) end); 02303 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02304 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02305 02306 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02307 { 02308 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02309 return( ret ); 02310 } 02311 02312 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02313 { 02314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02315 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02316 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02317 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02318 } 02319 02320 /* 02321 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server 02322 * doesn't use a psk_identity_hint 02323 */ 02324 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) 02325 { 02326 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02327 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02328 { 02329 /* Current message is probably either 02330 * CertificateRequest or ServerHelloDone */ 02331 ssl->keep_current_message = 1; 02332 goto exit; 02333 } 02334 02335 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must " 02336 "not be skipped" ) ); 02337 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02338 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02339 02340 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02341 } 02342 02343 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02344 end = ssl->in_msg + ssl->in_hslen; 02345 MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); 02346 02347 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02348 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02349 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02350 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02351 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02352 { 02353 if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) 02354 { 02355 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02356 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02357 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02358 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02359 } 02360 } /* FALLTROUGH */ 02361 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02362 02363 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ 02364 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02365 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02366 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02367 ; /* nothing more to do */ 02368 else 02369 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || 02370 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 02371 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 02372 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02373 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || 02374 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02375 { 02376 if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) 02377 { 02378 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02379 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02380 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02381 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02382 } 02383 } 02384 else 02385 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 02386 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02387 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02388 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 02389 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02390 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02391 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02392 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 02393 { 02394 if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) 02395 { 02396 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02397 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02398 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02399 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02400 } 02401 } 02402 else 02403 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02404 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || 02405 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02406 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02407 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02408 { 02409 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 02410 p, end - p ); 02411 if( ret != 0 ) 02412 { 02413 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 02414 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02415 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02416 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02417 } 02418 } 02419 else 02420 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02421 { 02422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02423 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02424 } 02425 02426 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02427 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 02428 { 02429 size_t sig_len, hashlen; 02430 unsigned char hash[64]; 02431 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 02432 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; 02433 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 02434 size_t params_len = p - params; 02435 02436 /* 02437 * Handle the digitally-signed structure 02438 */ 02439 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02440 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02441 { 02442 if( ssl_parse_signature_algorithm( ssl, &p, end, 02443 &md_alg, &pk_alg ) != 0 ) 02444 { 02445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02446 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02447 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02448 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02449 } 02450 02451 if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) ) 02452 { 02453 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02454 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02455 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 02456 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02457 } 02458 } 02459 else 02460 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02461 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02462 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02463 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 02464 { 02465 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 02466 02467 /* Default hash for ECDSA is SHA-1 */ 02468 if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) 02469 md_alg = MBEDTLS_MD_SHA1; 02470 } 02471 else 02472 #endif 02473 { 02474 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02475 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02476 } 02477 02478 /* 02479 * Read signature 02480 */ 02481 sig_len = ( p[0] << 8 ) | p[1]; 02482 p += 2; 02483 02484 if( end != p + sig_len ) 02485 { 02486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02487 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02488 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02489 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 02490 } 02491 02492 MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len ); 02493 02494 /* 02495 * Compute the hash that has been signed 02496 */ 02497 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 02498 defined(MBEDTLS_SSL_PROTO_TLS1_1) 02499 if( md_alg == MBEDTLS_MD_NONE ) 02500 { 02501 hashlen = 36; 02502 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, 02503 params_len ); 02504 if( ret != 0 ) 02505 return( ret ); 02506 } 02507 else 02508 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 02509 MBEDTLS_SSL_PROTO_TLS1_1 */ 02510 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 02511 defined(MBEDTLS_SSL_PROTO_TLS1_2) 02512 if( md_alg != MBEDTLS_MD_NONE ) 02513 { 02514 /* Info from md_alg will be used instead */ 02515 hashlen = 0; 02516 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params, 02517 params_len, md_alg ); 02518 if( ret != 0 ) 02519 return( ret ); 02520 } 02521 else 02522 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02523 MBEDTLS_SSL_PROTO_TLS1_2 */ 02524 { 02525 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02526 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02527 } 02528 02529 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 02530 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 02531 02532 if( ssl->session_negotiate->peer_cert == NULL ) 02533 { 02534 MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) ); 02535 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02536 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02537 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02538 } 02539 02540 /* 02541 * Verify signature 02542 */ 02543 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 02544 { 02545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); 02546 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02547 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 02548 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02549 } 02550 02551 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 02552 md_alg, hash, hashlen, p, sig_len ) ) != 0 ) 02553 { 02554 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02555 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); 02556 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 02557 return( ret ); 02558 } 02559 } 02560 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02561 02562 exit: 02563 ssl->state++; 02564 02565 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) ); 02566 02567 return( 0 ); 02568 } 02569 02570 #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) 02571 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02572 { 02573 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02574 ssl->transform_negotiate->ciphersuite_info; 02575 02576 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02577 02578 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02579 { 02580 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02581 ssl->state++; 02582 return( 0 ); 02583 } 02584 02585 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02586 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02587 } 02588 #else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02589 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) 02590 { 02591 int ret; 02592 unsigned char *buf; 02593 size_t n = 0; 02594 size_t cert_type_len = 0, dn_len = 0; 02595 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02596 ssl->transform_negotiate->ciphersuite_info; 02597 02598 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); 02599 02600 if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) 02601 { 02602 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) ); 02603 ssl->state++; 02604 return( 0 ); 02605 } 02606 02607 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02608 { 02609 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02610 return( ret ); 02611 } 02612 02613 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02614 { 02615 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02616 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02617 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 02618 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02619 } 02620 02621 ssl->state++; 02622 ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ); 02623 02624 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", 02625 ssl->client_auth ? "a" : "no" ) ); 02626 02627 if( ssl->client_auth == 0 ) 02628 { 02629 /* Current message is probably the ServerHelloDone */ 02630 ssl->keep_current_message = 1; 02631 goto exit; 02632 } 02633 02634 /* 02635 * struct { 02636 * ClientCertificateType certificate_types<1..2^8-1>; 02637 * SignatureAndHashAlgorithm 02638 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only 02639 * DistinguishedName certificate_authorities<0..2^16-1>; 02640 * } CertificateRequest; 02641 * 02642 * Since we only support a single certificate on clients, let's just 02643 * ignore all the information that's supposed to help us pick a 02644 * certificate. 02645 * 02646 * We could check that our certificate matches the request, and bail out 02647 * if it doesn't, but it's simpler to just send the certificate anyway, 02648 * and give the server the opportunity to decide if it should terminate 02649 * the connection when it doesn't like our certificate. 02650 * 02651 * Same goes for the hash in TLS 1.2's signature_algorithms: at this 02652 * point we only have one hash available (see comments in 02653 * write_certificate_verify), so let's just use what we have. 02654 * 02655 * However, we still minimally parse the message to check it is at least 02656 * superficially sane. 02657 */ 02658 buf = ssl->in_msg; 02659 02660 /* certificate_types */ 02661 cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )]; 02662 n = cert_type_len; 02663 02664 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02665 { 02666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02667 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02668 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02669 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02670 } 02671 02672 /* supported_signature_algorithms */ 02673 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02674 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02675 { 02676 size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02677 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02678 #if defined(MBEDTLS_DEBUG_C) 02679 unsigned char* sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; 02680 size_t i; 02681 02682 for( i = 0; i < sig_alg_len; i += 2 ) 02683 { 02684 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d" 02685 ",%d", sig_alg[i], sig_alg[i + 1] ) ); 02686 } 02687 #endif 02688 02689 n += 2 + sig_alg_len; 02690 02691 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n ) 02692 { 02693 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02694 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02695 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02696 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02697 } 02698 } 02699 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02700 02701 /* certificate_authorities */ 02702 dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) 02703 | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); 02704 02705 n += dn_len; 02706 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n ) 02707 { 02708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); 02709 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02710 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02711 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST ); 02712 } 02713 02714 exit: 02715 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) ); 02716 02717 return( 0 ); 02718 } 02719 #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ 02720 02721 static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) 02722 { 02723 int ret; 02724 02725 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) ); 02726 02727 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 02728 { 02729 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 02730 return( ret ); 02731 } 02732 02733 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 02734 { 02735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02736 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 02737 } 02738 02739 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) || 02740 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE ) 02741 { 02742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) ); 02743 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 02744 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 02745 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE ); 02746 } 02747 02748 ssl->state++; 02749 02750 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02751 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02752 mbedtls_ssl_recv_flight_completed( ssl ); 02753 #endif 02754 02755 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) ); 02756 02757 return( 0 ); 02758 } 02759 02760 static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) 02761 { 02762 int ret; 02763 size_t i, n; 02764 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02765 ssl->transform_negotiate->ciphersuite_info; 02766 02767 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); 02768 02769 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 02770 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 02771 { 02772 /* 02773 * DHM key exchange -- send G^X mod P 02774 */ 02775 n = ssl->handshake->dhm_ctx.len; 02776 02777 ssl->out_msg[4] = (unsigned char)( n >> 8 ); 02778 ssl->out_msg[5] = (unsigned char)( n ); 02779 i = 6; 02780 02781 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02782 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02783 &ssl->out_msg[i], n, 02784 ssl->conf->f_rng, ssl->conf->p_rng ); 02785 if( ret != 0 ) 02786 { 02787 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02788 return( ret ); 02789 } 02790 02791 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02792 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02793 02794 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 02795 ssl->handshake->premaster, 02796 MBEDTLS_PREMASTER_SIZE, 02797 &ssl->handshake->pmslen, 02798 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02799 { 02800 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 02801 return( ret ); 02802 } 02803 02804 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 02805 } 02806 else 02807 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 02808 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 02809 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 02810 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02811 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02812 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 02813 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 02814 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 02815 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 02816 { 02817 /* 02818 * ECDH key exchange -- send client public value 02819 */ 02820 i = 4; 02821 02822 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, 02823 &n, 02824 &ssl->out_msg[i], 1000, 02825 ssl->conf->f_rng, ssl->conf->p_rng ); 02826 if( ret != 0 ) 02827 { 02828 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02829 return( ret ); 02830 } 02831 02832 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02833 02834 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 02835 &ssl->handshake->pmslen, 02836 ssl->handshake->premaster, 02837 MBEDTLS_MPI_MAX_SIZE, 02838 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02839 { 02840 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 02841 return( ret ); 02842 } 02843 02844 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 02845 } 02846 else 02847 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 02848 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 02849 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 02850 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02851 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 02852 if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) 02853 { 02854 /* 02855 * opaque psk_identity<0..2^16-1>; 02856 */ 02857 if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) 02858 { 02859 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); 02860 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 02861 } 02862 02863 i = 4; 02864 n = ssl->conf->psk_identity_len; 02865 02866 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02867 { 02868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " 02869 "SSL buffer too short" ) ); 02870 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02871 } 02872 02873 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02874 ssl->out_msg[i++] = (unsigned char)( n ); 02875 02876 memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); 02877 i += ssl->conf->psk_identity_len; 02878 02879 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 02880 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 02881 { 02882 n = 0; 02883 } 02884 else 02885 #endif 02886 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 02887 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 02888 { 02889 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) 02890 return( ret ); 02891 } 02892 else 02893 #endif 02894 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 02895 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 02896 { 02897 /* 02898 * ClientDiffieHellmanPublic public (DHM send G^X mod P) 02899 */ 02900 n = ssl->handshake->dhm_ctx.len; 02901 02902 if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02903 { 02904 MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" 02905 " or SSL buffer too short" ) ); 02906 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 02907 } 02908 02909 ssl->out_msg[i++] = (unsigned char)( n >> 8 ); 02910 ssl->out_msg[i++] = (unsigned char)( n ); 02911 02912 ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, 02913 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02914 &ssl->out_msg[i], n, 02915 ssl->conf->f_rng, ssl->conf->p_rng ); 02916 if( ret != 0 ) 02917 { 02918 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); 02919 return( ret ); 02920 } 02921 } 02922 else 02923 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 02924 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02925 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02926 { 02927 /* 02928 * ClientECDiffieHellmanPublic public; 02929 */ 02930 ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, 02931 &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, 02932 ssl->conf->f_rng, ssl->conf->p_rng ); 02933 if( ret != 0 ) 02934 { 02935 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); 02936 return( ret ); 02937 } 02938 02939 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q ); 02940 } 02941 else 02942 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02943 { 02944 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02945 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02946 } 02947 02948 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 02949 ciphersuite_info->key_exchange ) ) != 0 ) 02950 { 02951 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 02952 return( ret ); 02953 } 02954 } 02955 else 02956 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 02957 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 02958 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 02959 { 02960 i = 4; 02961 if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) 02962 return( ret ); 02963 } 02964 else 02965 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02966 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02967 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02968 { 02969 i = 4; 02970 02971 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02972 ssl->out_msg + i, MBEDTLS_SSL_MAX_CONTENT_LEN - i, &n, 02973 ssl->conf->f_rng, ssl->conf->p_rng ); 02974 if( ret != 0 ) 02975 { 02976 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02977 return( ret ); 02978 } 02979 02980 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 02981 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 02982 ssl->conf->f_rng, ssl->conf->p_rng ); 02983 if( ret != 0 ) 02984 { 02985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 02986 return( ret ); 02987 } 02988 } 02989 else 02990 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 02991 { 02992 ((void) ciphersuite_info); 02993 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02994 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02995 } 02996 02997 ssl->out_msglen = i + n; 02998 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02999 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE; 03000 03001 ssl->state++; 03002 03003 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03004 { 03005 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03006 return( ret ); 03007 } 03008 03009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) ); 03010 03011 return( 0 ); 03012 } 03013 03014 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03015 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03016 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03017 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03018 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03019 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03020 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03021 { 03022 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03023 ssl->transform_negotiate->ciphersuite_info; 03024 int ret; 03025 03026 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03027 03028 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03029 { 03030 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03031 return( ret ); 03032 } 03033 03034 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03035 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03036 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03037 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03038 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03039 { 03040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03041 ssl->state++; 03042 return( 0 ); 03043 } 03044 03045 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03046 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03047 } 03048 #else 03049 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) 03050 { 03051 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03052 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03053 ssl->transform_negotiate->ciphersuite_info; 03054 size_t n = 0, offset = 0; 03055 unsigned char hash[48]; 03056 unsigned char *hash_start = hash; 03057 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; 03058 unsigned int hashlen; 03059 03060 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); 03061 03062 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03063 { 03064 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03065 return( ret ); 03066 } 03067 03068 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03069 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03070 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03071 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03072 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03073 { 03074 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03075 ssl->state++; 03076 return( 0 ); 03077 } 03078 03079 if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL ) 03080 { 03081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) ); 03082 ssl->state++; 03083 return( 0 ); 03084 } 03085 03086 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03087 { 03088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) ); 03089 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03090 } 03091 03092 /* 03093 * Make an RSA signature of the handshake digests 03094 */ 03095 ssl->handshake->calc_verify( ssl, hash ); 03096 03097 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03098 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03099 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03100 { 03101 /* 03102 * digitally-signed struct { 03103 * opaque md5_hash[16]; 03104 * opaque sha_hash[20]; 03105 * }; 03106 * 03107 * md5_hash 03108 * MD5(handshake_messages); 03109 * 03110 * sha_hash 03111 * SHA(handshake_messages); 03112 */ 03113 hashlen = 36; 03114 md_alg = MBEDTLS_MD_NONE; 03115 03116 /* 03117 * For ECDSA, default hash is SHA-1 only 03118 */ 03119 if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) 03120 { 03121 hash_start += 16; 03122 hashlen -= 16; 03123 md_alg = MBEDTLS_MD_SHA1; 03124 } 03125 } 03126 else 03127 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03128 MBEDTLS_SSL_PROTO_TLS1_1 */ 03129 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03130 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03131 { 03132 /* 03133 * digitally-signed struct { 03134 * opaque handshake_messages[handshake_messages_length]; 03135 * }; 03136 * 03137 * Taking shortcut here. We assume that the server always allows the 03138 * PRF Hash function and has sent it in the allowed signature 03139 * algorithms list received in the Certificate Request message. 03140 * 03141 * Until we encounter a server that does not, we will take this 03142 * shortcut. 03143 * 03144 * Reason: Otherwise we should have running hashes for SHA512 and SHA224 03145 * in order to satisfy 'weird' needs from the server side. 03146 */ 03147 if( ssl->transform_negotiate->ciphersuite_info->mac == 03148 MBEDTLS_MD_SHA384 ) 03149 { 03150 md_alg = MBEDTLS_MD_SHA384; 03151 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; 03152 } 03153 else 03154 { 03155 md_alg = MBEDTLS_MD_SHA256; 03156 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256; 03157 } 03158 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) ); 03159 03160 /* Info from md_alg will be used instead */ 03161 hashlen = 0; 03162 offset = 2; 03163 } 03164 else 03165 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03166 { 03167 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03168 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03169 } 03170 03171 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, 03172 ssl->out_msg + 6 + offset, &n, 03173 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03174 { 03175 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03176 return( ret ); 03177 } 03178 03179 ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 ); 03180 ssl->out_msg[5 + offset] = (unsigned char)( n ); 03181 03182 ssl->out_msglen = 6 + n + offset; 03183 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03184 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY; 03185 03186 ssl->state++; 03187 03188 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03189 { 03190 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03191 return( ret ); 03192 } 03193 03194 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) ); 03195 03196 return( ret ); 03197 } 03198 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03199 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03200 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03201 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03202 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03203 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03204 03205 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03206 static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) 03207 { 03208 int ret; 03209 uint32_t lifetime; 03210 size_t ticket_len; 03211 unsigned char *ticket; 03212 const unsigned char *msg; 03213 03214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) ); 03215 03216 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03217 { 03218 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03219 return( ret ); 03220 } 03221 03222 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03223 { 03224 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03225 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03226 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03227 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 03228 } 03229 03230 /* 03231 * struct { 03232 * uint32 ticket_lifetime_hint; 03233 * opaque ticket<0..2^16-1>; 03234 * } NewSessionTicket; 03235 * 03236 * 0 . 3 ticket_lifetime_hint 03237 * 4 . 5 ticket_len (n) 03238 * 6 . 5+n ticket content 03239 */ 03240 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET || 03241 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) ) 03242 { 03243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03244 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03245 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03246 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03247 } 03248 03249 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03250 03251 lifetime = ( msg[0] << 24 ) | ( msg[1] << 16 ) | 03252 ( msg[2] << 8 ) | ( msg[3] ); 03253 03254 ticket_len = ( msg[4] << 8 ) | ( msg[5] ); 03255 03256 if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen ) 03257 { 03258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) ); 03259 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03260 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 03261 return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET ); 03262 } 03263 03264 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) ); 03265 03266 /* We're not waiting for a NewSessionTicket message any more */ 03267 ssl->handshake->new_session_ticket = 0; 03268 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 03269 03270 /* 03271 * Zero-length ticket means the server changed his mind and doesn't want 03272 * to send a ticket after all, so just forget it 03273 */ 03274 if( ticket_len == 0 ) 03275 return( 0 ); 03276 03277 mbedtls_zeroize( ssl->session_negotiate->ticket, 03278 ssl->session_negotiate->ticket_len ); 03279 mbedtls_free( ssl->session_negotiate->ticket ); 03280 ssl->session_negotiate->ticket = NULL; 03281 ssl->session_negotiate->ticket_len = 0; 03282 03283 if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL ) 03284 { 03285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) ); 03286 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03287 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 03288 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03289 } 03290 03291 memcpy( ticket, msg + 6, ticket_len ); 03292 03293 ssl->session_negotiate->ticket = ticket; 03294 ssl->session_negotiate->ticket_len = ticket_len; 03295 ssl->session_negotiate->ticket_lifetime = lifetime; 03296 03297 /* 03298 * RFC 5077 section 3.4: 03299 * "If the client receives a session ticket from the server, then it 03300 * discards any Session ID that was sent in the ServerHello." 03301 */ 03302 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) ); 03303 ssl->session_negotiate->id_len = 0; 03304 03305 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) ); 03306 03307 return( 0 ); 03308 } 03309 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03310 03311 /* 03312 * SSL handshake -- client side -- single step 03313 */ 03314 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) 03315 { 03316 int ret = 0; 03317 03318 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03319 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03320 03321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) ); 03322 03323 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03324 return( ret ); 03325 03326 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03327 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03328 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03329 { 03330 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03331 return( ret ); 03332 } 03333 #endif 03334 03335 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used 03336 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */ 03337 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03338 if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC && 03339 ssl->handshake->new_session_ticket != 0 ) 03340 { 03341 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET; 03342 } 03343 #endif 03344 03345 switch( ssl->state ) 03346 { 03347 case MBEDTLS_SSL_HELLO_REQUEST: 03348 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03349 break; 03350 03351 /* 03352 * ==> ClientHello 03353 */ 03354 case MBEDTLS_SSL_CLIENT_HELLO: 03355 ret = ssl_write_client_hello( ssl ); 03356 break; 03357 03358 /* 03359 * <== ServerHello 03360 * Certificate 03361 * ( ServerKeyExchange ) 03362 * ( CertificateRequest ) 03363 * ServerHelloDone 03364 */ 03365 case MBEDTLS_SSL_SERVER_HELLO: 03366 ret = ssl_parse_server_hello( ssl ); 03367 break; 03368 03369 case MBEDTLS_SSL_SERVER_CERTIFICATE: 03370 ret = mbedtls_ssl_parse_certificate( ssl ); 03371 break; 03372 03373 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 03374 ret = ssl_parse_server_key_exchange( ssl ); 03375 break; 03376 03377 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 03378 ret = ssl_parse_certificate_request( ssl ); 03379 break; 03380 03381 case MBEDTLS_SSL_SERVER_HELLO_DONE: 03382 ret = ssl_parse_server_hello_done( ssl ); 03383 break; 03384 03385 /* 03386 * ==> ( Certificate/Alert ) 03387 * ClientKeyExchange 03388 * ( CertificateVerify ) 03389 * ChangeCipherSpec 03390 * Finished 03391 */ 03392 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 03393 ret = mbedtls_ssl_write_certificate( ssl ); 03394 break; 03395 03396 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 03397 ret = ssl_write_client_key_exchange( ssl ); 03398 break; 03399 03400 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 03401 ret = ssl_write_certificate_verify( ssl ); 03402 break; 03403 03404 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 03405 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 03406 break; 03407 03408 case MBEDTLS_SSL_CLIENT_FINISHED: 03409 ret = mbedtls_ssl_write_finished( ssl ); 03410 break; 03411 03412 /* 03413 * <== ( NewSessionTicket ) 03414 * ChangeCipherSpec 03415 * Finished 03416 */ 03417 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03418 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET: 03419 ret = ssl_parse_new_session_ticket( ssl ); 03420 break; 03421 #endif 03422 03423 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 03424 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 03425 break; 03426 03427 case MBEDTLS_SSL_SERVER_FINISHED: 03428 ret = mbedtls_ssl_parse_finished( ssl ); 03429 break; 03430 03431 case MBEDTLS_SSL_FLUSH_BUFFERS: 03432 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 03433 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 03434 break; 03435 03436 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 03437 mbedtls_ssl_handshake_wrapup( ssl ); 03438 break; 03439 03440 default: 03441 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 03442 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03443 } 03444 03445 return( ret ); 03446 } 03447 #endif /* MBEDTLS_SSL_CLI_C */
Generated on Fri Jul 22 2022 04:54:01 by
1.7.2