BA
/
SerialCom
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
OmniWheels
by 
Gustav Atmel
Embed:
(wiki syntax)
Show/hide line numbers
ssl_srv.c
00001 /* 00002 * SSLv3/TLSv1 server-side functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 00022 #if !defined(MBEDTLS_CONFIG_FILE) 00023 #include "mbedtls/config.h" 00024 #else 00025 #include MBEDTLS_CONFIG_FILE 00026 #endif 00027 00028 #if defined(MBEDTLS_SSL_SRV_C) 00029 00030 #if defined(MBEDTLS_PLATFORM_C) 00031 #include "mbedtls/platform.h" 00032 #else 00033 #include <stdlib.h> 00034 #define mbedtls_calloc calloc 00035 #define mbedtls_free free 00036 #endif 00037 00038 #include "mbedtls/debug.h" 00039 #include "mbedtls/ssl.h" 00040 #include "mbedtls/ssl_internal.h" 00041 00042 #include <string.h> 00043 00044 #if defined(MBEDTLS_ECP_C) 00045 #include "mbedtls/ecp.h" 00046 #endif 00047 00048 #if defined(MBEDTLS_HAVE_TIME) 00049 #include "mbedtls/platform_time.h" 00050 #endif 00051 00052 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00053 /* Implementation that should never be optimized out by the compiler */ 00054 static void mbedtls_zeroize( void *v, size_t n ) { 00055 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00056 } 00057 #endif 00058 00059 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 00060 int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, 00061 const unsigned char *info, 00062 size_t ilen ) 00063 { 00064 if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) 00065 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00066 00067 mbedtls_free( ssl->cli_id ); 00068 00069 if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL ) 00070 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00071 00072 memcpy( ssl->cli_id, info, ilen ); 00073 ssl->cli_id_len = ilen; 00074 00075 return( 0 ); 00076 } 00077 00078 void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, 00079 mbedtls_ssl_cookie_write_t *f_cookie_write, 00080 mbedtls_ssl_cookie_check_t *f_cookie_check, 00081 void *p_cookie ) 00082 { 00083 conf->f_cookie_write = f_cookie_write; 00084 conf->f_cookie_check = f_cookie_check; 00085 conf->p_cookie = p_cookie; 00086 } 00087 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 00088 00089 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00090 static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, 00091 const unsigned char *buf, 00092 size_t len ) 00093 { 00094 int ret; 00095 size_t servername_list_size, hostname_len; 00096 const unsigned char *p; 00097 00098 MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) ); 00099 00100 servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00101 if( servername_list_size + 2 != len ) 00102 { 00103 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00104 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00105 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00106 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00107 } 00108 00109 p = buf + 2; 00110 while( servername_list_size > 0 ) 00111 { 00112 hostname_len = ( ( p[1] << 8 ) | p[2] ); 00113 if( hostname_len + 3 > servername_list_size ) 00114 { 00115 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00116 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00117 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00118 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00119 } 00120 00121 if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) 00122 { 00123 ret = ssl->conf->f_sni( ssl->conf->p_sni, 00124 ssl, p + 3, hostname_len ); 00125 if( ret != 0 ) 00126 { 00127 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); 00128 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00129 MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME ); 00130 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00131 } 00132 return( 0 ); 00133 } 00134 00135 servername_list_size -= hostname_len + 3; 00136 p += hostname_len + 3; 00137 } 00138 00139 if( servername_list_size != 0 ) 00140 { 00141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00142 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00143 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00144 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00145 } 00146 00147 return( 0 ); 00148 } 00149 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 00150 00151 static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, 00152 const unsigned char *buf, 00153 size_t len ) 00154 { 00155 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00156 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00157 { 00158 /* Check verify-data in constant-time. The length OTOH is no secret */ 00159 if( len != 1 + ssl->verify_data_len || 00160 buf[0] != ssl->verify_data_len || 00161 mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data, 00162 ssl->verify_data_len ) != 0 ) 00163 { 00164 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); 00165 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00166 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00167 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00168 } 00169 } 00170 else 00171 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00172 { 00173 if( len != 1 || buf[0] != 0x0 ) 00174 { 00175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); 00176 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00177 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00178 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00179 } 00180 00181 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 00182 } 00183 00184 return( 0 ); 00185 } 00186 00187 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00188 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00189 00190 /* 00191 * Status of the implementation of signature-algorithms extension: 00192 * 00193 * Currently, we are only considering the signature-algorithm extension 00194 * to pick a ciphersuite which allows us to send the ServerKeyExchange 00195 * message with a signature-hash combination that the user allows. 00196 * 00197 * We do *not* check whether all certificates in our certificate 00198 * chain are signed with an allowed signature-hash pair. 00199 * This needs to be done at a later stage. 00200 * 00201 */ 00202 static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl, 00203 const unsigned char *buf, 00204 size_t len ) 00205 { 00206 size_t sig_alg_list_size; 00207 00208 const unsigned char *p; 00209 const unsigned char *end = buf + len; 00210 00211 mbedtls_md_type_t md_cur; 00212 mbedtls_pk_type_t sig_cur; 00213 00214 sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00215 if( sig_alg_list_size + 2 != len || 00216 sig_alg_list_size % 2 != 0 ) 00217 { 00218 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00219 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00220 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00221 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00222 } 00223 00224 /* Currently we only guarantee signing the ServerKeyExchange message according 00225 * to the constraints specified in this extension (see above), so it suffices 00226 * to remember only one suitable hash for each possible signature algorithm. 00227 * 00228 * This will change when we also consider certificate signatures, 00229 * in which case we will need to remember the whole signature-hash 00230 * pair list from the extension. 00231 */ 00232 00233 for( p = buf + 2; p < end; p += 2 ) 00234 { 00235 /* Silently ignore unknown signature or hash algorithms. */ 00236 00237 if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE ) 00238 { 00239 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext" 00240 " unknown sig alg encoding %d", p[1] ) ); 00241 continue; 00242 } 00243 00244 /* Check if we support the hash the user proposes */ 00245 md_cur = mbedtls_ssl_md_alg_from_hash( p[0] ); 00246 if( md_cur == MBEDTLS_MD_NONE ) 00247 { 00248 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00249 " unknown hash alg encoding %d", p[0] ) ); 00250 continue; 00251 } 00252 00253 if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 ) 00254 { 00255 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur ); 00256 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:" 00257 " match sig %d and hash %d", 00258 sig_cur, md_cur ) ); 00259 } 00260 else 00261 { 00262 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: " 00263 "hash alg %d not supported", md_cur ) ); 00264 } 00265 } 00266 00267 return( 0 ); 00268 } 00269 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00270 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00271 00272 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 00273 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00274 static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, 00275 const unsigned char *buf, 00276 size_t len ) 00277 { 00278 size_t list_size, our_size; 00279 const unsigned char *p; 00280 const mbedtls_ecp_curve_info *curve_info, **curves; 00281 00282 list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); 00283 if( list_size + 2 != len || 00284 list_size % 2 != 0 ) 00285 { 00286 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00287 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00288 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00289 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00290 } 00291 00292 /* Should never happen unless client duplicates the extension */ 00293 if( ssl->handshake->curves != NULL ) 00294 { 00295 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00296 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00297 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00298 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00299 } 00300 00301 /* Don't allow our peer to make us allocate too much memory, 00302 * and leave room for a final 0 */ 00303 our_size = list_size / 2 + 1; 00304 if( our_size > MBEDTLS_ECP_DP_MAX ) 00305 our_size = MBEDTLS_ECP_DP_MAX; 00306 00307 if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL ) 00308 { 00309 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00310 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 00311 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00312 } 00313 00314 ssl->handshake->curves = curves; 00315 00316 p = buf + 2; 00317 while( list_size > 0 && our_size > 1 ) 00318 { 00319 curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] ); 00320 00321 if( curve_info != NULL ) 00322 { 00323 *curves++ = curve_info; 00324 our_size--; 00325 } 00326 00327 list_size -= 2; 00328 p += 2; 00329 } 00330 00331 return( 0 ); 00332 } 00333 00334 static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, 00335 const unsigned char *buf, 00336 size_t len ) 00337 { 00338 size_t list_size; 00339 const unsigned char *p; 00340 00341 list_size = buf[0]; 00342 if( list_size + 1 != len ) 00343 { 00344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00345 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00346 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00347 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00348 } 00349 00350 p = buf + 1; 00351 while( list_size > 0 ) 00352 { 00353 if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED || 00354 p[0] == MBEDTLS_ECP_PF_COMPRESSED ) 00355 { 00356 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00357 ssl->handshake->ecdh_ctx.point_format = p[0]; 00358 #endif 00359 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00360 ssl->handshake->ecjpake_ctx.point_format = p[0]; 00361 #endif 00362 MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); 00363 return( 0 ); 00364 } 00365 00366 list_size--; 00367 p++; 00368 } 00369 00370 return( 0 ); 00371 } 00372 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 00373 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00374 00375 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00376 static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, 00377 const unsigned char *buf, 00378 size_t len ) 00379 { 00380 int ret; 00381 00382 if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) 00383 { 00384 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); 00385 return( 0 ); 00386 } 00387 00388 if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, 00389 buf, len ) ) != 0 ) 00390 { 00391 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret ); 00392 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00393 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00394 return( ret ); 00395 } 00396 00397 /* Only mark the extension as OK when we're sure it is */ 00398 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; 00399 00400 return( 0 ); 00401 } 00402 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 00403 00404 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00405 static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, 00406 const unsigned char *buf, 00407 size_t len ) 00408 { 00409 if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ) 00410 { 00411 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00412 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00413 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00414 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00415 } 00416 00417 ssl->session_negotiate->mfl_code = buf[0]; 00418 00419 return( 0 ); 00420 } 00421 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00422 00423 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00424 static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, 00425 const unsigned char *buf, 00426 size_t len ) 00427 { 00428 if( len != 0 ) 00429 { 00430 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00431 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00432 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00433 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00434 } 00435 00436 ((void) buf); 00437 00438 if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00439 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; 00440 00441 return( 0 ); 00442 } 00443 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00444 00445 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00446 static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 00447 const unsigned char *buf, 00448 size_t len ) 00449 { 00450 if( len != 0 ) 00451 { 00452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00453 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00454 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00455 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00456 } 00457 00458 ((void) buf); 00459 00460 if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 00461 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00462 { 00463 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 00464 } 00465 00466 return( 0 ); 00467 } 00468 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 00469 00470 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00471 static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, 00472 const unsigned char *buf, 00473 size_t len ) 00474 { 00475 if( len != 0 ) 00476 { 00477 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00478 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00479 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00480 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00481 } 00482 00483 ((void) buf); 00484 00485 if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && 00486 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 00487 { 00488 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 00489 } 00490 00491 return( 0 ); 00492 } 00493 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 00494 00495 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 00496 static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, 00497 unsigned char *buf, 00498 size_t len ) 00499 { 00500 int ret; 00501 mbedtls_ssl_session session; 00502 00503 mbedtls_ssl_session_init( &session ); 00504 00505 if( ssl->conf->f_ticket_parse == NULL || 00506 ssl->conf->f_ticket_write == NULL ) 00507 { 00508 return( 0 ); 00509 } 00510 00511 /* Remember the client asked us to send a new ticket */ 00512 ssl->handshake->new_session_ticket = 1; 00513 00514 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) ); 00515 00516 if( len == 0 ) 00517 return( 0 ); 00518 00519 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00520 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00521 { 00522 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); 00523 return( 0 ); 00524 } 00525 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00526 00527 /* 00528 * Failures are ok: just ignore the ticket and proceed. 00529 */ 00530 if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session, 00531 buf, len ) ) != 0 ) 00532 { 00533 mbedtls_ssl_session_free( &session ); 00534 00535 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 00536 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) ); 00537 else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED ) 00538 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) ); 00539 else 00540 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret ); 00541 00542 return( 0 ); 00543 } 00544 00545 /* 00546 * Keep the session ID sent by the client, since we MUST send it back to 00547 * inform them we're accepting the ticket (RFC 5077 section 3.4) 00548 */ 00549 session.id_len = ssl->session_negotiate->id_len; 00550 memcpy( &session.id, ssl->session_negotiate->id, session.id_len ); 00551 00552 mbedtls_ssl_session_free( ssl->session_negotiate ); 00553 memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) ); 00554 00555 /* Zeroize instead of free as we copied the content */ 00556 mbedtls_zeroize( &session, sizeof( mbedtls_ssl_session ) ); 00557 00558 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) ); 00559 00560 ssl->handshake->resume = 1; 00561 00562 /* Don't send a new ticket after all, this one is OK */ 00563 ssl->handshake->new_session_ticket = 0; 00564 00565 return( 0 ); 00566 } 00567 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 00568 00569 #if defined(MBEDTLS_SSL_ALPN) 00570 static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, 00571 const unsigned char *buf, size_t len ) 00572 { 00573 size_t list_len, cur_len, ours_len; 00574 const unsigned char *theirs, *start, *end; 00575 const char **ours; 00576 00577 /* If ALPN not configured, just ignore the extension */ 00578 if( ssl->conf->alpn_list == NULL ) 00579 return( 0 ); 00580 00581 /* 00582 * opaque ProtocolName<1..2^8-1>; 00583 * 00584 * struct { 00585 * ProtocolName protocol_name_list<2..2^16-1> 00586 * } ProtocolNameList; 00587 */ 00588 00589 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */ 00590 if( len < 4 ) 00591 { 00592 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00593 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00594 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00595 } 00596 00597 list_len = ( buf[0] << 8 ) | buf[1]; 00598 if( list_len != len - 2 ) 00599 { 00600 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00601 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00602 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00603 } 00604 00605 /* 00606 * Validate peer's list (lengths) 00607 */ 00608 start = buf + 2; 00609 end = buf + len; 00610 for( theirs = start; theirs != end; theirs += cur_len ) 00611 { 00612 cur_len = *theirs++; 00613 00614 /* Current identifier must fit in list */ 00615 if( cur_len > (size_t)( end - theirs ) ) 00616 { 00617 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00618 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 00619 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00620 } 00621 00622 /* Empty strings MUST NOT be included */ 00623 if( cur_len == 0 ) 00624 { 00625 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00626 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); 00627 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00628 } 00629 } 00630 00631 /* 00632 * Use our order of preference 00633 */ 00634 for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) 00635 { 00636 ours_len = strlen( *ours ); 00637 for( theirs = start; theirs != end; theirs += cur_len ) 00638 { 00639 cur_len = *theirs++; 00640 00641 if( cur_len == ours_len && 00642 memcmp( theirs, *ours, cur_len ) == 0 ) 00643 { 00644 ssl->alpn_chosen = *ours; 00645 return( 0 ); 00646 } 00647 } 00648 } 00649 00650 /* If we get there, no match was found */ 00651 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00652 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL ); 00653 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00654 } 00655 #endif /* MBEDTLS_SSL_ALPN */ 00656 00657 /* 00658 * Auxiliary functions for ServerHello parsing and related actions 00659 */ 00660 00661 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00662 /* 00663 * Return 0 if the given key uses one of the acceptable curves, -1 otherwise 00664 */ 00665 #if defined(MBEDTLS_ECDSA_C) 00666 static int ssl_check_key_curve( mbedtls_pk_context *pk, 00667 const mbedtls_ecp_curve_info **curves ) 00668 { 00669 const mbedtls_ecp_curve_info **crv = curves; 00670 mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp .id ; 00671 00672 while( *crv != NULL ) 00673 { 00674 if( (*crv)->grp_id == grp_id ) 00675 return( 0 ); 00676 crv++; 00677 } 00678 00679 return( -1 ); 00680 } 00681 #endif /* MBEDTLS_ECDSA_C */ 00682 00683 /* 00684 * Try picking a certificate for this ciphersuite, 00685 * return 0 on success and -1 on failure. 00686 */ 00687 static int ssl_pick_cert( mbedtls_ssl_context *ssl, 00688 const mbedtls_ssl_ciphersuite_t * ciphersuite_info ) 00689 { 00690 mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; 00691 mbedtls_pk_type_t pk_alg = 00692 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 00693 uint32_t flags; 00694 00695 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 00696 if( ssl->handshake->sni_key_cert != NULL ) 00697 list = ssl->handshake->sni_key_cert; 00698 else 00699 #endif 00700 list = ssl->conf->key_cert; 00701 00702 if( pk_alg == MBEDTLS_PK_NONE ) 00703 return( 0 ); 00704 00705 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) ); 00706 00707 if( list == NULL ) 00708 { 00709 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) ); 00710 return( -1 ); 00711 } 00712 00713 for( cur = list; cur != NULL; cur = cur->next ) 00714 { 00715 MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", 00716 cur->cert ); 00717 00718 if( ! mbedtls_pk_can_do( cur->key, pk_alg ) ) 00719 { 00720 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) ); 00721 continue; 00722 } 00723 00724 /* 00725 * This avoids sending the client a cert it'll reject based on 00726 * keyUsage or other extensions. 00727 * 00728 * It also allows the user to provision different certificates for 00729 * different uses based on keyUsage, eg if they want to avoid signing 00730 * and decrypting with the same RSA key. 00731 */ 00732 if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, 00733 MBEDTLS_SSL_IS_SERVER, &flags ) != 0 ) 00734 { 00735 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " 00736 "(extended) key usage extension" ) ); 00737 continue; 00738 } 00739 00740 #if defined(MBEDTLS_ECDSA_C) 00741 if( pk_alg == MBEDTLS_PK_ECDSA && 00742 ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 ) 00743 { 00744 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); 00745 continue; 00746 } 00747 #endif 00748 00749 /* 00750 * Try to select a SHA-1 certificate for pre-1.2 clients, but still 00751 * present them a SHA-higher cert rather than failing if it's the only 00752 * one we got that satisfies the other conditions. 00753 */ 00754 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 && 00755 cur->cert->sig_md != MBEDTLS_MD_SHA1 ) 00756 { 00757 if( fallback == NULL ) 00758 fallback = cur; 00759 { 00760 MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: " 00761 "sha-2 with pre-TLS 1.2 client" ) ); 00762 continue; 00763 } 00764 } 00765 00766 /* If we get there, we got a winner */ 00767 break; 00768 } 00769 00770 if( cur == NULL ) 00771 cur = fallback; 00772 00773 /* Do not update ssl->handshake->key_cert unless there is a match */ 00774 if( cur != NULL ) 00775 { 00776 ssl->handshake->key_cert = cur; 00777 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate", 00778 ssl->handshake->key_cert->cert ); 00779 return( 0 ); 00780 } 00781 00782 return( -1 ); 00783 } 00784 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00785 00786 /* 00787 * Check if a given ciphersuite is suitable for use with our config/keys/etc 00788 * Sets ciphersuite_info only if the suite matches. 00789 */ 00790 static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, 00791 const mbedtls_ssl_ciphersuite_t **ciphersuite_info ) 00792 { 00793 const mbedtls_ssl_ciphersuite_t *suite_info; 00794 00795 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00796 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00797 mbedtls_pk_type_t sig_type; 00798 #endif 00799 00800 suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); 00801 if( suite_info == NULL ) 00802 { 00803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00804 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00805 } 00806 00807 MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); 00808 00809 if( suite_info->min_minor_ver > ssl->minor_ver || 00810 suite_info->max_minor_ver < ssl->minor_ver ) 00811 { 00812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); 00813 return( 0 ); 00814 } 00815 00816 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00817 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 00818 ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) 00819 return( 0 ); 00820 #endif 00821 00822 #if defined(MBEDTLS_ARC4_C) 00823 if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && 00824 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) 00825 { 00826 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); 00827 return( 0 ); 00828 } 00829 #endif 00830 00831 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 00832 if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 00833 ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) 00834 { 00835 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " 00836 "not configured or ext missing" ) ); 00837 return( 0 ); 00838 } 00839 #endif 00840 00841 00842 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 00843 if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) && 00844 ( ssl->handshake->curves == NULL || 00845 ssl->handshake->curves[0] == NULL ) ) 00846 { 00847 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00848 "no common elliptic curve" ) ); 00849 return( 0 ); 00850 } 00851 #endif 00852 00853 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 00854 /* If the ciphersuite requires a pre-shared key and we don't 00855 * have one, skip it now rather than failing later */ 00856 if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && 00857 ssl->conf->f_psk == NULL && 00858 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 00859 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 00860 { 00861 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); 00862 return( 0 ); 00863 } 00864 #endif 00865 00866 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 00867 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 00868 /* If the ciphersuite requires signing, check whether 00869 * a suitable hash algorithm is present. */ 00870 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00871 { 00872 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); 00873 if( sig_type != MBEDTLS_PK_NONE && 00874 mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) 00875 { 00876 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " 00877 "for signature algorithm %d", sig_type ) ); 00878 return( 0 ); 00879 } 00880 } 00881 00882 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 00883 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 00884 00885 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00886 /* 00887 * Final check: if ciphersuite requires us to have a 00888 * certificate/key of a particular type: 00889 * - select the appropriate certificate if we have one, or 00890 * - try the next ciphersuite if we don't 00891 * This must be done last since we modify the key_cert list. 00892 */ 00893 if( ssl_pick_cert( ssl, suite_info ) != 0 ) 00894 { 00895 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " 00896 "no suitable certificate" ) ); 00897 return( 0 ); 00898 } 00899 #endif 00900 00901 *ciphersuite_info = suite_info; 00902 return( 0 ); 00903 } 00904 00905 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 00906 static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) 00907 { 00908 int ret, got_common_suite; 00909 unsigned int i, j; 00910 size_t n; 00911 unsigned int ciph_len, sess_len, chal_len; 00912 unsigned char *buf, *p; 00913 const int *ciphersuites; 00914 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 00915 00916 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); 00917 00918 #if defined(MBEDTLS_SSL_RENEGOTIATION) 00919 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 00920 { 00921 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); 00922 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00923 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 00924 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00925 } 00926 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 00927 00928 buf = ssl->in_hdr; 00929 00930 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 ); 00931 00932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d", 00933 buf[2] ) ); 00934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d", 00935 ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) ); 00936 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]", 00937 buf[3], buf[4] ) ); 00938 00939 /* 00940 * SSLv2 Client Hello 00941 * 00942 * Record layer: 00943 * 0 . 1 message length 00944 * 00945 * SSL layer: 00946 * 2 . 2 message type 00947 * 3 . 4 protocol version 00948 */ 00949 if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO || 00950 buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 ) 00951 { 00952 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00953 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00954 } 00955 00956 n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF; 00957 00958 if( n < 17 || n > 512 ) 00959 { 00960 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 00961 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 00962 } 00963 00964 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 00965 ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) 00966 ? buf[4] : ssl->conf->max_minor_ver; 00967 00968 if( ssl->minor_ver < ssl->conf->min_minor_ver ) 00969 { 00970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 00971 " [%d:%d] < [%d:%d]", 00972 ssl->major_ver, ssl->minor_ver, 00973 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 00974 00975 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 00976 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 00977 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 00978 } 00979 00980 ssl->handshake->max_major_ver = buf[3]; 00981 ssl->handshake->max_minor_ver = buf[4]; 00982 00983 if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 ) 00984 { 00985 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 00986 return( ret ); 00987 } 00988 00989 ssl->handshake->update_checksum( ssl, buf + 2, n ); 00990 00991 buf = ssl->in_msg; 00992 n = ssl->in_left - 5; 00993 00994 /* 00995 * 0 . 1 ciphersuitelist length 00996 * 2 . 3 session id length 00997 * 4 . 5 challenge length 00998 * 6 . .. ciphersuitelist 00999 * .. . .. session id 01000 * .. . .. challenge 01001 */ 01002 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n ); 01003 01004 ciph_len = ( buf[0] << 8 ) | buf[1]; 01005 sess_len = ( buf[2] << 8 ) | buf[3]; 01006 chal_len = ( buf[4] << 8 ) | buf[5]; 01007 01008 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d", 01009 ciph_len, sess_len, chal_len ) ); 01010 01011 /* 01012 * Make sure each parameter length is valid 01013 */ 01014 if( ciph_len < 3 || ( ciph_len % 3 ) != 0 ) 01015 { 01016 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01017 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01018 } 01019 01020 if( sess_len > 32 ) 01021 { 01022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01023 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01024 } 01025 01026 if( chal_len < 8 || chal_len > 32 ) 01027 { 01028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01029 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01030 } 01031 01032 if( n != 6 + ciph_len + sess_len + chal_len ) 01033 { 01034 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01035 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01036 } 01037 01038 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01039 buf + 6, ciph_len ); 01040 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", 01041 buf + 6 + ciph_len, sess_len ); 01042 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge", 01043 buf + 6 + ciph_len + sess_len, chal_len ); 01044 01045 p = buf + 6 + ciph_len; 01046 ssl->session_negotiate->id_len = sess_len; 01047 memset( ssl->session_negotiate->id, 0, 01048 sizeof( ssl->session_negotiate->id ) ); 01049 memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len ); 01050 01051 p += sess_len; 01052 memset( ssl->handshake->randbytes, 0, 64 ); 01053 memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ); 01054 01055 /* 01056 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01057 */ 01058 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01059 { 01060 if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01061 { 01062 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01063 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01064 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01065 { 01066 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01067 "during renegotiation" ) ); 01068 01069 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01070 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01071 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01072 } 01073 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01074 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01075 break; 01076 } 01077 } 01078 01079 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01080 for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 ) 01081 { 01082 if( p[0] == 0 && 01083 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01084 p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01085 { 01086 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); 01087 01088 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01089 { 01090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01091 01092 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01093 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01094 01095 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01096 } 01097 01098 break; 01099 } 01100 } 01101 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01102 01103 got_common_suite = 0; 01104 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01105 ciphersuite_info = NULL; 01106 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01107 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01108 for( i = 0; ciphersuites[i] != 0; i++ ) 01109 #else 01110 for( i = 0; ciphersuites[i] != 0; i++ ) 01111 for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) 01112 #endif 01113 { 01114 if( p[0] != 0 || 01115 p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01116 p[2] != ( ( ciphersuites[i] ) & 0xFF ) ) 01117 continue; 01118 01119 got_common_suite = 1; 01120 01121 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01122 &ciphersuite_info ) ) != 0 ) 01123 return( ret ); 01124 01125 if( ciphersuite_info != NULL ) 01126 goto have_ciphersuite_v2; 01127 } 01128 01129 if( got_common_suite ) 01130 { 01131 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01132 "but none of them usable" ) ); 01133 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01134 } 01135 else 01136 { 01137 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01138 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01139 } 01140 01141 have_ciphersuite_v2: 01142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01143 01144 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01145 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01146 01147 /* 01148 * SSLv2 Client Hello relevant renegotiation security checks 01149 */ 01150 if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01151 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01152 { 01153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01154 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01155 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01156 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01157 } 01158 01159 ssl->in_left = 0; 01160 ssl->state++; 01161 01162 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) ); 01163 01164 return( 0 ); 01165 } 01166 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ 01167 01168 /* This function doesn't alert on errors that happen early during 01169 ClientHello parsing because they might indicate that the client is 01170 not talking SSL/TLS at all and would not understand our alert. */ 01171 static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) 01172 { 01173 int ret, got_common_suite; 01174 size_t i, j; 01175 size_t ciph_offset, comp_offset, ext_offset; 01176 size_t msg_len, ciph_len, sess_len, comp_len, ext_len; 01177 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01178 size_t cookie_offset, cookie_len; 01179 #endif 01180 unsigned char *buf, *p, *ext; 01181 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01182 int renegotiation_info_seen = 0; 01183 #endif 01184 int handshake_failure = 0; 01185 const int *ciphersuites; 01186 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 01187 int major, minor; 01188 01189 /* If there is no signature-algorithm extension present, 01190 * we need to fall back to the default values for allowed 01191 * signature-hash pairs. */ 01192 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01193 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01194 int sig_hash_alg_ext_present = 0; 01195 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01196 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01197 01198 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); 01199 01200 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01201 read_record_header: 01202 #endif 01203 /* 01204 * If renegotiating, then the input was read with mbedtls_ssl_read_record(), 01205 * otherwise read it ourselves manually in order to support SSLv2 01206 * ClientHello, which doesn't use the same record layer format. 01207 */ 01208 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01209 if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01210 #endif 01211 { 01212 if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) 01213 { 01214 /* No alert on a read error. */ 01215 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01216 return( ret ); 01217 } 01218 } 01219 01220 buf = ssl->in_hdr; 01221 01222 #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) 01223 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01224 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) 01225 #endif 01226 if( ( buf[0] & 0x80 ) != 0 ) 01227 return( ssl_parse_client_hello_v2( ssl ) ); 01228 #endif 01229 01230 MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) ); 01231 01232 /* 01233 * SSLv3/TLS Client Hello 01234 * 01235 * Record layer: 01236 * 0 . 0 message type 01237 * 1 . 2 protocol version 01238 * 3 . 11 DTLS: epoch + record sequence number 01239 * 3 . 4 message length 01240 */ 01241 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d", 01242 buf[0] ) ); 01243 01244 if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE ) 01245 { 01246 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01247 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01248 } 01249 01250 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d", 01251 ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) ); 01252 01253 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", 01254 buf[1], buf[2] ) ); 01255 01256 mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); 01257 01258 /* According to RFC 5246 Appendix E.1, the version here is typically 01259 * "{03,00}, the lowest version number supported by the client, [or] the 01260 * value of ClientHello.client_version", so the only meaningful check here 01261 * is the major version shouldn't be less than 3 */ 01262 if( major < MBEDTLS_SSL_MAJOR_VERSION_3 ) 01263 { 01264 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01265 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01266 } 01267 01268 /* For DTLS if this is the initial handshake, remember the client sequence 01269 * number to use it in our next message (RFC 6347 4.2.1) */ 01270 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01271 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM 01272 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01273 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01274 #endif 01275 ) 01276 { 01277 /* Epoch should be 0 for initial handshakes */ 01278 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) 01279 { 01280 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01281 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01282 } 01283 01284 memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 ); 01285 01286 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 01287 if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 01288 { 01289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) ); 01290 ssl->next_record_offset = 0; 01291 ssl->in_left = 0; 01292 goto read_record_header; 01293 } 01294 01295 /* No MAC to check yet, so we can update right now */ 01296 mbedtls_ssl_dtls_replay_update( ssl ); 01297 #endif 01298 } 01299 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01300 01301 msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 01302 01303 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01304 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 01305 { 01306 /* Set by mbedtls_ssl_read_record() */ 01307 msg_len = ssl->in_hslen; 01308 } 01309 else 01310 #endif 01311 { 01312 if( msg_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 01313 { 01314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01315 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01316 } 01317 01318 if( ( ret = mbedtls_ssl_fetch_input( ssl, 01319 mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 ) 01320 { 01321 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 01322 return( ret ); 01323 } 01324 01325 /* Done reading this record, get ready for the next one */ 01326 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01327 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01328 ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); 01329 else 01330 #endif 01331 ssl->in_left = 0; 01332 } 01333 01334 buf = ssl->in_msg; 01335 01336 MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len ); 01337 01338 ssl->handshake->update_checksum( ssl, buf, msg_len ); 01339 01340 /* 01341 * Handshake layer: 01342 * 0 . 0 handshake type 01343 * 1 . 3 handshake length 01344 * 4 . 5 DTLS only: message seqence number 01345 * 6 . 8 DTLS only: fragment offset 01346 * 9 . 11 DTLS only: fragment length 01347 */ 01348 if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) ) 01349 { 01350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01351 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01352 } 01353 01354 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) ); 01355 01356 if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 01357 { 01358 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01359 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01360 } 01361 01362 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d", 01363 ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) ); 01364 01365 /* We don't support fragmentation of ClientHello (yet?) */ 01366 if( buf[1] != 0 || 01367 msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) ) 01368 { 01369 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01370 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01371 } 01372 01373 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01374 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01375 { 01376 /* 01377 * Copy the client's handshake message_seq on initial handshakes, 01378 * check sequence number on renego. 01379 */ 01380 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01381 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01382 { 01383 /* This couldn't be done in ssl_prepare_handshake_record() */ 01384 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01385 ssl->in_msg[5]; 01386 01387 if( cli_msg_seq != ssl->handshake->in_msg_seq ) 01388 { 01389 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: " 01390 "%d (expected %d)", cli_msg_seq, 01391 ssl->handshake->in_msg_seq ) ); 01392 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01393 } 01394 01395 ssl->handshake->in_msg_seq++; 01396 } 01397 else 01398 #endif 01399 { 01400 unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) | 01401 ssl->in_msg[5]; 01402 ssl->handshake->out_msg_seq = cli_msg_seq; 01403 ssl->handshake->in_msg_seq = cli_msg_seq + 1; 01404 } 01405 01406 /* 01407 * For now we don't support fragmentation, so make sure 01408 * fragment_offset == 0 and fragment_length == length 01409 */ 01410 if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 || 01411 memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 ) 01412 { 01413 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) ); 01414 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 01415 } 01416 } 01417 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01418 01419 buf += mbedtls_ssl_hs_hdr_len( ssl ); 01420 msg_len -= mbedtls_ssl_hs_hdr_len( ssl ); 01421 01422 /* 01423 * ClientHello layer: 01424 * 0 . 1 protocol version 01425 * 2 . 33 random bytes (starting with 4 bytes of Unix time) 01426 * 34 . 35 session id length (1 byte) 01427 * 35 . 34+x session id 01428 * 35+x . 35+x DTLS only: cookie length (1 byte) 01429 * 36+x . .. DTLS only: cookie 01430 * .. . .. ciphersuite list length (2 bytes) 01431 * .. . .. ciphersuite list 01432 * .. . .. compression alg. list length (1 byte) 01433 * .. . .. compression alg. list 01434 * .. . .. extensions length (2 bytes, optional) 01435 * .. . .. extensions (optional) 01436 */ 01437 01438 /* 01439 * Minimal length (with everything empty and extensions ommitted) is 01440 * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can 01441 * read at least up to session id length without worrying. 01442 */ 01443 if( msg_len < 38 ) 01444 { 01445 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01446 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01447 } 01448 01449 /* 01450 * Check and save the protocol version 01451 */ 01452 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); 01453 01454 mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, 01455 ssl->conf->transport, buf ); 01456 01457 ssl->handshake->max_major_ver = ssl->major_ver; 01458 ssl->handshake->max_minor_ver = ssl->minor_ver; 01459 01460 if( ssl->major_ver < ssl->conf->min_major_ver || 01461 ssl->minor_ver < ssl->conf->min_minor_ver ) 01462 { 01463 MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" 01464 " [%d:%d] < [%d:%d]", 01465 ssl->major_ver, ssl->minor_ver, 01466 ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); 01467 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01468 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01469 return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); 01470 } 01471 01472 if( ssl->major_ver > ssl->conf->max_major_ver ) 01473 { 01474 ssl->major_ver = ssl->conf->max_major_ver; 01475 ssl->minor_ver = ssl->conf->max_minor_ver; 01476 } 01477 else if( ssl->minor_ver > ssl->conf->max_minor_ver ) 01478 ssl->minor_ver = ssl->conf->max_minor_ver; 01479 01480 /* 01481 * Save client random (inc. Unix time) 01482 */ 01483 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 ); 01484 01485 memcpy( ssl->handshake->randbytes, buf + 2, 32 ); 01486 01487 /* 01488 * Check the session ID length and save session ID 01489 */ 01490 sess_len = buf[34]; 01491 01492 if( sess_len > sizeof( ssl->session_negotiate->id ) || 01493 sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */ 01494 { 01495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01496 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01497 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01498 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01499 } 01500 01501 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len ); 01502 01503 ssl->session_negotiate->id_len = sess_len; 01504 memset( ssl->session_negotiate->id, 0, 01505 sizeof( ssl->session_negotiate->id ) ); 01506 memcpy( ssl->session_negotiate->id, buf + 35, 01507 ssl->session_negotiate->id_len ); 01508 01509 /* 01510 * Check the cookie length and content 01511 */ 01512 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01513 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01514 { 01515 cookie_offset = 35 + sess_len; 01516 cookie_len = buf[cookie_offset]; 01517 01518 if( cookie_offset + 1 + cookie_len + 2 > msg_len ) 01519 { 01520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01521 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01522 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); 01523 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01524 } 01525 01526 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie", 01527 buf + cookie_offset + 1, cookie_len ); 01528 01529 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 01530 if( ssl->conf->f_cookie_check != NULL 01531 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01532 && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE 01533 #endif 01534 ) 01535 { 01536 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, 01537 buf + cookie_offset + 1, cookie_len, 01538 ssl->cli_id, ssl->cli_id_len ) != 0 ) 01539 { 01540 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) ); 01541 ssl->handshake->verify_cookie_len = 1; 01542 } 01543 else 01544 { 01545 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) ); 01546 ssl->handshake->verify_cookie_len = 0; 01547 } 01548 } 01549 else 01550 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 01551 { 01552 /* We know we didn't send a cookie, so it should be empty */ 01553 if( cookie_len != 0 ) 01554 { 01555 /* This may be an attacker's probe, so don't send an alert */ 01556 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01557 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01558 } 01559 01560 MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) ); 01561 } 01562 01563 /* 01564 * Check the ciphersuitelist length (will be parsed later) 01565 */ 01566 ciph_offset = cookie_offset + 1 + cookie_len; 01567 } 01568 else 01569 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 01570 ciph_offset = 35 + sess_len; 01571 01572 ciph_len = ( buf[ciph_offset + 0] << 8 ) 01573 | ( buf[ciph_offset + 1] ); 01574 01575 if( ciph_len < 2 || 01576 ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */ 01577 ( ciph_len % 2 ) != 0 ) 01578 { 01579 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01580 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01581 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01582 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01583 } 01584 01585 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", 01586 buf + ciph_offset + 2, ciph_len ); 01587 01588 /* 01589 * Check the compression algorithms length and pick one 01590 */ 01591 comp_offset = ciph_offset + 2 + ciph_len; 01592 01593 comp_len = buf[comp_offset]; 01594 01595 if( comp_len < 1 || 01596 comp_len > 16 || 01597 comp_len + comp_offset + 1 > msg_len ) 01598 { 01599 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01600 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01601 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01602 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01603 } 01604 01605 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression", 01606 buf + comp_offset + 1, comp_len ); 01607 01608 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01609 #if defined(MBEDTLS_ZLIB_SUPPORT) 01610 for( i = 0; i < comp_len; ++i ) 01611 { 01612 if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE ) 01613 { 01614 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE; 01615 break; 01616 } 01617 } 01618 #endif 01619 01620 /* See comments in ssl_write_client_hello() */ 01621 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01622 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01623 ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; 01624 #endif 01625 01626 /* Do not parse the extensions if the protocol is SSLv3 */ 01627 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01628 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 01629 { 01630 #endif 01631 /* 01632 * Check the extension length 01633 */ 01634 ext_offset = comp_offset + 1 + comp_len; 01635 if( msg_len > ext_offset ) 01636 { 01637 if( msg_len < ext_offset + 2 ) 01638 { 01639 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01640 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01641 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01642 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01643 } 01644 01645 ext_len = ( buf[ext_offset + 0] << 8 ) 01646 | ( buf[ext_offset + 1] ); 01647 01648 if( ( ext_len > 0 && ext_len < 4 ) || 01649 msg_len != ext_offset + 2 + ext_len ) 01650 { 01651 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01652 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01653 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01654 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01655 } 01656 } 01657 else 01658 ext_len = 0; 01659 01660 ext = buf + ext_offset + 2; 01661 MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); 01662 01663 while( ext_len != 0 ) 01664 { 01665 unsigned int ext_id = ( ( ext[0] << 8 ) 01666 | ( ext[1] ) ); 01667 unsigned int ext_size = ( ( ext[2] << 8 ) 01668 | ( ext[3] ) ); 01669 01670 if( ext_size + 4 > ext_len ) 01671 { 01672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01673 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01674 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01675 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01676 } 01677 switch( ext_id ) 01678 { 01679 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 01680 case MBEDTLS_TLS_EXT_SERVERNAME: 01681 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); 01682 if( ssl->conf->f_sni == NULL ) 01683 break; 01684 01685 ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); 01686 if( ret != 0 ) 01687 return( ret ); 01688 break; 01689 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 01690 01691 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: 01692 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); 01693 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01694 renegotiation_info_seen = 1; 01695 #endif 01696 01697 ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); 01698 if( ret != 0 ) 01699 return( ret ); 01700 break; 01701 01702 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01703 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01704 case MBEDTLS_TLS_EXT_SIG_ALG: 01705 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); 01706 01707 ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); 01708 if( ret != 0 ) 01709 return( ret ); 01710 01711 sig_hash_alg_ext_present = 1; 01712 break; 01713 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01714 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01715 01716 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 01717 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01718 case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: 01719 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); 01720 01721 ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); 01722 if( ret != 0 ) 01723 return( ret ); 01724 break; 01725 01726 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 01727 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); 01728 ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; 01729 01730 ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); 01731 if( ret != 0 ) 01732 return( ret ); 01733 break; 01734 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || 01735 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01736 01737 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 01738 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: 01739 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); 01740 01741 ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); 01742 if( ret != 0 ) 01743 return( ret ); 01744 break; 01745 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 01746 01747 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 01748 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 01749 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); 01750 01751 ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); 01752 if( ret != 0 ) 01753 return( ret ); 01754 break; 01755 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 01756 01757 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 01758 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 01759 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); 01760 01761 ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); 01762 if( ret != 0 ) 01763 return( ret ); 01764 break; 01765 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 01766 01767 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01768 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 01769 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); 01770 01771 ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); 01772 if( ret != 0 ) 01773 return( ret ); 01774 break; 01775 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01776 01777 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 01778 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 01779 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); 01780 01781 ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); 01782 if( ret != 0 ) 01783 return( ret ); 01784 break; 01785 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 01786 01787 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 01788 case MBEDTLS_TLS_EXT_SESSION_TICKET: 01789 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); 01790 01791 ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); 01792 if( ret != 0 ) 01793 return( ret ); 01794 break; 01795 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01796 01797 #if defined(MBEDTLS_SSL_ALPN) 01798 case MBEDTLS_TLS_EXT_ALPN: 01799 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 01800 01801 ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); 01802 if( ret != 0 ) 01803 return( ret ); 01804 break; 01805 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 01806 01807 default: 01808 MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", 01809 ext_id ) ); 01810 } 01811 01812 ext_len -= 4 + ext_size; 01813 ext += 4 + ext_size; 01814 01815 if( ext_len > 0 && ext_len < 4 ) 01816 { 01817 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); 01818 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01819 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 01820 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01821 } 01822 } 01823 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01824 } 01825 #endif 01826 01827 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) 01828 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01829 { 01830 if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && 01831 p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) 01832 { 01833 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); 01834 01835 if( ssl->minor_ver < ssl->conf->max_minor_ver ) 01836 { 01837 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); 01838 01839 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01840 MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); 01841 01842 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01843 } 01844 01845 break; 01846 } 01847 } 01848 #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ 01849 01850 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01851 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01852 01853 /* 01854 * Try to fall back to default hash SHA1 if the client 01855 * hasn't provided any preferred signature-hash combinations. 01856 */ 01857 if( sig_hash_alg_ext_present == 0 ) 01858 { 01859 mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1; 01860 01861 if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 ) 01862 md_default = MBEDTLS_MD_NONE; 01863 01864 mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default ); 01865 } 01866 01867 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 01868 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 01869 01870 /* 01871 * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV 01872 */ 01873 for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) 01874 { 01875 if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO ) 01876 { 01877 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); 01878 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01879 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 01880 { 01881 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " 01882 "during renegotiation" ) ); 01883 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01884 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01885 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01886 } 01887 #endif 01888 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION; 01889 break; 01890 } 01891 } 01892 01893 /* 01894 * Renegotiation security checks 01895 */ 01896 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && 01897 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) 01898 { 01899 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); 01900 handshake_failure = 1; 01901 } 01902 #if defined(MBEDTLS_SSL_RENEGOTIATION) 01903 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01904 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION && 01905 renegotiation_info_seen == 0 ) 01906 { 01907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) ); 01908 handshake_failure = 1; 01909 } 01910 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01911 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01912 ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) 01913 { 01914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); 01915 handshake_failure = 1; 01916 } 01917 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 01918 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 01919 renegotiation_info_seen == 1 ) 01920 { 01921 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); 01922 handshake_failure = 1; 01923 } 01924 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 01925 01926 if( handshake_failure == 1 ) 01927 { 01928 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01929 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01930 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 01931 } 01932 01933 /* 01934 * Search for a matching ciphersuite 01935 * (At the end because we need information from the EC-based extensions 01936 * and certificate from the SNI callback triggered by the SNI extension.) 01937 */ 01938 got_common_suite = 0; 01939 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; 01940 ciphersuite_info = NULL; 01941 #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) 01942 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01943 for( i = 0; ciphersuites[i] != 0; i++ ) 01944 #else 01945 for( i = 0; ciphersuites[i] != 0; i++ ) 01946 for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) 01947 #endif 01948 { 01949 if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) || 01950 p[1] != ( ( ciphersuites[i] ) & 0xFF ) ) 01951 continue; 01952 01953 got_common_suite = 1; 01954 01955 if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i], 01956 &ciphersuite_info ) ) != 0 ) 01957 return( ret ); 01958 01959 if( ciphersuite_info != NULL ) 01960 goto have_ciphersuite; 01961 } 01962 01963 if( got_common_suite ) 01964 { 01965 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, " 01966 "but none of them usable" ) ); 01967 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01968 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01969 return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE ); 01970 } 01971 else 01972 { 01973 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) ); 01974 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 01975 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); 01976 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 01977 } 01978 01979 have_ciphersuite: 01980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); 01981 01982 ssl->session_negotiate->ciphersuite = ciphersuites[i]; 01983 ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; 01984 01985 ssl->state++; 01986 01987 #if defined(MBEDTLS_SSL_PROTO_DTLS) 01988 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 01989 mbedtls_ssl_recv_flight_completed( ssl ); 01990 #endif 01991 01992 /* Debugging-only output for testsuite */ 01993 #if defined(MBEDTLS_DEBUG_C) && \ 01994 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 01995 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 01996 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 01997 { 01998 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); 01999 if( sig_alg != MBEDTLS_PK_NONE ) 02000 { 02001 mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 02002 sig_alg ); 02003 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", 02004 mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); 02005 } 02006 else 02007 { 02008 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm " 02009 "%d - should not happen", sig_alg ) ); 02010 } 02011 } 02012 #endif 02013 02014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) ); 02015 02016 return( 0 ); 02017 } 02018 02019 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02020 static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, 02021 unsigned char *buf, 02022 size_t *olen ) 02023 { 02024 unsigned char *p = buf; 02025 02026 if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) 02027 { 02028 *olen = 0; 02029 return; 02030 } 02031 02032 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) ); 02033 02034 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF ); 02035 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF ); 02036 02037 *p++ = 0x00; 02038 *p++ = 0x00; 02039 02040 *olen = 4; 02041 } 02042 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 02043 02044 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02045 static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, 02046 unsigned char *buf, 02047 size_t *olen ) 02048 { 02049 unsigned char *p = buf; 02050 const mbedtls_ssl_ciphersuite_t *suite = NULL; 02051 const mbedtls_cipher_info_t *cipher = NULL; 02052 02053 if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || 02054 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02055 { 02056 *olen = 0; 02057 return; 02058 } 02059 02060 /* 02061 * RFC 7366: "If a server receives an encrypt-then-MAC request extension 02062 * from a client and then selects a stream or Authenticated Encryption 02063 * with Associated Data (AEAD) ciphersuite, it MUST NOT send an 02064 * encrypt-then-MAC response extension back to the client." 02065 */ 02066 if( ( suite = mbedtls_ssl_ciphersuite_from_id( 02067 ssl->session_negotiate->ciphersuite ) ) == NULL || 02068 ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || 02069 cipher->mode != MBEDTLS_MODE_CBC ) 02070 { 02071 *olen = 0; 02072 return; 02073 } 02074 02075 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) ); 02076 02077 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF ); 02078 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF ); 02079 02080 *p++ = 0x00; 02081 *p++ = 0x00; 02082 02083 *olen = 4; 02084 } 02085 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 02086 02087 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02088 static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, 02089 unsigned char *buf, 02090 size_t *olen ) 02091 { 02092 unsigned char *p = buf; 02093 02094 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || 02095 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 02096 { 02097 *olen = 0; 02098 return; 02099 } 02100 02101 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret " 02102 "extension" ) ); 02103 02104 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF ); 02105 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF ); 02106 02107 *p++ = 0x00; 02108 *p++ = 0x00; 02109 02110 *olen = 4; 02111 } 02112 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 02113 02114 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02115 static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, 02116 unsigned char *buf, 02117 size_t *olen ) 02118 { 02119 unsigned char *p = buf; 02120 02121 if( ssl->handshake->new_session_ticket == 0 ) 02122 { 02123 *olen = 0; 02124 return; 02125 } 02126 02127 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) ); 02128 02129 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF ); 02130 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF ); 02131 02132 *p++ = 0x00; 02133 *p++ = 0x00; 02134 02135 *olen = 4; 02136 } 02137 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02138 02139 static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, 02140 unsigned char *buf, 02141 size_t *olen ) 02142 { 02143 unsigned char *p = buf; 02144 02145 if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION ) 02146 { 02147 *olen = 0; 02148 return; 02149 } 02150 02151 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) ); 02152 02153 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); 02154 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); 02155 02156 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02157 if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ) 02158 { 02159 *p++ = 0x00; 02160 *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; 02161 *p++ = ssl->verify_data_len * 2 & 0xFF; 02162 02163 memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); 02164 p += ssl->verify_data_len; 02165 memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); 02166 p += ssl->verify_data_len; 02167 } 02168 else 02169 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 02170 { 02171 *p++ = 0x00; 02172 *p++ = 0x01; 02173 *p++ = 0x00; 02174 } 02175 02176 *olen = p - buf; 02177 } 02178 02179 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02180 static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, 02181 unsigned char *buf, 02182 size_t *olen ) 02183 { 02184 unsigned char *p = buf; 02185 02186 if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) 02187 { 02188 *olen = 0; 02189 return; 02190 } 02191 02192 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) ); 02193 02194 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF ); 02195 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF ); 02196 02197 *p++ = 0x00; 02198 *p++ = 1; 02199 02200 *p++ = ssl->session_negotiate->mfl_code; 02201 02202 *olen = 5; 02203 } 02204 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 02205 02206 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02207 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02208 static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, 02209 unsigned char *buf, 02210 size_t *olen ) 02211 { 02212 unsigned char *p = buf; 02213 ((void) ssl); 02214 02215 if( ( ssl->handshake->cli_exts & 02216 MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 ) 02217 { 02218 *olen = 0; 02219 return; 02220 } 02221 02222 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) ); 02223 02224 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF ); 02225 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF ); 02226 02227 *p++ = 0x00; 02228 *p++ = 2; 02229 02230 *p++ = 1; 02231 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED; 02232 02233 *olen = 6; 02234 } 02235 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02236 02237 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02238 static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, 02239 unsigned char *buf, 02240 size_t *olen ) 02241 { 02242 int ret; 02243 unsigned char *p = buf; 02244 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02245 size_t kkpp_len; 02246 02247 *olen = 0; 02248 02249 /* Skip costly computation if not needed */ 02250 if( ssl->transform_negotiate->ciphersuite_info->key_exchange != 02251 MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02252 return; 02253 02254 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); 02255 02256 if( end - p < 4 ) 02257 { 02258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) ); 02259 return; 02260 } 02261 02262 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF ); 02263 *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF ); 02264 02265 ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, 02266 p + 2, end - p - 2, &kkpp_len, 02267 ssl->conf->f_rng, ssl->conf->p_rng ); 02268 if( ret != 0 ) 02269 { 02270 MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); 02271 return; 02272 } 02273 02274 *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF ); 02275 *p++ = (unsigned char)( ( kkpp_len ) & 0xFF ); 02276 02277 *olen = kkpp_len + 4; 02278 } 02279 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02280 02281 #if defined(MBEDTLS_SSL_ALPN ) 02282 static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, 02283 unsigned char *buf, size_t *olen ) 02284 { 02285 if( ssl->alpn_chosen == NULL ) 02286 { 02287 *olen = 0; 02288 return; 02289 } 02290 02291 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) ); 02292 02293 /* 02294 * 0 . 1 ext identifier 02295 * 2 . 3 ext length 02296 * 4 . 5 protocol list length 02297 * 6 . 6 protocol name length 02298 * 7 . 7+n protocol name 02299 */ 02300 buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF ); 02301 buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF ); 02302 02303 *olen = 7 + strlen( ssl->alpn_chosen ); 02304 02305 buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF ); 02306 buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF ); 02307 02308 buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF ); 02309 buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF ); 02310 02311 buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF ); 02312 02313 memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 ); 02314 } 02315 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 02316 02317 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02318 static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) 02319 { 02320 int ret; 02321 unsigned char *p = ssl->out_msg + 4; 02322 unsigned char *cookie_len_byte; 02323 02324 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) ); 02325 02326 /* 02327 * struct { 02328 * ProtocolVersion server_version; 02329 * opaque cookie<0..2^8-1>; 02330 * } HelloVerifyRequest; 02331 */ 02332 02333 /* The RFC is not clear on this point, but sending the actual negotiated 02334 * version looks like the most interoperable thing to do. */ 02335 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02336 ssl->conf->transport, p ); 02337 MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); 02338 p += 2; 02339 02340 /* If we get here, f_cookie_check is not null */ 02341 if( ssl->conf->f_cookie_write == NULL ) 02342 { 02343 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); 02344 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02345 } 02346 02347 /* Skip length byte until we know the length */ 02348 cookie_len_byte = p++; 02349 02350 if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, 02351 &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, 02352 ssl->cli_id, ssl->cli_id_len ) ) != 0 ) 02353 { 02354 MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret ); 02355 return( ret ); 02356 } 02357 02358 *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) ); 02359 02360 MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte ); 02361 02362 ssl->out_msglen = p - ssl->out_msg; 02363 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02364 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 02365 02366 ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; 02367 02368 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02369 { 02370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02371 return( ret ); 02372 } 02373 02374 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) ); 02375 02376 return( 0 ); 02377 } 02378 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02379 02380 static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) 02381 { 02382 #if defined(MBEDTLS_HAVE_TIME) 02383 mbedtls_time_t t; 02384 #endif 02385 int ret; 02386 size_t olen, ext_len = 0, n; 02387 unsigned char *buf, *p; 02388 02389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); 02390 02391 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) 02392 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02393 ssl->handshake->verify_cookie_len != 0 ) 02394 { 02395 MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); 02396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02397 02398 return( ssl_write_hello_verify_request( ssl ) ); 02399 } 02400 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 02401 02402 if( ssl->conf->f_rng == NULL ) 02403 { 02404 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); 02405 return( MBEDTLS_ERR_SSL_NO_RNG ); 02406 } 02407 02408 /* 02409 * 0 . 0 handshake type 02410 * 1 . 3 handshake length 02411 * 4 . 5 protocol version 02412 * 6 . 9 UNIX time() 02413 * 10 . 37 random bytes 02414 */ 02415 buf = ssl->out_msg; 02416 p = buf + 4; 02417 02418 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02419 ssl->conf->transport, p ); 02420 p += 2; 02421 02422 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", 02423 buf[4], buf[5] ) ); 02424 02425 #if defined(MBEDTLS_HAVE_TIME) 02426 t = mbedtls_time( NULL ); 02427 *p++ = (unsigned char)( t >> 24 ); 02428 *p++ = (unsigned char)( t >> 16 ); 02429 *p++ = (unsigned char)( t >> 8 ); 02430 *p++ = (unsigned char)( t ); 02431 02432 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); 02433 #else 02434 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) 02435 return( ret ); 02436 02437 p += 4; 02438 #endif /* MBEDTLS_HAVE_TIME */ 02439 02440 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) 02441 return( ret ); 02442 02443 p += 28; 02444 02445 memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 ); 02446 02447 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); 02448 02449 /* 02450 * Resume is 0 by default, see ssl_handshake_init(). 02451 * It may be already set to 1 by ssl_parse_session_ticket_ext(). 02452 * If not, try looking up session ID in our cache. 02453 */ 02454 if( ssl->handshake->resume == 0 && 02455 #if defined(MBEDTLS_SSL_RENEGOTIATION) 02456 ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && 02457 #endif 02458 ssl->session_negotiate->id_len != 0 && 02459 ssl->conf->f_get_cache != NULL && 02460 ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) 02461 { 02462 MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); 02463 ssl->handshake->resume = 1; 02464 } 02465 02466 if( ssl->handshake->resume == 0 ) 02467 { 02468 /* 02469 * New session, create a new session id, 02470 * unless we're about to issue a session ticket 02471 */ 02472 ssl->state++; 02473 02474 #if defined(MBEDTLS_HAVE_TIME) 02475 ssl->session_negotiate->start = mbedtls_time( NULL ); 02476 #endif 02477 02478 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02479 if( ssl->handshake->new_session_ticket != 0 ) 02480 { 02481 ssl->session_negotiate->id_len = n = 0; 02482 memset( ssl->session_negotiate->id, 0, 32 ); 02483 } 02484 else 02485 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 02486 { 02487 ssl->session_negotiate->id_len = n = 32; 02488 if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 02489 n ) ) != 0 ) 02490 return( ret ); 02491 } 02492 } 02493 else 02494 { 02495 /* 02496 * Resuming a session 02497 */ 02498 n = ssl->session_negotiate->id_len; 02499 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; 02500 02501 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 02502 { 02503 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 02504 return( ret ); 02505 } 02506 } 02507 02508 /* 02509 * 38 . 38 session id length 02510 * 39 . 38+n session id 02511 * 39+n . 40+n chosen ciphersuite 02512 * 41+n . 41+n chosen compression alg. 02513 * 42+n . 43+n extensions length 02514 * 44+n . 43+n+m extensions 02515 */ 02516 *p++ = (unsigned char) ssl->session_negotiate->id_len; 02517 memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len ); 02518 p += ssl->session_negotiate->id_len; 02519 02520 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); 02521 MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); 02522 MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", 02523 ssl->handshake->resume ? "a" : "no" ) ); 02524 02525 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); 02526 *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); 02527 *p++ = (unsigned char)( ssl->session_negotiate->compression ); 02528 02529 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", 02530 mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) ); 02531 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", 02532 ssl->session_negotiate->compression ) ); 02533 02534 /* Do not write the extensions if the protocol is SSLv3 */ 02535 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02536 if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) 02537 { 02538 #endif 02539 02540 /* 02541 * First write extensions, then the total length 02542 */ 02543 ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); 02544 ext_len += olen; 02545 02546 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 02547 ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen ); 02548 ext_len += olen; 02549 #endif 02550 02551 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 02552 ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen ); 02553 ext_len += olen; 02554 #endif 02555 02556 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 02557 ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); 02558 ext_len += olen; 02559 #endif 02560 02561 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 02562 ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen ); 02563 ext_len += olen; 02564 #endif 02565 02566 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 02567 ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen ); 02568 ext_len += olen; 02569 #endif 02570 02571 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 02572 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02573 ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); 02574 ext_len += olen; 02575 #endif 02576 02577 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02578 ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); 02579 ext_len += olen; 02580 #endif 02581 02582 #if defined(MBEDTLS_SSL_ALPN) 02583 ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen ); 02584 ext_len += olen; 02585 #endif 02586 02587 MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) ); 02588 02589 if( ext_len > 0 ) 02590 { 02591 *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF ); 02592 *p++ = (unsigned char)( ( ext_len ) & 0xFF ); 02593 p += ext_len; 02594 } 02595 02596 #if defined(MBEDTLS_SSL_PROTO_SSL3) 02597 } 02598 #endif 02599 02600 ssl->out_msglen = p - buf; 02601 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02602 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; 02603 02604 ret = mbedtls_ssl_write_record( ssl ); 02605 02606 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); 02607 02608 return( ret ); 02609 } 02610 02611 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 02612 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 02613 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 02614 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 02615 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 02616 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 02617 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02618 { 02619 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02620 ssl->transform_negotiate->ciphersuite_info; 02621 02622 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02623 02624 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02625 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02626 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02627 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02628 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02629 { 02630 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02631 ssl->state++; 02632 return( 0 ); 02633 } 02634 02635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02636 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02637 } 02638 #else 02639 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) 02640 { 02641 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 02642 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02643 ssl->transform_negotiate->ciphersuite_info; 02644 size_t dn_size, total_dn_size; /* excluding length bytes */ 02645 size_t ct_len, sa_len; /* including length bytes */ 02646 unsigned char *buf, *p; 02647 const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02648 const mbedtls_x509_crt *crt; 02649 int authmode; 02650 02651 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); 02652 02653 ssl->state++; 02654 02655 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02656 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 02657 authmode = ssl->handshake->sni_authmode; 02658 else 02659 #endif 02660 authmode = ssl->conf->authmode; 02661 02662 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 02663 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 02664 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02665 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 02666 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 02667 authmode == MBEDTLS_SSL_VERIFY_NONE ) 02668 { 02669 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); 02670 return( 0 ); 02671 } 02672 02673 /* 02674 * 0 . 0 handshake type 02675 * 1 . 3 handshake length 02676 * 4 . 4 cert type count 02677 * 5 .. m-1 cert types 02678 * m .. m+1 sig alg length (TLS 1.2 only) 02679 * m+1 .. n-1 SignatureAndHashAlgorithms (TLS 1.2 only) 02680 * n .. n+1 length of all DNs 02681 * n+2 .. n+3 length of DN 1 02682 * n+4 .. ... Distinguished Name #1 02683 * ... .. ... length of DN 2, etc. 02684 */ 02685 buf = ssl->out_msg; 02686 p = buf + 4; 02687 02688 /* 02689 * Supported certificate types 02690 * 02691 * ClientCertificateType certificate_types<1..2^8-1>; 02692 * enum { (255) } ClientCertificateType; 02693 */ 02694 ct_len = 0; 02695 02696 #if defined(MBEDTLS_RSA_C) 02697 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; 02698 #endif 02699 #if defined(MBEDTLS_ECDSA_C) 02700 p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN; 02701 #endif 02702 02703 p[0] = (unsigned char) ct_len++; 02704 p += ct_len; 02705 02706 sa_len = 0; 02707 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 02708 /* 02709 * Add signature_algorithms for verify (TLS 1.2) 02710 * 02711 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>; 02712 * 02713 * struct { 02714 * HashAlgorithm hash; 02715 * SignatureAlgorithm signature; 02716 * } SignatureAndHashAlgorithm; 02717 * 02718 * enum { (255) } HashAlgorithm; 02719 * enum { (255) } SignatureAlgorithm; 02720 */ 02721 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 02722 { 02723 const int *cur; 02724 02725 /* 02726 * Supported signature algorithms 02727 */ 02728 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 02729 { 02730 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur ); 02731 02732 if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) 02733 continue; 02734 02735 #if defined(MBEDTLS_RSA_C) 02736 p[2 + sa_len++] = hash; 02737 p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA; 02738 #endif 02739 #if defined(MBEDTLS_ECDSA_C) 02740 p[2 + sa_len++] = hash; 02741 p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA; 02742 #endif 02743 } 02744 02745 p[0] = (unsigned char)( sa_len >> 8 ); 02746 p[1] = (unsigned char)( sa_len ); 02747 sa_len += 2; 02748 p += sa_len; 02749 } 02750 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 02751 02752 /* 02753 * DistinguishedName certificate_authorities<0..2^16-1>; 02754 * opaque DistinguishedName<1..2^16-1>; 02755 */ 02756 p += 2; 02757 02758 total_dn_size = 0; 02759 02760 if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) 02761 { 02762 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 02763 if( ssl->handshake->sni_ca_chain != NULL ) 02764 crt = ssl->handshake->sni_ca_chain; 02765 else 02766 #endif 02767 crt = ssl->conf->ca_chain; 02768 02769 while( crt != NULL && crt->version != 0 ) 02770 { 02771 dn_size = crt->subject_raw.len; 02772 02773 if( end < p || 02774 (size_t)( end - p ) < dn_size || 02775 (size_t)( end - p ) < 2 + dn_size ) 02776 { 02777 MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); 02778 break; 02779 } 02780 02781 *p++ = (unsigned char)( dn_size >> 8 ); 02782 *p++ = (unsigned char)( dn_size ); 02783 memcpy( p, crt->subject_raw.p, dn_size ); 02784 p += dn_size; 02785 02786 MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); 02787 02788 total_dn_size += 2 + dn_size; 02789 crt = crt->next; 02790 } 02791 } 02792 02793 ssl->out_msglen = p - buf; 02794 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 02795 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; 02796 ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 ); 02797 ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size ); 02798 02799 ret = mbedtls_ssl_write_record( ssl ); 02800 02801 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); 02802 02803 return( ret ); 02804 } 02805 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 02806 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 02807 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 02808 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 02809 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 02810 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 02811 02812 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 02813 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 02814 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) 02815 { 02816 int ret; 02817 02818 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) ) 02819 { 02820 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); 02821 return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); 02822 } 02823 02824 if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, 02825 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ), 02826 MBEDTLS_ECDH_OURS ) ) != 0 ) 02827 { 02828 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret ); 02829 return( ret ); 02830 } 02831 02832 return( 0 ); 02833 } 02834 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || 02835 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 02836 02837 static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) 02838 { 02839 int ret; 02840 size_t n = 0; 02841 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 02842 ssl->transform_negotiate->ciphersuite_info; 02843 02844 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) 02845 unsigned char *p = ssl->out_msg + 4; 02846 size_t len; 02847 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02848 unsigned char *dig_signed = p; 02849 size_t dig_signed_len = 0; 02850 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 02851 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */ 02852 02853 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); 02854 02855 /* 02856 * 02857 * Part 1: Extract static ECDH parameters and abort 02858 * if ServerKeyExchange not needed. 02859 * 02860 */ 02861 02862 /* For suites involving ECDH, extract DH parameters 02863 * from certificate at this point. */ 02864 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED) 02865 if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) 02866 { 02867 ssl_get_ecdh_params_from_cert( ssl ); 02868 } 02869 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */ 02870 02871 /* Key exchanges not involving ephemeral keys don't use 02872 * ServerKeyExchange, so end here. */ 02873 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) 02874 if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) ) 02875 { 02876 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) ); 02877 ssl->state++; 02878 return( 0 ); 02879 } 02880 #endif /* MBEDTLS_KEY_EXCHANGE__NON_PFS__ENABLED */ 02881 02882 /* 02883 * 02884 * Part 2: Provide key exchange parameters for chosen ciphersuite. 02885 * 02886 */ 02887 02888 /* 02889 * - ECJPAKE key exchanges 02890 */ 02891 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 02892 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 02893 { 02894 const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN; 02895 02896 ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, 02897 p, end - p, &len, ssl->conf->f_rng, ssl->conf->p_rng ); 02898 if( ret != 0 ) 02899 { 02900 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); 02901 return( ret ); 02902 } 02903 02904 p += len; 02905 n += len; 02906 } 02907 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 02908 02909 /* 02910 * For (EC)DHE key exchanges with PSK, parameters are prefixed by support 02911 * identity hint (RFC 4279, Sec. 3). Until someone needs this feature, 02912 * we use empty support identity hints here. 02913 **/ 02914 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ 02915 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 02916 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 02917 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 02918 { 02919 *(p++) = 0x00; 02920 *(p++) = 0x00; 02921 02922 n += 2; 02923 } 02924 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || 02925 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 02926 02927 /* 02928 * - DHE key exchanges 02929 */ 02930 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) 02931 if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) 02932 { 02933 if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) 02934 { 02935 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); 02936 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02937 } 02938 02939 /* 02940 * Ephemeral DH parameters: 02941 * 02942 * struct { 02943 * opaque dh_p<1..2^16-1>; 02944 * opaque dh_g<1..2^16-1>; 02945 * opaque dh_Ys<1..2^16-1>; 02946 * } ServerDHParams; 02947 */ 02948 if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, 02949 &ssl->conf->dhm_P, 02950 &ssl->conf->dhm_G ) ) != 0 ) 02951 { 02952 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); 02953 return( ret ); 02954 } 02955 02956 if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx, 02957 (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), 02958 p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 02959 { 02960 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); 02961 return( ret ); 02962 } 02963 02964 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 02965 dig_signed = p; 02966 dig_signed_len = len; 02967 #endif 02968 02969 p += len; 02970 n += len; 02971 02972 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); 02973 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P ); 02974 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G ); 02975 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); 02976 } 02977 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */ 02978 02979 /* 02980 * - ECDHE key exchanges 02981 */ 02982 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) 02983 if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) 02984 { 02985 /* 02986 * Ephemeral ECDH parameters: 02987 * 02988 * struct { 02989 * ECParameters curve_params; 02990 * ECPoint public; 02991 * } ServerECDHParams; 02992 */ 02993 const mbedtls_ecp_curve_info **curve = NULL; 02994 const mbedtls_ecp_group_id *gid; 02995 02996 /* Match our preference list against the offered curves */ 02997 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 02998 for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) 02999 if( (*curve)->grp_id == *gid ) 03000 goto curve_matching_done; 03001 03002 curve_matching_done: 03003 if( curve == NULL || *curve == NULL ) 03004 { 03005 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) ); 03006 return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN ); 03007 } 03008 03009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) ); 03010 03011 if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp, 03012 (*curve)->grp_id ) ) != 0 ) 03013 { 03014 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret ); 03015 return( ret ); 03016 } 03017 03018 if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, 03019 p, MBEDTLS_SSL_MAX_CONTENT_LEN - n, 03020 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03021 { 03022 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); 03023 return( ret ); 03024 } 03025 03026 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03027 dig_signed = p; 03028 dig_signed_len = len; 03029 #endif 03030 03031 p += len; 03032 n += len; 03033 03034 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q ); 03035 } 03036 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ 03037 03038 /* 03039 * 03040 * Part 3: For key exchanges involving the server signing the 03041 * exchange parameters, compute and add the signature here. 03042 * 03043 */ 03044 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) 03045 if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) 03046 { 03047 size_t signature_len = 0; 03048 unsigned int hashlen = 0; 03049 unsigned char hash[64]; 03050 03051 /* 03052 * 3.1: Choose hash algorithm: 03053 * A: For TLS 1.2, obey signature-hash-algorithm extension 03054 * to choose appropriate hash. 03055 * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 03056 * (RFC 4492, Sec. 5.4) 03057 * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) 03058 */ 03059 03060 mbedtls_md_type_t md_alg; 03061 03062 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03063 mbedtls_pk_type_t sig_alg = 03064 mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); 03065 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03066 { 03067 /* A: For TLS 1.2, obey signature-hash-algorithm extension 03068 * (RFC 5246, Sec. 7.4.1.4.1). */ 03069 if( sig_alg == MBEDTLS_PK_NONE || 03070 ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, 03071 sig_alg ) ) == MBEDTLS_MD_NONE ) 03072 { 03073 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03074 /* (... because we choose a cipher suite 03075 * only if there is a matching hash.) */ 03076 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03077 } 03078 } 03079 else 03080 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03081 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03082 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03083 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) 03084 { 03085 /* B: Default hash SHA1 */ 03086 md_alg = MBEDTLS_MD_SHA1; 03087 } 03088 else 03089 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03090 MBEDTLS_SSL_PROTO_TLS1_1 */ 03091 { 03092 /* C: MD5 + SHA1 */ 03093 md_alg = MBEDTLS_MD_NONE; 03094 } 03095 03096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) ); 03097 03098 /* 03099 * 3.2: Compute the hash to be signed 03100 */ 03101 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03102 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03103 if( md_alg == MBEDTLS_MD_NONE ) 03104 { 03105 hashlen = 36; 03106 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, 03107 dig_signed, 03108 dig_signed_len ); 03109 if( ret != 0 ) 03110 return( ret ); 03111 } 03112 else 03113 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 03114 MBEDTLS_SSL_PROTO_TLS1_1 */ 03115 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03116 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03117 if( md_alg != MBEDTLS_MD_NONE ) 03118 { 03119 /* Info from md_alg will be used instead */ 03120 hashlen = 0; 03121 ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, 03122 dig_signed, 03123 dig_signed_len, 03124 md_alg ); 03125 if( ret != 0 ) 03126 return( ret ); 03127 } 03128 else 03129 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 03130 MBEDTLS_SSL_PROTO_TLS1_2 */ 03131 { 03132 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03133 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03134 } 03135 03136 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen != 0 ? hashlen : 03137 (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); 03138 03139 /* 03140 * 3.3: Compute and add the signature 03141 */ 03142 if( mbedtls_ssl_own_key( ssl ) == NULL ) 03143 { 03144 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) ); 03145 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03146 } 03147 03148 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03149 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03150 { 03151 /* 03152 * For TLS 1.2, we need to specify signature and hash algorithm 03153 * explicitly through a prefix to the signature. 03154 * 03155 * struct { 03156 * HashAlgorithm hash; 03157 * SignatureAlgorithm signature; 03158 * } SignatureAndHashAlgorithm; 03159 * 03160 * struct { 03161 * SignatureAndHashAlgorithm algorithm; 03162 * opaque signature<0..2^16-1>; 03163 * } DigitallySigned; 03164 * 03165 */ 03166 03167 *(p++) = mbedtls_ssl_hash_from_md_alg( md_alg ); 03168 *(p++) = mbedtls_ssl_sig_from_pk_alg( sig_alg ); 03169 03170 n += 2; 03171 } 03172 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03173 03174 if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen, 03175 p + 2 , &signature_len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03176 { 03177 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); 03178 return( ret ); 03179 } 03180 03181 *(p++) = (unsigned char)( signature_len >> 8 ); 03182 *(p++) = (unsigned char)( signature_len ); 03183 n += 2; 03184 03185 MBEDTLS_SSL_DEBUG_BUF( 3, "my signature", p, signature_len ); 03186 03187 n += signature_len; 03188 } 03189 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ 03190 03191 /* Done with actual work; add header and send. */ 03192 03193 ssl->out_msglen = 4 + n; 03194 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03195 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; 03196 03197 ssl->state++; 03198 03199 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03200 { 03201 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03202 return( ret ); 03203 } 03204 03205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) ); 03206 03207 return( 0 ); 03208 } 03209 03210 static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) 03211 { 03212 int ret; 03213 03214 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) ); 03215 03216 ssl->out_msglen = 4; 03217 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03218 ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE; 03219 03220 ssl->state++; 03221 03222 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03223 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03224 mbedtls_ssl_send_flight_completed( ssl ); 03225 #endif 03226 03227 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03228 { 03229 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03230 return( ret ); 03231 } 03232 03233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) ); 03234 03235 return( 0 ); 03236 } 03237 03238 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ 03239 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03240 static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p, 03241 const unsigned char *end ) 03242 { 03243 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03244 size_t n; 03245 03246 /* 03247 * Receive G^Y mod P, premaster = (G^Y)^X mod P 03248 */ 03249 if( *p + 2 > end ) 03250 { 03251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03252 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03253 } 03254 03255 n = ( (*p)[0] << 8 ) | (*p)[1]; 03256 *p += 2; 03257 03258 if( *p + n > end ) 03259 { 03260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03261 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03262 } 03263 03264 if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 ) 03265 { 03266 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret ); 03267 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03268 } 03269 03270 *p += n; 03271 03272 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY ); 03273 03274 return( ret ); 03275 } 03276 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || 03277 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03278 03279 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ 03280 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03281 static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, 03282 const unsigned char *p, 03283 const unsigned char *end, 03284 size_t pms_offset ) 03285 { 03286 int ret; 03287 size_t len = mbedtls_pk_get_len( mbedtls_ssl_own_key( ssl ) ); 03288 unsigned char *pms = ssl->handshake->premaster + pms_offset; 03289 unsigned char ver[2]; 03290 unsigned char fake_pms[48], peer_pms[48]; 03291 unsigned char mask; 03292 size_t i, peer_pmslen; 03293 unsigned int diff; 03294 03295 if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_RSA ) ) 03296 { 03297 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) ); 03298 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03299 } 03300 03301 /* 03302 * Decrypt the premaster using own private RSA key 03303 */ 03304 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03305 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03306 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 03307 { 03308 if( *p++ != ( ( len >> 8 ) & 0xFF ) || 03309 *p++ != ( ( len ) & 0xFF ) ) 03310 { 03311 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03312 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03313 } 03314 } 03315 #endif 03316 03317 if( p + len != end ) 03318 { 03319 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03320 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03321 } 03322 03323 mbedtls_ssl_write_version( ssl->handshake->max_major_ver, 03324 ssl->handshake->max_minor_ver, 03325 ssl->conf->transport, ver ); 03326 03327 /* 03328 * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding 03329 * must not cause the connection to end immediately; instead, send a 03330 * bad_record_mac later in the handshake. 03331 * Also, avoid data-dependant branches here to protect against 03332 * timing-based variants. 03333 */ 03334 ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); 03335 if( ret != 0 ) 03336 return( ret ); 03337 03338 ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len, 03339 peer_pms, &peer_pmslen, 03340 sizeof( peer_pms ), 03341 ssl->conf->f_rng, ssl->conf->p_rng ); 03342 03343 diff = (unsigned int) ret; 03344 diff |= peer_pmslen ^ 48; 03345 diff |= peer_pms[0] ^ ver[0]; 03346 diff |= peer_pms[1] ^ ver[1]; 03347 03348 #if defined(MBEDTLS_SSL_DEBUG_ALL) 03349 if( diff != 0 ) 03350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03351 #endif 03352 03353 if( sizeof( ssl->handshake->premaster ) < pms_offset || 03354 sizeof( ssl->handshake->premaster ) - pms_offset < 48 ) 03355 { 03356 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03357 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03358 } 03359 ssl->handshake->pmslen = 48; 03360 03361 /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ 03362 /* MSVC has a warning about unary minus on unsigned, but this is 03363 * well-defined and precisely what we want to do here */ 03364 #if defined(_MSC_VER) 03365 #pragma warning( push ) 03366 #pragma warning( disable : 4146 ) 03367 #endif 03368 mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) ); 03369 #if defined(_MSC_VER) 03370 #pragma warning( pop ) 03371 #endif 03372 03373 for( i = 0; i < ssl->handshake->pmslen; i++ ) 03374 pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] ); 03375 03376 return( 0 ); 03377 } 03378 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || 03379 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03380 03381 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 03382 static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p, 03383 const unsigned char *end ) 03384 { 03385 int ret = 0; 03386 size_t n; 03387 03388 if( ssl->conf->f_psk == NULL && 03389 ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || 03390 ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) 03391 { 03392 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); 03393 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); 03394 } 03395 03396 /* 03397 * Receive client pre-shared key identity name 03398 */ 03399 if( end - *p < 2 ) 03400 { 03401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03402 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03403 } 03404 03405 n = ( (*p)[0] << 8 ) | (*p)[1]; 03406 *p += 2; 03407 03408 if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) ) 03409 { 03410 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03411 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03412 } 03413 03414 if( ssl->conf->f_psk != NULL ) 03415 { 03416 if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) 03417 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03418 } 03419 else 03420 { 03421 /* Identity is not a big secret since clients send it in the clear, 03422 * but treat it carefully anyway, just in case */ 03423 if( n != ssl->conf->psk_identity_len || 03424 mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) 03425 { 03426 ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; 03427 } 03428 } 03429 03430 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ) 03431 { 03432 MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n ); 03433 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03434 MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); 03435 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); 03436 } 03437 03438 *p += n; 03439 03440 return( 0 ); 03441 } 03442 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 03443 03444 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) 03445 { 03446 int ret; 03447 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 03448 unsigned char *p, *end; 03449 03450 ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 03451 03452 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); 03453 03454 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 03455 { 03456 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 03457 return( ret ); 03458 } 03459 03460 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); 03461 end = ssl->in_msg + ssl->in_hslen; 03462 03463 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 03464 { 03465 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03466 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03467 } 03468 03469 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE ) 03470 { 03471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); 03472 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03473 } 03474 03475 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) 03476 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) 03477 { 03478 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03479 { 03480 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03481 return( ret ); 03482 } 03483 03484 if( p != end ) 03485 { 03486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03487 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03488 } 03489 03490 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 03491 ssl->handshake->premaster, 03492 MBEDTLS_PREMASTER_SIZE, 03493 &ssl->handshake->pmslen, 03494 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03495 { 03496 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 03497 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03498 } 03499 03500 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 03501 } 03502 else 03503 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 03504 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ 03505 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ 03506 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ 03507 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 03508 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || 03509 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || 03510 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || 03511 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) 03512 { 03513 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03514 p, end - p) ) != 0 ) 03515 { 03516 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03517 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03518 } 03519 03520 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03521 03522 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, 03523 &ssl->handshake->pmslen, 03524 ssl->handshake->premaster, 03525 MBEDTLS_MPI_MAX_SIZE, 03526 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 03527 { 03528 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 03529 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); 03530 } 03531 03532 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z ); 03533 } 03534 else 03535 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || 03536 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || 03537 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || 03538 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 03539 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 03540 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) 03541 { 03542 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03543 { 03544 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03545 return( ret ); 03546 } 03547 03548 if( p != end ) 03549 { 03550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03551 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03552 } 03553 03554 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03555 ciphersuite_info->key_exchange ) ) != 0 ) 03556 { 03557 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03558 return( ret ); 03559 } 03560 } 03561 else 03562 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 03563 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 03564 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 03565 { 03566 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03567 { 03568 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03569 return( ret ); 03570 } 03571 03572 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 ) 03573 { 03574 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret ); 03575 return( ret ); 03576 } 03577 03578 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03579 ciphersuite_info->key_exchange ) ) != 0 ) 03580 { 03581 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03582 return( ret ); 03583 } 03584 } 03585 else 03586 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 03587 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 03588 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 03589 { 03590 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03591 { 03592 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03593 return( ret ); 03594 } 03595 if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) 03596 { 03597 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret ); 03598 return( ret ); 03599 } 03600 03601 if( p != end ) 03602 { 03603 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) ); 03604 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); 03605 } 03606 03607 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03608 ciphersuite_info->key_exchange ) ) != 0 ) 03609 { 03610 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03611 return( ret ); 03612 } 03613 } 03614 else 03615 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 03616 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 03617 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 03618 { 03619 if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) 03620 { 03621 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); 03622 return( ret ); 03623 } 03624 03625 if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, 03626 p, end - p ) ) != 0 ) 03627 { 03628 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret ); 03629 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP ); 03630 } 03631 03632 MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp ); 03633 03634 if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, 03635 ciphersuite_info->key_exchange ) ) != 0 ) 03636 { 03637 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); 03638 return( ret ); 03639 } 03640 } 03641 else 03642 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 03643 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) 03644 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) 03645 { 03646 if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) 03647 { 03648 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret ); 03649 return( ret ); 03650 } 03651 } 03652 else 03653 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ 03654 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 03655 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03656 { 03657 ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, 03658 p, end - p ); 03659 if( ret != 0 ) 03660 { 03661 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret ); 03662 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 03663 } 03664 03665 ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, 03666 ssl->handshake->premaster, 32, &ssl->handshake->pmslen, 03667 ssl->conf->f_rng, ssl->conf->p_rng ); 03668 if( ret != 0 ) 03669 { 03670 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); 03671 return( ret ); 03672 } 03673 } 03674 else 03675 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 03676 { 03677 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03678 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03679 } 03680 03681 if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) 03682 { 03683 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); 03684 return( ret ); 03685 } 03686 03687 ssl->state++; 03688 03689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) ); 03690 03691 return( 0 ); 03692 } 03693 03694 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 03695 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 03696 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 03697 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 03698 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \ 03699 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 03700 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03701 { 03702 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03703 ssl->transform_negotiate->ciphersuite_info; 03704 03705 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03706 03707 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03708 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03709 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03710 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03711 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 03712 { 03713 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03714 ssl->state++; 03715 return( 0 ); 03716 } 03717 03718 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03719 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03720 } 03721 #else 03722 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) 03723 { 03724 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 03725 size_t i, sig_len; 03726 unsigned char hash[48]; 03727 unsigned char *hash_start = hash; 03728 size_t hashlen; 03729 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03730 mbedtls_pk_type_t pk_alg; 03731 #endif 03732 mbedtls_md_type_t md_alg; 03733 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 03734 ssl->transform_negotiate->ciphersuite_info; 03735 03736 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); 03737 03738 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 03739 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || 03740 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 03741 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 03742 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE || 03743 ssl->session_negotiate->peer_cert == NULL ) 03744 { 03745 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); 03746 ssl->state++; 03747 return( 0 ); 03748 } 03749 03750 /* Read the message without adding it to the checksum */ 03751 do { 03752 03753 if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 ) 03754 { 03755 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03756 return( ret ); 03757 } 03758 03759 ret = mbedtls_ssl_handle_message_type( ssl ); 03760 03761 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ); 03762 03763 if( 0 != ret ) 03764 { 03765 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); 03766 return( ret ); 03767 } 03768 03769 ssl->state++; 03770 03771 /* Process the message contents */ 03772 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE || 03773 ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY ) 03774 { 03775 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03776 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03777 } 03778 03779 i = mbedtls_ssl_hs_hdr_len( ssl ); 03780 03781 /* 03782 * struct { 03783 * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only 03784 * opaque signature<0..2^16-1>; 03785 * } DigitallySigned; 03786 */ 03787 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 03788 defined(MBEDTLS_SSL_PROTO_TLS1_1) 03789 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 03790 { 03791 md_alg = MBEDTLS_MD_NONE; 03792 hashlen = 36; 03793 03794 /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ 03795 if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, 03796 MBEDTLS_PK_ECDSA ) ) 03797 { 03798 hash_start += 16; 03799 hashlen -= 16; 03800 md_alg = MBEDTLS_MD_SHA1; 03801 } 03802 } 03803 else 03804 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || 03805 MBEDTLS_SSL_PROTO_TLS1_1 */ 03806 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 03807 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 03808 { 03809 if( i + 2 > ssl->in_hslen ) 03810 { 03811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03812 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03813 } 03814 03815 /* 03816 * Hash 03817 */ 03818 md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] ); 03819 03820 if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) ) 03821 { 03822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03823 " for verify message" ) ); 03824 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03825 } 03826 03827 #if !defined(MBEDTLS_MD_SHA1) 03828 if( MBEDTLS_MD_SHA1 == md_alg ) 03829 hash_start += 16; 03830 #endif 03831 03832 /* Info from md_alg will be used instead */ 03833 hashlen = 0; 03834 03835 i++; 03836 03837 /* 03838 * Signature 03839 */ 03840 if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) ) 03841 == MBEDTLS_PK_NONE ) 03842 { 03843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" 03844 " for verify message" ) ); 03845 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03846 } 03847 03848 /* 03849 * Check the certificate's key type matches the signature alg 03850 */ 03851 if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) 03852 { 03853 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); 03854 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03855 } 03856 03857 i++; 03858 } 03859 else 03860 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 03861 { 03862 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03863 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03864 } 03865 03866 if( i + 2 > ssl->in_hslen ) 03867 { 03868 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03869 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03870 } 03871 03872 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; 03873 i += 2; 03874 03875 if( i + sig_len != ssl->in_hslen ) 03876 { 03877 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); 03878 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); 03879 } 03880 03881 /* Calculate hash and verify signature */ 03882 ssl->handshake->calc_verify( ssl, hash ); 03883 03884 if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, 03885 md_alg, hash_start, hashlen, 03886 ssl->in_msg + i, sig_len ) ) != 0 ) 03887 { 03888 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); 03889 return( ret ); 03890 } 03891 03892 mbedtls_ssl_update_handshake_status( ssl ); 03893 03894 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); 03895 03896 return( ret ); 03897 } 03898 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED && 03899 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED && 03900 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED && 03901 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED && 03902 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED && 03903 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ 03904 03905 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 03906 static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) 03907 { 03908 int ret; 03909 size_t tlen; 03910 uint32_t lifetime; 03911 03912 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); 03913 03914 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 03915 ssl->out_msg[0] = MBEDTLS_SSL_HS_NEW_SESSION_TICKET; 03916 03917 /* 03918 * struct { 03919 * uint32 ticket_lifetime_hint; 03920 * opaque ticket<0..2^16-1>; 03921 * } NewSessionTicket; 03922 * 03923 * 4 . 7 ticket_lifetime_hint (0 = unspecified) 03924 * 8 . 9 ticket_len (n) 03925 * 10 . 9+n ticket content 03926 */ 03927 03928 if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket, 03929 ssl->session_negotiate, 03930 ssl->out_msg + 10, 03931 ssl->out_msg + MBEDTLS_SSL_MAX_CONTENT_LEN, 03932 &tlen, &lifetime ) ) != 0 ) 03933 { 03934 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret ); 03935 tlen = 0; 03936 } 03937 03938 ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF; 03939 ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF; 03940 ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF; 03941 ssl->out_msg[7] = ( lifetime ) & 0xFF; 03942 03943 ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF ); 03944 ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF ); 03945 03946 ssl->out_msglen = 10 + tlen; 03947 03948 /* 03949 * Morally equivalent to updating ssl->state, but NewSessionTicket and 03950 * ChangeCipherSpec share the same state. 03951 */ 03952 ssl->handshake->new_session_ticket = 0; 03953 03954 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 03955 { 03956 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 03957 return( ret ); 03958 } 03959 03960 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) ); 03961 03962 return( 0 ); 03963 } 03964 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 03965 03966 /* 03967 * SSL handshake -- server side -- single step 03968 */ 03969 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) 03970 { 03971 int ret = 0; 03972 03973 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) 03974 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03975 03976 MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) ); 03977 03978 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 03979 return( ret ); 03980 03981 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03982 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03983 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 03984 { 03985 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03986 return( ret ); 03987 } 03988 #endif 03989 03990 switch( ssl->state ) 03991 { 03992 case MBEDTLS_SSL_HELLO_REQUEST: 03993 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 03994 break; 03995 03996 /* 03997 * <== ClientHello 03998 */ 03999 case MBEDTLS_SSL_CLIENT_HELLO: 04000 ret = ssl_parse_client_hello( ssl ); 04001 break; 04002 04003 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04004 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: 04005 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 04006 #endif 04007 04008 /* 04009 * ==> ServerHello 04010 * Certificate 04011 * ( ServerKeyExchange ) 04012 * ( CertificateRequest ) 04013 * ServerHelloDone 04014 */ 04015 case MBEDTLS_SSL_SERVER_HELLO: 04016 ret = ssl_write_server_hello( ssl ); 04017 break; 04018 04019 case MBEDTLS_SSL_SERVER_CERTIFICATE: 04020 ret = mbedtls_ssl_write_certificate( ssl ); 04021 break; 04022 04023 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE: 04024 ret = ssl_write_server_key_exchange( ssl ); 04025 break; 04026 04027 case MBEDTLS_SSL_CERTIFICATE_REQUEST: 04028 ret = ssl_write_certificate_request( ssl ); 04029 break; 04030 04031 case MBEDTLS_SSL_SERVER_HELLO_DONE: 04032 ret = ssl_write_server_hello_done( ssl ); 04033 break; 04034 04035 /* 04036 * <== ( Certificate/Alert ) 04037 * ClientKeyExchange 04038 * ( CertificateVerify ) 04039 * ChangeCipherSpec 04040 * Finished 04041 */ 04042 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 04043 ret = mbedtls_ssl_parse_certificate( ssl ); 04044 break; 04045 04046 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE: 04047 ret = ssl_parse_client_key_exchange( ssl ); 04048 break; 04049 04050 case MBEDTLS_SSL_CERTIFICATE_VERIFY: 04051 ret = ssl_parse_certificate_verify( ssl ); 04052 break; 04053 04054 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC: 04055 ret = mbedtls_ssl_parse_change_cipher_spec( ssl ); 04056 break; 04057 04058 case MBEDTLS_SSL_CLIENT_FINISHED: 04059 ret = mbedtls_ssl_parse_finished( ssl ); 04060 break; 04061 04062 /* 04063 * ==> ( NewSessionTicket ) 04064 * ChangeCipherSpec 04065 * Finished 04066 */ 04067 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC: 04068 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 04069 if( ssl->handshake->new_session_ticket != 0 ) 04070 ret = ssl_write_new_session_ticket( ssl ); 04071 else 04072 #endif 04073 ret = mbedtls_ssl_write_change_cipher_spec( ssl ); 04074 break; 04075 04076 case MBEDTLS_SSL_SERVER_FINISHED: 04077 ret = mbedtls_ssl_write_finished( ssl ); 04078 break; 04079 04080 case MBEDTLS_SSL_FLUSH_BUFFERS: 04081 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) ); 04082 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 04083 break; 04084 04085 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: 04086 mbedtls_ssl_handshake_wrapup( ssl ); 04087 break; 04088 04089 default: 04090 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); 04091 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04092 } 04093 04094 return( ret ); 04095 } 04096 #endif /* MBEDTLS_SSL_SRV_C */
Generated on Fri Jul 22 2022 04:54:01 by
1.7.2