BA
/
SerialCom
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Fork of
OmniWheels
by 
Gustav Atmel
Embed:
(wiki syntax)
Show/hide line numbers
ssl_tls.c
00001 /* 00002 * SSLv3/TLSv1 shared functions 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The SSL 3.0 specification was drafted by Netscape in 1996, 00023 * and became an IETF standard in 1999. 00024 * 00025 * http://wp.netscape.com/eng/ssl3/ 00026 * http://www.ietf.org/rfc/rfc2246.txt 00027 * http://www.ietf.org/rfc/rfc4346.txt 00028 */ 00029 00030 #if !defined(MBEDTLS_CONFIG_FILE) 00031 #include "mbedtls/config.h" 00032 #else 00033 #include MBEDTLS_CONFIG_FILE 00034 #endif 00035 00036 #if defined(MBEDTLS_SSL_TLS_C) 00037 00038 #if defined(MBEDTLS_PLATFORM_C) 00039 #include "mbedtls/platform.h" 00040 #else 00041 #include <stdlib.h> 00042 #define mbedtls_calloc calloc 00043 #define mbedtls_free free 00044 #endif 00045 00046 #include "mbedtls/debug.h" 00047 #include "mbedtls/ssl.h" 00048 #include "mbedtls/ssl_internal.h" 00049 00050 #include <string.h> 00051 00052 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00053 #include "mbedtls/oid.h" 00054 #endif 00055 00056 /* Implementation that should never be optimized out by the compiler */ 00057 static void mbedtls_zeroize( void *v, size_t n ) { 00058 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00059 } 00060 00061 /* Length of the "epoch" field in the record header */ 00062 static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) 00063 { 00064 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00065 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 00066 return( 2 ); 00067 #else 00068 ((void) ssl); 00069 #endif 00070 return( 0 ); 00071 } 00072 00073 /* 00074 * Start a timer. 00075 * Passing millisecs = 0 cancels a running timer. 00076 */ 00077 static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) 00078 { 00079 if( ssl->f_set_timer == NULL ) 00080 return; 00081 00082 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); 00083 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); 00084 } 00085 00086 /* 00087 * Return -1 is timer is expired, 0 if it isn't. 00088 */ 00089 static int ssl_check_timer( mbedtls_ssl_context *ssl ) 00090 { 00091 if( ssl->f_get_timer == NULL ) 00092 return( 0 ); 00093 00094 if( ssl->f_get_timer( ssl->p_timer ) == 2 ) 00095 { 00096 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); 00097 return( -1 ); 00098 } 00099 00100 return( 0 ); 00101 } 00102 00103 #if defined(MBEDTLS_SSL_PROTO_DTLS) 00104 /* 00105 * Double the retransmit timeout value, within the allowed range, 00106 * returning -1 if the maximum value has already been reached. 00107 */ 00108 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) 00109 { 00110 uint32_t new_timeout; 00111 00112 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) 00113 return( -1 ); 00114 00115 new_timeout = 2 * ssl->handshake->retransmit_timeout; 00116 00117 /* Avoid arithmetic overflow and range overflow */ 00118 if( new_timeout < ssl->handshake->retransmit_timeout || 00119 new_timeout > ssl->conf->hs_timeout_max ) 00120 { 00121 new_timeout = ssl->conf->hs_timeout_max; 00122 } 00123 00124 ssl->handshake->retransmit_timeout = new_timeout; 00125 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00126 ssl->handshake->retransmit_timeout ) ); 00127 00128 return( 0 ); 00129 } 00130 00131 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) 00132 { 00133 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; 00134 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", 00135 ssl->handshake->retransmit_timeout ) ); 00136 } 00137 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 00138 00139 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 00140 /* 00141 * Convert max_fragment_length codes to length. 00142 * RFC 6066 says: 00143 * enum{ 00144 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 00145 * } MaxFragmentLength; 00146 * and we add 0 -> extension unused 00147 */ 00148 static unsigned int mfl_code_to_length[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID] = 00149 { 00150 MBEDTLS_SSL_MAX_CONTENT_LEN, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */ 00151 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */ 00152 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */ 00153 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */ 00154 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */ 00155 }; 00156 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 00157 00158 #if defined(MBEDTLS_SSL_CLI_C) 00159 static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src ) 00160 { 00161 mbedtls_ssl_session_free( dst ); 00162 memcpy( dst, src, sizeof( mbedtls_ssl_session ) ); 00163 00164 #if defined(MBEDTLS_X509_CRT_PARSE_C) 00165 if( src->peer_cert != NULL ) 00166 { 00167 int ret; 00168 00169 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); 00170 if( dst->peer_cert == NULL ) 00171 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00172 00173 mbedtls_x509_crt_init( dst->peer_cert ); 00174 00175 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p, 00176 src->peer_cert->raw.len ) ) != 0 ) 00177 { 00178 mbedtls_free( dst->peer_cert ); 00179 dst->peer_cert = NULL; 00180 return( ret ); 00181 } 00182 } 00183 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 00184 00185 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 00186 if( src->ticket != NULL ) 00187 { 00188 dst->ticket = mbedtls_calloc( 1, src->ticket_len ); 00189 if( dst->ticket == NULL ) 00190 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00191 00192 memcpy( dst->ticket, src->ticket, src->ticket_len ); 00193 } 00194 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 00195 00196 return( 0 ); 00197 } 00198 #endif /* MBEDTLS_SSL_CLI_C */ 00199 00200 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00201 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, 00202 const unsigned char *key_enc, const unsigned char *key_dec, 00203 size_t keylen, 00204 const unsigned char *iv_enc, const unsigned char *iv_dec, 00205 size_t ivlen, 00206 const unsigned char *mac_enc, const unsigned char *mac_dec, 00207 size_t maclen ) = NULL; 00208 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL; 00209 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL; 00210 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL; 00211 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; 00212 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; 00213 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00214 00215 /* 00216 * Key material generation 00217 */ 00218 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00219 static int ssl3_prf( const unsigned char *secret, size_t slen, 00220 const char *label, 00221 const unsigned char *random, size_t rlen, 00222 unsigned char *dstbuf, size_t dlen ) 00223 { 00224 int ret = 0; 00225 size_t i; 00226 mbedtls_md5_context md5; 00227 mbedtls_sha1_context sha1; 00228 unsigned char padding[16]; 00229 unsigned char sha1sum[20]; 00230 ((void)label); 00231 00232 mbedtls_md5_init( &md5 ); 00233 mbedtls_sha1_init( &sha1 ); 00234 00235 /* 00236 * SSLv3: 00237 * block = 00238 * MD5( secret + SHA1( 'A' + secret + random ) ) + 00239 * MD5( secret + SHA1( 'BB' + secret + random ) ) + 00240 * MD5( secret + SHA1( 'CCC' + secret + random ) ) + 00241 * ... 00242 */ 00243 for( i = 0; i < dlen / 16; i++ ) 00244 { 00245 memset( padding, (unsigned char) ('A' + i), 1 + i ); 00246 00247 if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 ) 00248 goto exit; 00249 if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 ) 00250 goto exit; 00251 if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 ) 00252 goto exit; 00253 if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 ) 00254 goto exit; 00255 if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 ) 00256 goto exit; 00257 00258 if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 ) 00259 goto exit; 00260 if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 ) 00261 goto exit; 00262 if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 ) 00263 goto exit; 00264 if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 ) 00265 goto exit; 00266 } 00267 00268 exit: 00269 mbedtls_md5_free( &md5 ); 00270 mbedtls_sha1_free( &sha1 ); 00271 00272 mbedtls_zeroize( padding, sizeof( padding ) ); 00273 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 00274 00275 return( ret ); 00276 } 00277 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00278 00279 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00280 static int tls1_prf( const unsigned char *secret, size_t slen, 00281 const char *label, 00282 const unsigned char *random, size_t rlen, 00283 unsigned char *dstbuf, size_t dlen ) 00284 { 00285 size_t nb, hs; 00286 size_t i, j, k; 00287 const unsigned char *S1, *S2; 00288 unsigned char tmp[128]; 00289 unsigned char h_i[20]; 00290 const mbedtls_md_info_t *md_info; 00291 mbedtls_md_context_t md_ctx; 00292 int ret; 00293 00294 mbedtls_md_init( &md_ctx ); 00295 00296 if( sizeof( tmp ) < 20 + strlen( label ) + rlen ) 00297 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00298 00299 hs = ( slen + 1 ) / 2; 00300 S1 = secret; 00301 S2 = secret + slen - hs; 00302 00303 nb = strlen( label ); 00304 memcpy( tmp + 20, label, nb ); 00305 memcpy( tmp + 20 + nb, random, rlen ); 00306 nb += rlen; 00307 00308 /* 00309 * First compute P_md5(secret,label+random)[0..dlen] 00310 */ 00311 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) 00312 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00313 00314 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00315 return( ret ); 00316 00317 mbedtls_md_hmac_starts( &md_ctx, S1, hs ); 00318 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00319 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00320 00321 for( i = 0; i < dlen; i += 16 ) 00322 { 00323 mbedtls_md_hmac_reset ( &md_ctx ); 00324 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); 00325 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00326 00327 mbedtls_md_hmac_reset ( &md_ctx ); 00328 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); 00329 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); 00330 00331 k = ( i + 16 > dlen ) ? dlen % 16 : 16; 00332 00333 for( j = 0; j < k; j++ ) 00334 dstbuf[i + j] = h_i[j]; 00335 } 00336 00337 mbedtls_md_free( &md_ctx ); 00338 00339 /* 00340 * XOR out with P_sha1(secret,label+random)[0..dlen] 00341 */ 00342 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) 00343 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00344 00345 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00346 return( ret ); 00347 00348 mbedtls_md_hmac_starts( &md_ctx, S2, hs ); 00349 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); 00350 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00351 00352 for( i = 0; i < dlen; i += 20 ) 00353 { 00354 mbedtls_md_hmac_reset ( &md_ctx ); 00355 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); 00356 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00357 00358 mbedtls_md_hmac_reset ( &md_ctx ); 00359 mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); 00360 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00361 00362 k = ( i + 20 > dlen ) ? dlen % 20 : 20; 00363 00364 for( j = 0; j < k; j++ ) 00365 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); 00366 } 00367 00368 mbedtls_md_free( &md_ctx ); 00369 00370 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00371 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00372 00373 return( 0 ); 00374 } 00375 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ 00376 00377 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00378 static int tls_prf_generic( mbedtls_md_type_t md_type, 00379 const unsigned char *secret, size_t slen, 00380 const char *label, 00381 const unsigned char *random, size_t rlen, 00382 unsigned char *dstbuf, size_t dlen ) 00383 { 00384 size_t nb; 00385 size_t i, j, k, md_len; 00386 unsigned char tmp[128]; 00387 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 00388 const mbedtls_md_info_t *md_info; 00389 mbedtls_md_context_t md_ctx; 00390 int ret; 00391 00392 mbedtls_md_init( &md_ctx ); 00393 00394 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL ) 00395 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00396 00397 md_len = mbedtls_md_get_size( md_info ); 00398 00399 if( sizeof( tmp ) < md_len + strlen( label ) + rlen ) 00400 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00401 00402 nb = strlen( label ); 00403 memcpy( tmp + md_len, label, nb ); 00404 memcpy( tmp + md_len + nb, random, rlen ); 00405 nb += rlen; 00406 00407 /* 00408 * Compute P_<hash>(secret, label + random)[0..dlen] 00409 */ 00410 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) 00411 return( ret ); 00412 00413 mbedtls_md_hmac_starts( &md_ctx, secret, slen ); 00414 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb ); 00415 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00416 00417 for( i = 0; i < dlen; i += md_len ) 00418 { 00419 mbedtls_md_hmac_reset ( &md_ctx ); 00420 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb ); 00421 mbedtls_md_hmac_finish( &md_ctx, h_i ); 00422 00423 mbedtls_md_hmac_reset ( &md_ctx ); 00424 mbedtls_md_hmac_update( &md_ctx, tmp, md_len ); 00425 mbedtls_md_hmac_finish( &md_ctx, tmp ); 00426 00427 k = ( i + md_len > dlen ) ? dlen % md_len : md_len; 00428 00429 for( j = 0; j < k; j++ ) 00430 dstbuf[i + j] = h_i[j]; 00431 } 00432 00433 mbedtls_md_free( &md_ctx ); 00434 00435 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00436 mbedtls_zeroize( h_i, sizeof( h_i ) ); 00437 00438 return( 0 ); 00439 } 00440 00441 #if defined(MBEDTLS_SHA256_C) 00442 static int tls_prf_sha256( const unsigned char *secret, size_t slen, 00443 const char *label, 00444 const unsigned char *random, size_t rlen, 00445 unsigned char *dstbuf, size_t dlen ) 00446 { 00447 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen, 00448 label, random, rlen, dstbuf, dlen ) ); 00449 } 00450 #endif /* MBEDTLS_SHA256_C */ 00451 00452 #if defined(MBEDTLS_SHA512_C) 00453 static int tls_prf_sha384( const unsigned char *secret, size_t slen, 00454 const char *label, 00455 const unsigned char *random, size_t rlen, 00456 unsigned char *dstbuf, size_t dlen ) 00457 { 00458 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen, 00459 label, random, rlen, dstbuf, dlen ) ); 00460 } 00461 #endif /* MBEDTLS_SHA512_C */ 00462 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00463 00464 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); 00465 00466 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 00467 defined(MBEDTLS_SSL_PROTO_TLS1_1) 00468 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); 00469 #endif 00470 00471 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00472 static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * ); 00473 static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int ); 00474 #endif 00475 00476 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00477 static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * ); 00478 static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); 00479 #endif 00480 00481 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00482 #if defined(MBEDTLS_SHA256_C) 00483 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); 00484 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * ); 00485 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int ); 00486 #endif 00487 00488 #if defined(MBEDTLS_SHA512_C) 00489 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t ); 00490 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * ); 00491 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); 00492 #endif 00493 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00494 00495 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) 00496 { 00497 int ret = 0; 00498 unsigned char tmp[64]; 00499 unsigned char keyblk[256]; 00500 unsigned char *key1; 00501 unsigned char *key2; 00502 unsigned char *mac_enc; 00503 unsigned char *mac_dec; 00504 size_t mac_key_len; 00505 size_t iv_copy_len; 00506 const mbedtls_cipher_info_t *cipher_info; 00507 const mbedtls_md_info_t *md_info; 00508 00509 mbedtls_ssl_session *session = ssl->session_negotiate; 00510 mbedtls_ssl_transform *transform = ssl->transform_negotiate; 00511 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 00512 00513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); 00514 00515 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher ); 00516 if( cipher_info == NULL ) 00517 { 00518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", 00519 transform->ciphersuite_info->cipher ) ); 00520 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00521 } 00522 00523 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac ); 00524 if( md_info == NULL ) 00525 { 00526 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", 00527 transform->ciphersuite_info->mac ) ); 00528 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 00529 } 00530 00531 /* 00532 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions 00533 */ 00534 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00535 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00536 { 00537 handshake->tls_prf = ssl3_prf; 00538 handshake->calc_verify = ssl_calc_verify_ssl; 00539 handshake->calc_finished = ssl_calc_finished_ssl; 00540 } 00541 else 00542 #endif 00543 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 00544 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 00545 { 00546 handshake->tls_prf = tls1_prf; 00547 handshake->calc_verify = ssl_calc_verify_tls; 00548 handshake->calc_finished = ssl_calc_finished_tls; 00549 } 00550 else 00551 #endif 00552 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00553 #if defined(MBEDTLS_SHA512_C) 00554 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 00555 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 00556 { 00557 handshake->tls_prf = tls_prf_sha384; 00558 handshake->calc_verify = ssl_calc_verify_tls_sha384; 00559 handshake->calc_finished = ssl_calc_finished_tls_sha384; 00560 } 00561 else 00562 #endif 00563 #if defined(MBEDTLS_SHA256_C) 00564 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00565 { 00566 handshake->tls_prf = tls_prf_sha256; 00567 handshake->calc_verify = ssl_calc_verify_tls_sha256; 00568 handshake->calc_finished = ssl_calc_finished_tls_sha256; 00569 } 00570 else 00571 #endif 00572 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00573 { 00574 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00575 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00576 } 00577 00578 /* 00579 * SSLv3: 00580 * master = 00581 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) + 00582 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) + 00583 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) ) 00584 * 00585 * TLSv1+: 00586 * master = PRF( premaster, "master secret", randbytes )[0..47] 00587 */ 00588 if( handshake->resume == 0 ) 00589 { 00590 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, 00591 handshake->pmslen ); 00592 00593 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 00594 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED ) 00595 { 00596 unsigned char session_hash[48]; 00597 size_t hash_len; 00598 00599 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) ); 00600 00601 ssl->handshake->calc_verify( ssl, session_hash ); 00602 00603 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 00604 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00605 { 00606 #if defined(MBEDTLS_SHA512_C) 00607 if( ssl->transform_negotiate->ciphersuite_info->mac == 00608 MBEDTLS_MD_SHA384 ) 00609 { 00610 hash_len = 48; 00611 } 00612 else 00613 #endif 00614 hash_len = 32; 00615 } 00616 else 00617 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 00618 hash_len = 36; 00619 00620 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len ); 00621 00622 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00623 "extended master secret", 00624 session_hash, hash_len, 00625 session->master, 48 ); 00626 if( ret != 0 ) 00627 { 00628 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00629 return( ret ); 00630 } 00631 00632 } 00633 else 00634 #endif 00635 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, 00636 "master secret", 00637 handshake->randbytes, 64, 00638 session->master, 48 ); 00639 if( ret != 0 ) 00640 { 00641 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00642 return( ret ); 00643 } 00644 00645 mbedtls_zeroize( handshake->premaster, sizeof(handshake->premaster) ); 00646 } 00647 else 00648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); 00649 00650 /* 00651 * Swap the client and server random values. 00652 */ 00653 memcpy( tmp, handshake->randbytes, 64 ); 00654 memcpy( handshake->randbytes, tmp + 32, 32 ); 00655 memcpy( handshake->randbytes + 32, tmp, 32 ); 00656 mbedtls_zeroize( tmp, sizeof( tmp ) ); 00657 00658 /* 00659 * SSLv3: 00660 * key block = 00661 * MD5( master + SHA1( 'A' + master + randbytes ) ) + 00662 * MD5( master + SHA1( 'BB' + master + randbytes ) ) + 00663 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) + 00664 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) + 00665 * ... 00666 * 00667 * TLSv1: 00668 * key block = PRF( master, "key expansion", randbytes ) 00669 */ 00670 ret = handshake->tls_prf( session->master, 48, "key expansion", 00671 handshake->randbytes, 64, keyblk, 256 ); 00672 if( ret != 0 ) 00673 { 00674 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret ); 00675 return( ret ); 00676 } 00677 00678 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s", 00679 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) ); 00680 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 ); 00681 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 ); 00682 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 ); 00683 00684 mbedtls_zeroize( handshake->randbytes, sizeof( handshake->randbytes ) ); 00685 00686 /* 00687 * Determine the appropriate key, IV and MAC length. 00688 */ 00689 00690 transform->keylen = cipher_info->key_bitlen / 8; 00691 00692 if( cipher_info->mode == MBEDTLS_MODE_GCM || 00693 cipher_info->mode == MBEDTLS_MODE_CCM ) 00694 { 00695 transform->maclen = 0; 00696 mac_key_len = 0; 00697 00698 transform->ivlen = 12; 00699 transform->fixed_ivlen = 4; 00700 00701 /* Minimum length is expicit IV + tag */ 00702 transform->minlen = transform->ivlen - transform->fixed_ivlen 00703 + ( transform->ciphersuite_info->flags & 00704 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16 ); 00705 } 00706 else 00707 { 00708 /* Initialize HMAC contexts */ 00709 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || 00710 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) 00711 { 00712 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 00713 return( ret ); 00714 } 00715 00716 /* Get MAC length */ 00717 mac_key_len = mbedtls_md_get_size( md_info ); 00718 transform->maclen = mac_key_len; 00719 00720 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 00721 /* 00722 * If HMAC is to be truncated, we shall keep the leftmost bytes, 00723 * (rfc 6066 page 13 or rfc 2104 section 4), 00724 * so we only need to adjust the length here. 00725 */ 00726 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) 00727 { 00728 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; 00729 00730 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) 00731 /* Fall back to old, non-compliant version of the truncated 00732 * HMAC implementation which also truncates the key 00733 * (Mbed TLS versions from 1.3 to 2.6.0) */ 00734 mac_key_len = transform->maclen; 00735 #endif 00736 } 00737 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 00738 00739 /* IV length */ 00740 transform->ivlen = cipher_info->iv_size; 00741 00742 /* Minimum length */ 00743 if( cipher_info->mode == MBEDTLS_MODE_STREAM ) 00744 transform->minlen = transform->maclen; 00745 else 00746 { 00747 /* 00748 * GenericBlockCipher: 00749 * 1. if EtM is in use: one block plus MAC 00750 * otherwise: * first multiple of blocklen greater than maclen 00751 * 2. IV except for SSL3 and TLS 1.0 00752 */ 00753 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 00754 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 00755 { 00756 transform->minlen = transform->maclen 00757 + cipher_info->block_size; 00758 } 00759 else 00760 #endif 00761 { 00762 transform->minlen = transform->maclen 00763 + cipher_info->block_size 00764 - transform->maclen % cipher_info->block_size; 00765 } 00766 00767 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 00768 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || 00769 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) 00770 ; /* No need to adjust minlen */ 00771 else 00772 #endif 00773 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 00774 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || 00775 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) 00776 { 00777 transform->minlen += transform->ivlen; 00778 } 00779 else 00780 #endif 00781 { 00782 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00783 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00784 } 00785 } 00786 } 00787 00788 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d", 00789 transform->keylen, transform->minlen, transform->ivlen, 00790 transform->maclen ) ); 00791 00792 /* 00793 * Finally setup the cipher contexts, IVs and MAC secrets. 00794 */ 00795 #if defined(MBEDTLS_SSL_CLI_C) 00796 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 00797 { 00798 key1 = keyblk + mac_key_len * 2; 00799 key2 = keyblk + mac_key_len * 2 + transform->keylen; 00800 00801 mac_enc = keyblk; 00802 mac_dec = keyblk + mac_key_len; 00803 00804 /* 00805 * This is not used in TLS v1.1. 00806 */ 00807 iv_copy_len = ( transform->fixed_ivlen ) ? 00808 transform->fixed_ivlen : transform->ivlen; 00809 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len ); 00810 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len, 00811 iv_copy_len ); 00812 } 00813 else 00814 #endif /* MBEDTLS_SSL_CLI_C */ 00815 #if defined(MBEDTLS_SSL_SRV_C) 00816 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 00817 { 00818 key1 = keyblk + mac_key_len * 2 + transform->keylen; 00819 key2 = keyblk + mac_key_len * 2; 00820 00821 mac_enc = keyblk + mac_key_len; 00822 mac_dec = keyblk; 00823 00824 /* 00825 * This is not used in TLS v1.1. 00826 */ 00827 iv_copy_len = ( transform->fixed_ivlen ) ? 00828 transform->fixed_ivlen : transform->ivlen; 00829 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len ); 00830 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len, 00831 iv_copy_len ); 00832 } 00833 else 00834 #endif /* MBEDTLS_SSL_SRV_C */ 00835 { 00836 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00837 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00838 } 00839 00840 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00841 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 00842 { 00843 if( mac_key_len > sizeof transform->mac_enc ) 00844 { 00845 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00846 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00847 } 00848 00849 memcpy( transform->mac_enc, mac_enc, mac_key_len ); 00850 memcpy( transform->mac_dec, mac_dec, mac_key_len ); 00851 } 00852 else 00853 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 00854 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 00855 defined(MBEDTLS_SSL_PROTO_TLS1_2) 00856 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 00857 { 00858 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); 00859 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); 00860 } 00861 else 00862 #endif 00863 { 00864 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 00865 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 00866 } 00867 00868 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 00869 if( mbedtls_ssl_hw_record_init != NULL ) 00870 { 00871 int ret = 0; 00872 00873 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) ); 00874 00875 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen, 00876 transform->iv_enc, transform->iv_dec, 00877 iv_copy_len, 00878 mac_enc, mac_dec, 00879 mac_key_len ) ) != 0 ) 00880 { 00881 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); 00882 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 00883 } 00884 } 00885 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 00886 00887 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 00888 if( ssl->conf->f_export_keys != NULL ) 00889 { 00890 ssl->conf->f_export_keys( ssl->conf->p_export_keys, 00891 session->master, keyblk, 00892 mac_key_len, transform->keylen, 00893 iv_copy_len ); 00894 } 00895 #endif 00896 00897 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc, 00898 cipher_info ) ) != 0 ) 00899 { 00900 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00901 return( ret ); 00902 } 00903 00904 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec, 00905 cipher_info ) ) != 0 ) 00906 { 00907 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret ); 00908 return( ret ); 00909 } 00910 00911 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, 00912 cipher_info->key_bitlen, 00913 MBEDTLS_ENCRYPT ) ) != 0 ) 00914 { 00915 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00916 return( ret ); 00917 } 00918 00919 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, 00920 cipher_info->key_bitlen, 00921 MBEDTLS_DECRYPT ) ) != 0 ) 00922 { 00923 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 00924 return( ret ); 00925 } 00926 00927 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00928 if( cipher_info->mode == MBEDTLS_MODE_CBC ) 00929 { 00930 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc, 00931 MBEDTLS_PADDING_NONE ) ) != 0 ) 00932 { 00933 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00934 return( ret ); 00935 } 00936 00937 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec, 00938 MBEDTLS_PADDING_NONE ) ) != 0 ) 00939 { 00940 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret ); 00941 return( ret ); 00942 } 00943 } 00944 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00945 00946 mbedtls_zeroize( keyblk, sizeof( keyblk ) ); 00947 00948 #if defined(MBEDTLS_ZLIB_SUPPORT) 00949 // Initialize compression 00950 // 00951 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 00952 { 00953 if( ssl->compress_buf == NULL ) 00954 { 00955 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) ); 00956 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN ); 00957 if( ssl->compress_buf == NULL ) 00958 { 00959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 00960 MBEDTLS_SSL_BUFFER_LEN ) ); 00961 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 00962 } 00963 } 00964 00965 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) ); 00966 00967 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) ); 00968 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) ); 00969 00970 if( deflateInit( &transform->ctx_deflate, 00971 Z_DEFAULT_COMPRESSION ) != Z_OK || 00972 inflateInit( &transform->ctx_inflate ) != Z_OK ) 00973 { 00974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) ); 00975 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 00976 } 00977 } 00978 #endif /* MBEDTLS_ZLIB_SUPPORT */ 00979 00980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) ); 00981 00982 return( 0 ); 00983 } 00984 00985 #if defined(MBEDTLS_SSL_PROTO_SSL3) 00986 void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 00987 { 00988 mbedtls_md5_context md5; 00989 mbedtls_sha1_context sha1; 00990 unsigned char pad_1[48]; 00991 unsigned char pad_2[48]; 00992 00993 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) ); 00994 00995 mbedtls_md5_init( &md5 ); 00996 mbedtls_sha1_init( &sha1 ); 00997 00998 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 00999 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01000 01001 memset( pad_1, 0x36, 48 ); 01002 memset( pad_2, 0x5C, 48 ); 01003 01004 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 ); 01005 mbedtls_md5_update_ret( &md5, pad_1, 48 ); 01006 mbedtls_md5_finish_ret( &md5, hash ); 01007 01008 mbedtls_md5_starts_ret( &md5 ); 01009 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 ); 01010 mbedtls_md5_update_ret( &md5, pad_2, 48 ); 01011 mbedtls_md5_update_ret( &md5, hash, 16 ); 01012 mbedtls_md5_finish_ret( &md5, hash ); 01013 01014 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 ); 01015 mbedtls_sha1_update_ret( &sha1, pad_1, 40 ); 01016 mbedtls_sha1_finish_ret( &sha1, hash + 16 ); 01017 01018 mbedtls_sha1_starts_ret( &sha1 ); 01019 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 ); 01020 mbedtls_sha1_update_ret( &sha1, pad_2, 40 ); 01021 mbedtls_sha1_update_ret( &sha1, hash + 16, 20 ); 01022 mbedtls_sha1_finish_ret( &sha1, hash + 16 ); 01023 01024 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01025 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01026 01027 mbedtls_md5_free( &md5 ); 01028 mbedtls_sha1_free( &sha1 ); 01029 01030 return; 01031 } 01032 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01033 01034 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 01035 void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) 01036 { 01037 mbedtls_md5_context md5; 01038 mbedtls_sha1_context sha1; 01039 01040 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); 01041 01042 mbedtls_md5_init( &md5 ); 01043 mbedtls_sha1_init( &sha1 ); 01044 01045 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 01046 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 01047 01048 mbedtls_md5_finish_ret( &md5, hash ); 01049 mbedtls_sha1_finish_ret( &sha1, hash + 16 ); 01050 01051 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); 01052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01053 01054 mbedtls_md5_free( &md5 ); 01055 mbedtls_sha1_free( &sha1 ); 01056 01057 return; 01058 } 01059 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 01060 01061 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 01062 #if defined(MBEDTLS_SHA256_C) 01063 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] ) 01064 { 01065 mbedtls_sha256_context sha256; 01066 01067 mbedtls_sha256_init( &sha256 ); 01068 01069 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); 01070 01071 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 01072 mbedtls_sha256_finish_ret( &sha256, hash ); 01073 01074 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 ); 01075 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01076 01077 mbedtls_sha256_free( &sha256 ); 01078 01079 return; 01080 } 01081 #endif /* MBEDTLS_SHA256_C */ 01082 01083 #if defined(MBEDTLS_SHA512_C) 01084 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] ) 01085 { 01086 mbedtls_sha512_context sha512; 01087 01088 mbedtls_sha512_init( &sha512 ); 01089 01090 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); 01091 01092 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 01093 mbedtls_sha512_finish_ret( &sha512, hash ); 01094 01095 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 ); 01096 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 01097 01098 mbedtls_sha512_free( &sha512 ); 01099 01100 return; 01101 } 01102 #endif /* MBEDTLS_SHA512_C */ 01103 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 01104 01105 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 01106 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) 01107 { 01108 unsigned char *p = ssl->handshake->premaster; 01109 unsigned char *end = p + sizeof( ssl->handshake->premaster ); 01110 const unsigned char *psk = ssl->conf->psk; 01111 size_t psk_len = ssl->conf->psk_len; 01112 01113 /* If the psk callback was called, use its result */ 01114 if( ssl->handshake->psk != NULL ) 01115 { 01116 psk = ssl->handshake->psk; 01117 psk_len = ssl->handshake->psk_len; 01118 } 01119 01120 /* 01121 * PMS = struct { 01122 * opaque other_secret<0..2^16-1>; 01123 * opaque psk<0..2^16-1>; 01124 * }; 01125 * with "other_secret" depending on the particular key exchange 01126 */ 01127 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 01128 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) 01129 { 01130 if( end - p < 2 ) 01131 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01132 01133 *(p++) = (unsigned char)( psk_len >> 8 ); 01134 *(p++) = (unsigned char)( psk_len ); 01135 01136 if( end < p || (size_t)( end - p ) < psk_len ) 01137 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01138 01139 memset( p, 0, psk_len ); 01140 p += psk_len; 01141 } 01142 else 01143 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 01144 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 01145 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 01146 { 01147 /* 01148 * other_secret already set by the ClientKeyExchange message, 01149 * and is 48 bytes long 01150 */ 01151 *p++ = 0; 01152 *p++ = 48; 01153 p += 48; 01154 } 01155 else 01156 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 01157 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 01158 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) 01159 { 01160 int ret; 01161 size_t len; 01162 01163 /* Write length only when we know the actual value */ 01164 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, 01165 p + 2, end - ( p + 2 ), &len, 01166 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01167 { 01168 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); 01169 return( ret ); 01170 } 01171 *(p++) = (unsigned char)( len >> 8 ); 01172 *(p++) = (unsigned char)( len ); 01173 p += len; 01174 01175 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); 01176 } 01177 else 01178 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 01179 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 01180 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) 01181 { 01182 int ret; 01183 size_t zlen; 01184 01185 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, 01186 p + 2, end - ( p + 2 ), 01187 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 01188 { 01189 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); 01190 return( ret ); 01191 } 01192 01193 *(p++) = (unsigned char)( zlen >> 8 ); 01194 *(p++) = (unsigned char)( zlen ); 01195 p += zlen; 01196 01197 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z ); 01198 } 01199 else 01200 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 01201 { 01202 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01203 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01204 } 01205 01206 /* opaque psk<0..2^16-1>; */ 01207 if( end - p < 2 ) 01208 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01209 01210 *(p++) = (unsigned char)( psk_len >> 8 ); 01211 *(p++) = (unsigned char)( psk_len ); 01212 01213 if( end < p || (size_t)( end - p ) < psk_len ) 01214 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01215 01216 memcpy( p, psk, psk_len ); 01217 p += psk_len; 01218 01219 ssl->handshake->pmslen = p - ssl->handshake->premaster; 01220 01221 return( 0 ); 01222 } 01223 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 01224 01225 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01226 /* 01227 * SSLv3.0 MAC functions 01228 */ 01229 #define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */ 01230 static void ssl_mac( mbedtls_md_context_t *md_ctx, 01231 const unsigned char *secret, 01232 const unsigned char *buf, size_t len, 01233 const unsigned char *ctr, int type, 01234 unsigned char out[SSL_MAC_MAX_BYTES] ) 01235 { 01236 unsigned char header[11]; 01237 unsigned char padding[48]; 01238 int padlen; 01239 int md_size = mbedtls_md_get_size( md_ctx->md_info ); 01240 int md_type = mbedtls_md_get_type( md_ctx->md_info ); 01241 01242 /* Only MD5 and SHA-1 supported */ 01243 if( md_type == MBEDTLS_MD_MD5 ) 01244 padlen = 48; 01245 else 01246 padlen = 40; 01247 01248 memcpy( header, ctr, 8 ); 01249 header[ 8] = (unsigned char) type; 01250 header[ 9] = (unsigned char)( len >> 8 ); 01251 header[10] = (unsigned char)( len ); 01252 01253 memset( padding, 0x36, padlen ); 01254 mbedtls_md_starts( md_ctx ); 01255 mbedtls_md_update( md_ctx, secret, md_size ); 01256 mbedtls_md_update( md_ctx, padding, padlen ); 01257 mbedtls_md_update( md_ctx, header, 11 ); 01258 mbedtls_md_update( md_ctx, buf, len ); 01259 mbedtls_md_finish( md_ctx, out ); 01260 01261 memset( padding, 0x5C, padlen ); 01262 mbedtls_md_starts( md_ctx ); 01263 mbedtls_md_update( md_ctx, secret, md_size ); 01264 mbedtls_md_update( md_ctx, padding, padlen ); 01265 mbedtls_md_update( md_ctx, out, md_size ); 01266 mbedtls_md_finish( md_ctx, out ); 01267 } 01268 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01269 01270 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \ 01271 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01272 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) ) 01273 #define SSL_SOME_MODES_USE_MAC 01274 #endif 01275 01276 /* 01277 * Encryption/decryption functions 01278 */ 01279 static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) 01280 { 01281 mbedtls_cipher_mode_t mode; 01282 int auth_done = 0; 01283 01284 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 01285 01286 if( ssl->session_out == NULL || ssl->transform_out == NULL ) 01287 { 01288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01289 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01290 } 01291 01292 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ); 01293 01294 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", 01295 ssl->out_msg, ssl->out_msglen ); 01296 01297 if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 01298 { 01299 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d", 01300 (unsigned) ssl->out_msglen, 01301 MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 01302 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 01303 } 01304 01305 /* 01306 * Add MAC before if needed 01307 */ 01308 #if defined(SSL_SOME_MODES_USE_MAC) 01309 if( mode == MBEDTLS_MODE_STREAM || 01310 ( mode == MBEDTLS_MODE_CBC 01311 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01312 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED 01313 #endif 01314 ) ) 01315 { 01316 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01317 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01318 { 01319 unsigned char mac[SSL_MAC_MAX_BYTES]; 01320 01321 ssl_mac( &ssl->transform_out->md_ctx_enc, 01322 ssl->transform_out->mac_enc, 01323 ssl->out_msg, ssl->out_msglen, 01324 ssl->out_ctr, ssl->out_msgtype, 01325 mac ); 01326 01327 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen ); 01328 } 01329 else 01330 #endif 01331 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01332 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01333 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 01334 { 01335 unsigned char mac[MBEDTLS_SSL_MAC_ADD]; 01336 01337 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 ); 01338 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 ); 01339 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 ); 01340 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01341 ssl->out_msg, ssl->out_msglen ); 01342 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac ); 01343 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01344 01345 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen ); 01346 } 01347 else 01348 #endif 01349 { 01350 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01351 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01352 } 01353 01354 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", 01355 ssl->out_msg + ssl->out_msglen, 01356 ssl->transform_out->maclen ); 01357 01358 ssl->out_msglen += ssl->transform_out->maclen; 01359 auth_done++; 01360 } 01361 #endif /* AEAD not the only option */ 01362 01363 /* 01364 * Encrypt 01365 */ 01366 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01367 if( mode == MBEDTLS_MODE_STREAM ) 01368 { 01369 int ret; 01370 size_t olen = 0; 01371 01372 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01373 "including %d bytes of padding", 01374 ssl->out_msglen, 0 ) ); 01375 01376 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01377 ssl->transform_out->iv_enc, 01378 ssl->transform_out->ivlen, 01379 ssl->out_msg, ssl->out_msglen, 01380 ssl->out_msg, &olen ) ) != 0 ) 01381 { 01382 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01383 return( ret ); 01384 } 01385 01386 if( ssl->out_msglen != olen ) 01387 { 01388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01389 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01390 } 01391 } 01392 else 01393 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01394 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01395 if( mode == MBEDTLS_MODE_GCM || 01396 mode == MBEDTLS_MODE_CCM ) 01397 { 01398 int ret; 01399 size_t enc_msglen, olen; 01400 unsigned char *enc_msg; 01401 unsigned char add_data[13]; 01402 unsigned char taglen = ssl->transform_out->ciphersuite_info->flags & 01403 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01404 01405 memcpy( add_data, ssl->out_ctr, 8 ); 01406 add_data[8] = ssl->out_msgtype; 01407 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01408 ssl->conf->transport, add_data + 9 ); 01409 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; 01410 add_data[12] = ssl->out_msglen & 0xFF; 01411 01412 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01413 add_data, 13 ); 01414 01415 /* 01416 * Generate IV 01417 */ 01418 if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 ) 01419 { 01420 /* Reminder if we ever add an AEAD mode with a different size */ 01421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01422 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01423 } 01424 01425 memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, 01426 ssl->out_ctr, 8 ); 01427 memcpy( ssl->out_iv, ssl->out_ctr, 8 ); 01428 01429 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv, 01430 ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); 01431 01432 /* 01433 * Fix pointer positions and message length with added IV 01434 */ 01435 enc_msg = ssl->out_msg; 01436 enc_msglen = ssl->out_msglen; 01437 ssl->out_msglen += ssl->transform_out->ivlen - 01438 ssl->transform_out->fixed_ivlen; 01439 01440 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01441 "including %d bytes of padding", 01442 ssl->out_msglen, 0 ) ); 01443 01444 /* 01445 * Encrypt and authenticate 01446 */ 01447 if( ( ret = mbedtls_cipher_auth_encrypt( &ssl->transform_out->cipher_ctx_enc, 01448 ssl->transform_out->iv_enc, 01449 ssl->transform_out->ivlen, 01450 add_data, 13, 01451 enc_msg, enc_msglen, 01452 enc_msg, &olen, 01453 enc_msg + enc_msglen, taglen ) ) != 0 ) 01454 { 01455 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); 01456 return( ret ); 01457 } 01458 01459 if( olen != enc_msglen ) 01460 { 01461 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01462 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01463 } 01464 01465 ssl->out_msglen += taglen; 01466 auth_done++; 01467 01468 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen ); 01469 } 01470 else 01471 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01472 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01473 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01474 if( mode == MBEDTLS_MODE_CBC ) 01475 { 01476 int ret; 01477 unsigned char *enc_msg; 01478 size_t enc_msglen, padlen, olen = 0, i; 01479 01480 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) % 01481 ssl->transform_out->ivlen; 01482 if( padlen == ssl->transform_out->ivlen ) 01483 padlen = 0; 01484 01485 for( i = 0; i <= padlen; i++ ) 01486 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen; 01487 01488 ssl->out_msglen += padlen + 1; 01489 01490 enc_msglen = ssl->out_msglen; 01491 enc_msg = ssl->out_msg; 01492 01493 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01494 /* 01495 * Prepend per-record IV for block cipher in TLS v1.1 and up as per 01496 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) 01497 */ 01498 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01499 { 01500 /* 01501 * Generate IV 01502 */ 01503 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, 01504 ssl->transform_out->ivlen ); 01505 if( ret != 0 ) 01506 return( ret ); 01507 01508 memcpy( ssl->out_iv, ssl->transform_out->iv_enc, 01509 ssl->transform_out->ivlen ); 01510 01511 /* 01512 * Fix pointer positions and message length with added IV 01513 */ 01514 enc_msg = ssl->out_msg; 01515 enc_msglen = ssl->out_msglen; 01516 ssl->out_msglen += ssl->transform_out->ivlen; 01517 } 01518 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01519 01520 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, " 01521 "including %d bytes of IV and %d bytes of padding", 01522 ssl->out_msglen, ssl->transform_out->ivlen, 01523 padlen + 1 ) ); 01524 01525 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc, 01526 ssl->transform_out->iv_enc, 01527 ssl->transform_out->ivlen, 01528 enc_msg, enc_msglen, 01529 enc_msg, &olen ) ) != 0 ) 01530 { 01531 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01532 return( ret ); 01533 } 01534 01535 if( enc_msglen != olen ) 01536 { 01537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01538 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01539 } 01540 01541 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01542 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01543 { 01544 /* 01545 * Save IV in SSL3 and TLS1 01546 */ 01547 memcpy( ssl->transform_out->iv_enc, 01548 ssl->transform_out->cipher_ctx_enc.iv, 01549 ssl->transform_out->ivlen ); 01550 } 01551 #endif 01552 01553 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01554 if( auth_done == 0 ) 01555 { 01556 /* 01557 * MAC(MAC_write_key, seq_num + 01558 * TLSCipherText.type + 01559 * TLSCipherText.version + 01560 * length_of( (IV +) ENC(...) ) + 01561 * IV + // except for TLS 1.0 01562 * ENC(content + padding + padding_length)); 01563 */ 01564 unsigned char pseudo_hdr[13]; 01565 01566 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01567 01568 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 ); 01569 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 ); 01570 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF ); 01571 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF ); 01572 01573 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01574 01575 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 ); 01576 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, 01577 ssl->out_iv, ssl->out_msglen ); 01578 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, 01579 ssl->out_iv + ssl->out_msglen ); 01580 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); 01581 01582 ssl->out_msglen += ssl->transform_out->maclen; 01583 auth_done++; 01584 } 01585 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01586 } 01587 else 01588 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01589 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01590 { 01591 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01592 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01593 } 01594 01595 /* Make extra sure authentication was performed, exactly once */ 01596 if( auth_done != 1 ) 01597 { 01598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01599 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01600 } 01601 01602 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 01603 01604 return( 0 ); 01605 } 01606 01607 static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) 01608 { 01609 size_t i; 01610 mbedtls_cipher_mode_t mode; 01611 int auth_done = 0; 01612 #if defined(SSL_SOME_MODES_USE_MAC) 01613 size_t padlen = 0, correct = 1; 01614 #endif 01615 01616 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 01617 01618 if( ssl->session_in == NULL || ssl->transform_in == NULL ) 01619 { 01620 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01621 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01622 } 01623 01624 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec ); 01625 01626 if( ssl->in_msglen < ssl->transform_in->minlen ) 01627 { 01628 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)", 01629 ssl->in_msglen, ssl->transform_in->minlen ) ); 01630 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01631 } 01632 01633 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 01634 if( mode == MBEDTLS_MODE_STREAM ) 01635 { 01636 int ret; 01637 size_t olen = 0; 01638 01639 padlen = 0; 01640 01641 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01642 ssl->transform_in->iv_dec, 01643 ssl->transform_in->ivlen, 01644 ssl->in_msg, ssl->in_msglen, 01645 ssl->in_msg, &olen ) ) != 0 ) 01646 { 01647 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01648 return( ret ); 01649 } 01650 01651 if( ssl->in_msglen != olen ) 01652 { 01653 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01654 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01655 } 01656 } 01657 else 01658 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 01659 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) 01660 if( mode == MBEDTLS_MODE_GCM || 01661 mode == MBEDTLS_MODE_CCM ) 01662 { 01663 int ret; 01664 size_t dec_msglen, olen; 01665 unsigned char *dec_msg; 01666 unsigned char *dec_msg_result; 01667 unsigned char add_data[13]; 01668 unsigned char taglen = ssl->transform_in->ciphersuite_info->flags & 01669 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 01670 size_t explicit_iv_len = ssl->transform_in->ivlen - 01671 ssl->transform_in->fixed_ivlen; 01672 01673 if( ssl->in_msglen < explicit_iv_len + taglen ) 01674 { 01675 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " 01676 "+ taglen (%d)", ssl->in_msglen, 01677 explicit_iv_len, taglen ) ); 01678 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01679 } 01680 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen; 01681 01682 dec_msg = ssl->in_msg; 01683 dec_msg_result = ssl->in_msg; 01684 ssl->in_msglen = dec_msglen; 01685 01686 memcpy( add_data, ssl->in_ctr, 8 ); 01687 add_data[8] = ssl->in_msgtype; 01688 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 01689 ssl->conf->transport, add_data + 9 ); 01690 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; 01691 add_data[12] = ssl->in_msglen & 0xFF; 01692 01693 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 01694 add_data, 13 ); 01695 01696 memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen, 01697 ssl->in_iv, 01698 ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen ); 01699 01700 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec, 01701 ssl->transform_in->ivlen ); 01702 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen ); 01703 01704 /* 01705 * Decrypt and authenticate 01706 */ 01707 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec, 01708 ssl->transform_in->iv_dec, 01709 ssl->transform_in->ivlen, 01710 add_data, 13, 01711 dec_msg, dec_msglen, 01712 dec_msg_result, &olen, 01713 dec_msg + dec_msglen, taglen ) ) != 0 ) 01714 { 01715 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); 01716 01717 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) 01718 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01719 01720 return( ret ); 01721 } 01722 auth_done++; 01723 01724 if( olen != dec_msglen ) 01725 { 01726 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01727 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01728 } 01729 } 01730 else 01731 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 01732 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 01733 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) 01734 if( mode == MBEDTLS_MODE_CBC ) 01735 { 01736 /* 01737 * Decrypt and check the padding 01738 */ 01739 int ret; 01740 unsigned char *dec_msg; 01741 unsigned char *dec_msg_result; 01742 size_t dec_msglen; 01743 size_t minlen = 0; 01744 size_t olen = 0; 01745 01746 /* 01747 * Check immediate ciphertext sanity 01748 */ 01749 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01750 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01751 minlen += ssl->transform_in->ivlen; 01752 #endif 01753 01754 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen || 01755 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 ) 01756 { 01757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) " 01758 "+ 1 ) ( + expl IV )", ssl->in_msglen, 01759 ssl->transform_in->ivlen, 01760 ssl->transform_in->maclen ) ); 01761 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01762 } 01763 01764 dec_msglen = ssl->in_msglen; 01765 dec_msg = ssl->in_msg; 01766 dec_msg_result = ssl->in_msg; 01767 01768 /* 01769 * Authenticate before decrypt if enabled 01770 */ 01771 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 01772 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 01773 { 01774 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; 01775 unsigned char pseudo_hdr[13]; 01776 01777 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 01778 01779 dec_msglen -= ssl->transform_in->maclen; 01780 ssl->in_msglen -= ssl->transform_in->maclen; 01781 01782 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 ); 01783 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 ); 01784 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF ); 01785 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF ); 01786 01787 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 ); 01788 01789 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); 01790 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, 01791 ssl->in_iv, ssl->in_msglen ); 01792 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect ); 01793 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 01794 01795 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, 01796 ssl->transform_in->maclen ); 01797 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, 01798 ssl->transform_in->maclen ); 01799 01800 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect, 01801 ssl->transform_in->maclen ) != 0 ) 01802 { 01803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 01804 01805 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01806 } 01807 auth_done++; 01808 } 01809 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 01810 01811 /* 01812 * Check length sanity 01813 */ 01814 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 ) 01815 { 01816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0", 01817 ssl->in_msglen, ssl->transform_in->ivlen ) ); 01818 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 01819 } 01820 01821 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 01822 /* 01823 * Initialize for prepended IV for block cipher in TLS v1.1 and up 01824 */ 01825 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 01826 { 01827 dec_msglen -= ssl->transform_in->ivlen; 01828 ssl->in_msglen -= ssl->transform_in->ivlen; 01829 01830 for( i = 0; i < ssl->transform_in->ivlen; i++ ) 01831 ssl->transform_in->iv_dec[i] = ssl->in_iv[i]; 01832 } 01833 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 01834 01835 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec, 01836 ssl->transform_in->iv_dec, 01837 ssl->transform_in->ivlen, 01838 dec_msg, dec_msglen, 01839 dec_msg_result, &olen ) ) != 0 ) 01840 { 01841 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 01842 return( ret ); 01843 } 01844 01845 if( dec_msglen != olen ) 01846 { 01847 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01848 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01849 } 01850 01851 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 01852 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 01853 { 01854 /* 01855 * Save IV in SSL3 and TLS1 01856 */ 01857 memcpy( ssl->transform_in->iv_dec, 01858 ssl->transform_in->cipher_ctx_dec.iv, 01859 ssl->transform_in->ivlen ); 01860 } 01861 #endif 01862 01863 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; 01864 01865 if( ssl->in_msglen < ssl->transform_in->maclen + padlen && 01866 auth_done == 0 ) 01867 { 01868 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01869 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", 01870 ssl->in_msglen, ssl->transform_in->maclen, padlen ) ); 01871 #endif 01872 padlen = 0; 01873 correct = 0; 01874 } 01875 01876 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01877 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01878 { 01879 if( padlen > ssl->transform_in->ivlen ) 01880 { 01881 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01882 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " 01883 "should be no more than %d", 01884 padlen, ssl->transform_in->ivlen ) ); 01885 #endif 01886 correct = 0; 01887 } 01888 } 01889 else 01890 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01891 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01892 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01893 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01894 { 01895 /* 01896 * TLSv1+: always check the padding up to the first failure 01897 * and fake check up to 256 bytes of padding 01898 */ 01899 size_t pad_count = 0, real_count = 1; 01900 size_t padding_idx = ssl->in_msglen - padlen - 1; 01901 01902 /* 01903 * Padding is guaranteed to be incorrect if: 01904 * 1. padlen >= ssl->in_msglen 01905 * 01906 * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN + 01907 * ssl->transform_in->maclen 01908 * 01909 * In both cases we reset padding_idx to a safe value (0) to 01910 * prevent out-of-buffer reads. 01911 */ 01912 correct &= ( ssl->in_msglen >= padlen + 1 ); 01913 correct &= ( padding_idx < MBEDTLS_SSL_MAX_CONTENT_LEN + 01914 ssl->transform_in->maclen ); 01915 01916 padding_idx *= correct; 01917 01918 for( i = 1; i <= 256; i++ ) 01919 { 01920 real_count &= ( i <= padlen ); 01921 pad_count += real_count * 01922 ( ssl->in_msg[padding_idx + i] == padlen - 1 ); 01923 } 01924 01925 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */ 01926 01927 #if defined(MBEDTLS_SSL_DEBUG_ALL) 01928 if( padlen > 0 && correct == 0 ) 01929 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); 01930 #endif 01931 padlen &= correct * 0x1FF; 01932 } 01933 else 01934 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 01935 MBEDTLS_SSL_PROTO_TLS1_2 */ 01936 { 01937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01938 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01939 } 01940 01941 ssl->in_msglen -= padlen; 01942 } 01943 else 01944 #endif /* MBEDTLS_CIPHER_MODE_CBC && 01945 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */ 01946 { 01947 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 01948 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 01949 } 01950 01951 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", 01952 ssl->in_msg, ssl->in_msglen ); 01953 01954 /* 01955 * Authenticate if not done yet. 01956 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). 01957 */ 01958 #if defined(SSL_SOME_MODES_USE_MAC) 01959 if( auth_done == 0 ) 01960 { 01961 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; 01962 01963 ssl->in_msglen -= ssl->transform_in->maclen; 01964 01965 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); 01966 ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); 01967 01968 #if defined(MBEDTLS_SSL_PROTO_SSL3) 01969 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 01970 { 01971 ssl_mac( &ssl->transform_in->md_ctx_dec, 01972 ssl->transform_in->mac_dec, 01973 ssl->in_msg, ssl->in_msglen, 01974 ssl->in_ctr, ssl->in_msgtype, 01975 mac_expect ); 01976 } 01977 else 01978 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 01979 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 01980 defined(MBEDTLS_SSL_PROTO_TLS1_2) 01981 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 01982 { 01983 /* 01984 * Process MAC and always update for padlen afterwards to make 01985 * total time independent of padlen 01986 * 01987 * extra_run compensates MAC check for padlen 01988 * 01989 * Known timing attacks: 01990 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf) 01991 * 01992 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values 01993 * correctly. (We round down instead of up, so -56 is the correct 01994 * value for our calculations instead of -55) 01995 */ 01996 size_t j, extra_run = 0; 01997 extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 - 01998 ( 13 + ssl->in_msglen + 8 ) / 64; 01999 02000 extra_run &= correct * 0xFF; 02001 02002 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 ); 02003 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 ); 02004 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 ); 02005 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, 02006 ssl->in_msglen ); 02007 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect ); 02008 /* Call mbedtls_md_process at least once due to cache attacks */ 02009 for( j = 0; j < extra_run + 1; j++ ) 02010 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); 02011 02012 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); 02013 } 02014 else 02015 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 02016 MBEDTLS_SSL_PROTO_TLS1_2 */ 02017 { 02018 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02019 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02020 } 02021 02022 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen ); 02023 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen, 02024 ssl->transform_in->maclen ); 02025 02026 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect, 02027 ssl->transform_in->maclen ) != 0 ) 02028 { 02029 #if defined(MBEDTLS_SSL_DEBUG_ALL) 02030 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 02031 #endif 02032 correct = 0; 02033 } 02034 auth_done++; 02035 02036 /* 02037 * Finally check the correct flag 02038 */ 02039 if( correct == 0 ) 02040 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02041 } 02042 #endif /* SSL_SOME_MODES_USE_MAC */ 02043 02044 /* Make extra sure authentication was performed, exactly once */ 02045 if( auth_done != 1 ) 02046 { 02047 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02048 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02049 } 02050 02051 if( ssl->in_msglen == 0 ) 02052 { 02053 ssl->nb_zero++; 02054 02055 /* 02056 * Three or more empty messages may be a DoS attack 02057 * (excessive CPU consumption). 02058 */ 02059 if( ssl->nb_zero > 3 ) 02060 { 02061 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 02062 "messages, possible DoS attack" ) ); 02063 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 02064 } 02065 } 02066 else 02067 ssl->nb_zero = 0; 02068 02069 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02070 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02071 { 02072 ; /* in_ctr read from peer, not maintained internally */ 02073 } 02074 else 02075 #endif 02076 { 02077 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02078 if( ++ssl->in_ctr[i - 1] != 0 ) 02079 break; 02080 02081 /* The loop goes to its end iff the counter is wrapping */ 02082 if( i == ssl_ep_len( ssl ) ) 02083 { 02084 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); 02085 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02086 } 02087 } 02088 02089 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 02090 02091 return( 0 ); 02092 } 02093 02094 #undef MAC_NONE 02095 #undef MAC_PLAINTEXT 02096 #undef MAC_CIPHERTEXT 02097 02098 #if defined(MBEDTLS_ZLIB_SUPPORT) 02099 /* 02100 * Compression/decompression functions 02101 */ 02102 static int ssl_compress_buf( mbedtls_ssl_context *ssl ) 02103 { 02104 int ret; 02105 unsigned char *msg_post = ssl->out_msg; 02106 size_t len_pre = ssl->out_msglen; 02107 unsigned char *msg_pre = ssl->compress_buf; 02108 02109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) ); 02110 02111 if( len_pre == 0 ) 02112 return( 0 ); 02113 02114 memcpy( msg_pre, ssl->out_msg, len_pre ); 02115 02116 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ", 02117 ssl->out_msglen ) ); 02118 02119 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload", 02120 ssl->out_msg, ssl->out_msglen ); 02121 02122 ssl->transform_out->ctx_deflate.next_in = msg_pre; 02123 ssl->transform_out->ctx_deflate.avail_in = len_pre; 02124 ssl->transform_out->ctx_deflate.next_out = msg_post; 02125 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_BUFFER_LEN; 02126 02127 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); 02128 if( ret != Z_OK ) 02129 { 02130 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) ); 02131 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02132 } 02133 02134 ssl->out_msglen = MBEDTLS_SSL_BUFFER_LEN - 02135 ssl->transform_out->ctx_deflate.avail_out; 02136 02137 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ", 02138 ssl->out_msglen ) ); 02139 02140 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload", 02141 ssl->out_msg, ssl->out_msglen ); 02142 02143 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) ); 02144 02145 return( 0 ); 02146 } 02147 02148 static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) 02149 { 02150 int ret; 02151 unsigned char *msg_post = ssl->in_msg; 02152 size_t len_pre = ssl->in_msglen; 02153 unsigned char *msg_pre = ssl->compress_buf; 02154 02155 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) ); 02156 02157 if( len_pre == 0 ) 02158 return( 0 ); 02159 02160 memcpy( msg_pre, ssl->in_msg, len_pre ); 02161 02162 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ", 02163 ssl->in_msglen ) ); 02164 02165 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload", 02166 ssl->in_msg, ssl->in_msglen ); 02167 02168 ssl->transform_in->ctx_inflate.next_in = msg_pre; 02169 ssl->transform_in->ctx_inflate.avail_in = len_pre; 02170 ssl->transform_in->ctx_inflate.next_out = msg_post; 02171 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_MAX_CONTENT_LEN; 02172 02173 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); 02174 if( ret != Z_OK ) 02175 { 02176 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) ); 02177 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 02178 } 02179 02180 ssl->in_msglen = MBEDTLS_SSL_MAX_CONTENT_LEN - 02181 ssl->transform_in->ctx_inflate.avail_out; 02182 02183 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ", 02184 ssl->in_msglen ) ); 02185 02186 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload", 02187 ssl->in_msg, ssl->in_msglen ); 02188 02189 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) ); 02190 02191 return( 0 ); 02192 } 02193 #endif /* MBEDTLS_ZLIB_SUPPORT */ 02194 02195 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02196 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ); 02197 02198 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02199 static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) 02200 { 02201 /* If renegotiation is not enforced, retransmit until we would reach max 02202 * timeout if we were using the usual handshake doubling scheme */ 02203 if( ssl->conf->renego_max_records < 0 ) 02204 { 02205 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 02206 unsigned char doublings = 1; 02207 02208 while( ratio != 0 ) 02209 { 02210 ++doublings; 02211 ratio >>= 1; 02212 } 02213 02214 if( ++ssl->renego_records_seen > doublings ) 02215 { 02216 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) ); 02217 return( 0 ); 02218 } 02219 } 02220 02221 return( ssl_write_hello_request( ssl ) ); 02222 } 02223 #endif 02224 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02225 02226 /* 02227 * Fill the input message buffer by appending data to it. 02228 * The amount of data already fetched is in ssl->in_left. 02229 * 02230 * If we return 0, is it guaranteed that (at least) nb_want bytes are 02231 * available (from this read and/or a previous one). Otherwise, an error code 02232 * is returned (possibly EOF or WANT_READ). 02233 * 02234 * With stream transport (TLS) on success ssl->in_left == nb_want, but 02235 * with datagram transport (DTLS) on success ssl->in_left >= nb_want, 02236 * since we always read a whole datagram at once. 02237 * 02238 * For DTLS, it is up to the caller to set ssl->next_record_offset when 02239 * they're done reading a record. 02240 */ 02241 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) 02242 { 02243 int ret; 02244 size_t len; 02245 02246 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 02247 02248 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) 02249 { 02250 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02251 "or mbedtls_ssl_set_bio()" ) ); 02252 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02253 } 02254 02255 if( nb_want > MBEDTLS_SSL_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 02256 { 02257 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); 02258 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02259 } 02260 02261 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02262 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02263 { 02264 uint32_t timeout; 02265 02266 /* Just to be sure */ 02267 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) 02268 { 02269 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use " 02270 "mbedtls_ssl_set_timer_cb() for DTLS" ) ); 02271 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02272 } 02273 02274 /* 02275 * The point is, we need to always read a full datagram at once, so we 02276 * sometimes read more then requested, and handle the additional data. 02277 * It could be the rest of the current record (while fetching the 02278 * header) and/or some other records in the same datagram. 02279 */ 02280 02281 /* 02282 * Move to the next record in the already read datagram if applicable 02283 */ 02284 if( ssl->next_record_offset != 0 ) 02285 { 02286 if( ssl->in_left < ssl->next_record_offset ) 02287 { 02288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02289 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02290 } 02291 02292 ssl->in_left -= ssl->next_record_offset; 02293 02294 if( ssl->in_left != 0 ) 02295 { 02296 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d", 02297 ssl->next_record_offset ) ); 02298 memmove( ssl->in_hdr, 02299 ssl->in_hdr + ssl->next_record_offset, 02300 ssl->in_left ); 02301 } 02302 02303 ssl->next_record_offset = 0; 02304 } 02305 02306 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02307 ssl->in_left, nb_want ) ); 02308 02309 /* 02310 * Done if we already have enough data. 02311 */ 02312 if( nb_want <= ssl->in_left) 02313 { 02314 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02315 return( 0 ); 02316 } 02317 02318 /* 02319 * A record can't be split accross datagrams. If we need to read but 02320 * are not at the beginning of a new record, the caller did something 02321 * wrong. 02322 */ 02323 if( ssl->in_left != 0 ) 02324 { 02325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02326 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02327 } 02328 02329 /* 02330 * Don't even try to read if time's out already. 02331 * This avoids by-passing the timer when repeatedly receiving messages 02332 * that will end up being dropped. 02333 */ 02334 if( ssl_check_timer( ssl ) != 0 ) 02335 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02336 else 02337 { 02338 len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf ); 02339 02340 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02341 timeout = ssl->handshake->retransmit_timeout; 02342 else 02343 timeout = ssl->conf->read_timeout; 02344 02345 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); 02346 02347 if( ssl->f_recv_timeout != NULL ) 02348 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, 02349 timeout ); 02350 else 02351 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); 02352 02353 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02354 02355 if( ret == 0 ) 02356 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02357 } 02358 02359 if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) 02360 { 02361 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); 02362 ssl_set_timer( ssl, 0 ); 02363 02364 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 02365 { 02366 if( ssl_double_retransmit_timeout( ssl ) != 0 ) 02367 { 02368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); 02369 return( MBEDTLS_ERR_SSL_TIMEOUT ); 02370 } 02371 02372 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 02373 { 02374 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 02375 return( ret ); 02376 } 02377 02378 return( MBEDTLS_ERR_SSL_WANT_READ ); 02379 } 02380 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 02381 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 02382 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 02383 { 02384 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 02385 { 02386 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 02387 return( ret ); 02388 } 02389 02390 return( MBEDTLS_ERR_SSL_WANT_READ ); 02391 } 02392 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 02393 } 02394 02395 if( ret < 0 ) 02396 return( ret ); 02397 02398 ssl->in_left = ret; 02399 } 02400 else 02401 #endif 02402 { 02403 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02404 ssl->in_left, nb_want ) ); 02405 02406 while( ssl->in_left < nb_want ) 02407 { 02408 len = nb_want - ssl->in_left; 02409 02410 if( ssl_check_timer( ssl ) != 0 ) 02411 ret = MBEDTLS_ERR_SSL_TIMEOUT; 02412 else 02413 { 02414 if( ssl->f_recv_timeout != NULL ) 02415 { 02416 ret = ssl->f_recv_timeout( ssl->p_bio, 02417 ssl->in_hdr + ssl->in_left, len, 02418 ssl->conf->read_timeout ); 02419 } 02420 else 02421 { 02422 ret = ssl->f_recv( ssl->p_bio, 02423 ssl->in_hdr + ssl->in_left, len ); 02424 } 02425 } 02426 02427 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", 02428 ssl->in_left, nb_want ) ); 02429 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 02430 02431 if( ret == 0 ) 02432 return( MBEDTLS_ERR_SSL_CONN_EOF ); 02433 02434 if( ret < 0 ) 02435 return( ret ); 02436 02437 ssl->in_left += ret; 02438 } 02439 } 02440 02441 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 02442 02443 return( 0 ); 02444 } 02445 02446 /* 02447 * Flush any data not yet written 02448 */ 02449 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) 02450 { 02451 int ret; 02452 unsigned char *buf, i; 02453 02454 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 02455 02456 if( ssl->f_send == NULL ) 02457 { 02458 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 02459 "or mbedtls_ssl_set_bio()" ) ); 02460 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02461 } 02462 02463 /* Avoid incrementing counter if data is flushed */ 02464 if( ssl->out_left == 0 ) 02465 { 02466 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02467 return( 0 ); 02468 } 02469 02470 while( ssl->out_left > 0 ) 02471 { 02472 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d", 02473 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); 02474 02475 buf = ssl->out_hdr + mbedtls_ssl_hdr_len( ssl ) + 02476 ssl->out_msglen - ssl->out_left; 02477 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); 02478 02479 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 02480 02481 if( ret <= 0 ) 02482 return( ret ); 02483 02484 ssl->out_left -= ret; 02485 } 02486 02487 for( i = 8; i > ssl_ep_len( ssl ); i-- ) 02488 if( ++ssl->out_ctr[i - 1] != 0 ) 02489 break; 02490 02491 /* The loop goes to its end iff the counter is wrapping */ 02492 if( i == ssl_ep_len( ssl ) ) 02493 { 02494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); 02495 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 02496 } 02497 02498 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 02499 02500 return( 0 ); 02501 } 02502 02503 /* 02504 * Functions to handle the DTLS retransmission state machine 02505 */ 02506 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02507 /* 02508 * Append current handshake message to current outgoing flight 02509 */ 02510 static int ssl_flight_append( mbedtls_ssl_context *ssl ) 02511 { 02512 mbedtls_ssl_flight_item *msg; 02513 02514 /* Allocate space for current message */ 02515 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) 02516 { 02517 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", 02518 sizeof( mbedtls_ssl_flight_item ) ) ); 02519 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02520 } 02521 02522 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) 02523 { 02524 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) ); 02525 mbedtls_free( msg ); 02526 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 02527 } 02528 02529 /* Copy current handshake message with headers */ 02530 memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); 02531 msg->len = ssl->out_msglen; 02532 msg->type = ssl->out_msgtype; 02533 msg->next = NULL; 02534 02535 /* Append to the current flight */ 02536 if( ssl->handshake->flight == NULL ) 02537 ssl->handshake->flight = msg; 02538 else 02539 { 02540 mbedtls_ssl_flight_item *cur = ssl->handshake->flight; 02541 while( cur->next != NULL ) 02542 cur = cur->next; 02543 cur->next = msg; 02544 } 02545 02546 return( 0 ); 02547 } 02548 02549 /* 02550 * Free the current flight of handshake messages 02551 */ 02552 static void ssl_flight_free( mbedtls_ssl_flight_item *flight ) 02553 { 02554 mbedtls_ssl_flight_item *cur = flight; 02555 mbedtls_ssl_flight_item *next; 02556 02557 while( cur != NULL ) 02558 { 02559 next = cur->next; 02560 02561 mbedtls_free( cur->p ); 02562 mbedtls_free( cur ); 02563 02564 cur = next; 02565 } 02566 } 02567 02568 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 02569 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); 02570 #endif 02571 02572 /* 02573 * Swap transform_out and out_ctr with the alternative ones 02574 */ 02575 static void ssl_swap_epochs( mbedtls_ssl_context *ssl ) 02576 { 02577 mbedtls_ssl_transform *tmp_transform; 02578 unsigned char tmp_out_ctr[8]; 02579 02580 if( ssl->transform_out == ssl->handshake->alt_transform_out ) 02581 { 02582 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); 02583 return; 02584 } 02585 02586 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); 02587 02588 /* Swap transforms */ 02589 tmp_transform = ssl->transform_out; 02590 ssl->transform_out = ssl->handshake->alt_transform_out; 02591 ssl->handshake->alt_transform_out = tmp_transform; 02592 02593 /* Swap epoch + sequence_number */ 02594 memcpy( tmp_out_ctr, ssl->out_ctr, 8 ); 02595 memcpy( ssl->out_ctr, ssl->handshake->alt_out_ctr, 8 ); 02596 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); 02597 02598 /* Adjust to the newly activated transform */ 02599 if( ssl->transform_out != NULL && 02600 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 02601 { 02602 ssl->out_msg = ssl->out_iv + ssl->transform_out->ivlen - 02603 ssl->transform_out->fixed_ivlen; 02604 } 02605 else 02606 ssl->out_msg = ssl->out_iv; 02607 02608 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02609 if( mbedtls_ssl_hw_record_activate != NULL ) 02610 { 02611 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 02612 { 02613 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 02614 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02615 } 02616 } 02617 #endif 02618 } 02619 02620 /* 02621 * Retransmit the current flight of messages. 02622 * 02623 * Need to remember the current message in case flush_output returns 02624 * WANT_WRITE, causing us to exit this function and come back later. 02625 * This function must be called until state is no longer SENDING. 02626 */ 02627 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) 02628 { 02629 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); 02630 02631 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) 02632 { 02633 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) ); 02634 02635 ssl->handshake->cur_msg = ssl->handshake->flight; 02636 ssl_swap_epochs( ssl ); 02637 02638 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; 02639 } 02640 02641 while( ssl->handshake->cur_msg != NULL ) 02642 { 02643 int ret; 02644 mbedtls_ssl_flight_item *cur = ssl->handshake->cur_msg; 02645 02646 /* Swap epochs before sending Finished: we can't do it after 02647 * sending ChangeCipherSpec, in case write returns WANT_READ. 02648 * Must be done before copying, may change out_msg pointer */ 02649 if( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && 02650 cur->p[0] == MBEDTLS_SSL_HS_FINISHED ) 02651 { 02652 ssl_swap_epochs( ssl ); 02653 } 02654 02655 memcpy( ssl->out_msg, cur->p, cur->len ); 02656 ssl->out_msglen = cur->len; 02657 ssl->out_msgtype = cur->type; 02658 02659 ssl->handshake->cur_msg = cur->next; 02660 02661 MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl->out_msg, 12 ); 02662 02663 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 02664 { 02665 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 02666 return( ret ); 02667 } 02668 } 02669 02670 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 02671 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02672 else 02673 { 02674 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02675 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02676 } 02677 02678 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); 02679 02680 return( 0 ); 02681 } 02682 02683 /* 02684 * To be called when the last message of an incoming flight is received. 02685 */ 02686 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) 02687 { 02688 /* We won't need to resend that one any more */ 02689 ssl_flight_free( ssl->handshake->flight ); 02690 ssl->handshake->flight = NULL; 02691 ssl->handshake->cur_msg = NULL; 02692 02693 /* The next incoming flight will start with this msg_seq */ 02694 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; 02695 02696 /* Cancel timer */ 02697 ssl_set_timer( ssl, 0 ); 02698 02699 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02700 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02701 { 02702 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02703 } 02704 else 02705 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 02706 } 02707 02708 /* 02709 * To be called when the last message of an outgoing flight is send. 02710 */ 02711 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) 02712 { 02713 ssl_reset_retransmit_timeout( ssl ); 02714 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 02715 02716 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 02717 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 02718 { 02719 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 02720 } 02721 else 02722 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 02723 } 02724 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02725 02726 /* 02727 * Record layer functions 02728 */ 02729 02730 /* 02731 * Write current record. 02732 * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg. 02733 */ 02734 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) 02735 { 02736 int ret, done = 0, out_msg_type; 02737 size_t len = ssl->out_msglen; 02738 02739 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 02740 02741 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02742 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02743 ssl->handshake != NULL && 02744 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 02745 { 02746 ; /* Skip special handshake treatment when resending */ 02747 } 02748 else 02749 #endif 02750 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 02751 { 02752 out_msg_type = ssl->out_msg[0]; 02753 02754 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST && 02755 ssl->handshake == NULL ) 02756 { 02757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 02758 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 02759 } 02760 02761 ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 ); 02762 ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >> 8 ); 02763 ssl->out_msg[3] = (unsigned char)( ( len - 4 ) ); 02764 02765 /* 02766 * DTLS has additional fields in the Handshake layer, 02767 * between the length field and the actual payload: 02768 * uint16 message_seq; 02769 * uint24 fragment_offset; 02770 * uint24 fragment_length; 02771 */ 02772 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02773 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 02774 { 02775 /* Make room for the additional DTLS fields */ 02776 if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 ) 02777 { 02778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: " 02779 "size %u, maximum %u", 02780 (unsigned) ( ssl->in_hslen - 4 ), 02781 (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) ); 02782 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 02783 } 02784 02785 memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); 02786 ssl->out_msglen += 8; 02787 len += 8; 02788 02789 /* Write message_seq and update it, except for HelloRequest */ 02790 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02791 { 02792 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; 02793 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; 02794 ++( ssl->handshake->out_msg_seq ); 02795 } 02796 else 02797 { 02798 ssl->out_msg[4] = 0; 02799 ssl->out_msg[5] = 0; 02800 } 02801 02802 /* We don't fragment, so frag_offset = 0 and frag_len = len */ 02803 memset( ssl->out_msg + 6, 0x00, 3 ); 02804 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); 02805 } 02806 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 02807 02808 if( out_msg_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 02809 ssl->handshake->update_checksum( ssl, ssl->out_msg, len ); 02810 } 02811 02812 /* Save handshake and CCS messages for resending */ 02813 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02814 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 02815 ssl->handshake != NULL && 02816 ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && 02817 ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || 02818 ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) ) 02819 { 02820 if( ( ret = ssl_flight_append( ssl ) ) != 0 ) 02821 { 02822 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); 02823 return( ret ); 02824 } 02825 } 02826 #endif 02827 02828 #if defined(MBEDTLS_ZLIB_SUPPORT) 02829 if( ssl->transform_out != NULL && 02830 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 02831 { 02832 if( ( ret = ssl_compress_buf( ssl ) ) != 0 ) 02833 { 02834 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret ); 02835 return( ret ); 02836 } 02837 02838 len = ssl->out_msglen; 02839 } 02840 #endif /*MBEDTLS_ZLIB_SUPPORT */ 02841 02842 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 02843 if( mbedtls_ssl_hw_record_write != NULL ) 02844 { 02845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) ); 02846 02847 ret = mbedtls_ssl_hw_record_write( ssl ); 02848 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 02849 { 02850 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); 02851 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 02852 } 02853 02854 if( ret == 0 ) 02855 done = 1; 02856 } 02857 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 02858 if( !done ) 02859 { 02860 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 02861 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 02862 ssl->conf->transport, ssl->out_hdr + 1 ); 02863 02864 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02865 ssl->out_len[1] = (unsigned char)( len ); 02866 02867 if( ssl->transform_out != NULL ) 02868 { 02869 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 ) 02870 { 02871 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 02872 return( ret ); 02873 } 02874 02875 len = ssl->out_msglen; 02876 ssl->out_len[0] = (unsigned char)( len >> 8 ); 02877 ssl->out_len[1] = (unsigned char)( len ); 02878 } 02879 02880 ssl->out_left = mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen; 02881 02882 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, " 02883 "version = [%d:%d], msglen = %d", 02884 ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2], 02885 ( ssl->out_len[0] << 8 ) | ssl->out_len[1] ) ); 02886 02887 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 02888 ssl->out_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen ); 02889 } 02890 02891 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 02892 { 02893 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 02894 return( ret ); 02895 } 02896 02897 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 02898 02899 return( 0 ); 02900 } 02901 02902 #if defined(MBEDTLS_SSL_PROTO_DTLS) 02903 /* 02904 * Mark bits in bitmask (used for DTLS HS reassembly) 02905 */ 02906 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) 02907 { 02908 unsigned int start_bits, end_bits; 02909 02910 start_bits = 8 - ( offset % 8 ); 02911 if( start_bits != 8 ) 02912 { 02913 size_t first_byte_idx = offset / 8; 02914 02915 /* Special case */ 02916 if( len <= start_bits ) 02917 { 02918 for( ; len != 0; len-- ) 02919 mask[first_byte_idx] |= 1 << ( start_bits - len ); 02920 02921 /* Avoid potential issues with offset or len becoming invalid */ 02922 return; 02923 } 02924 02925 offset += start_bits; /* Now offset % 8 == 0 */ 02926 len -= start_bits; 02927 02928 for( ; start_bits != 0; start_bits-- ) 02929 mask[first_byte_idx] |= 1 << ( start_bits - 1 ); 02930 } 02931 02932 end_bits = len % 8; 02933 if( end_bits != 0 ) 02934 { 02935 size_t last_byte_idx = ( offset + len ) / 8; 02936 02937 len -= end_bits; /* Now len % 8 == 0 */ 02938 02939 for( ; end_bits != 0; end_bits-- ) 02940 mask[last_byte_idx] |= 1 << ( 8 - end_bits ); 02941 } 02942 02943 memset( mask + offset / 8, 0xFF, len / 8 ); 02944 } 02945 02946 /* 02947 * Check that bitmask is full 02948 */ 02949 static int ssl_bitmask_check( unsigned char *mask, size_t len ) 02950 { 02951 size_t i; 02952 02953 for( i = 0; i < len / 8; i++ ) 02954 if( mask[i] != 0xFF ) 02955 return( -1 ); 02956 02957 for( i = 0; i < len % 8; i++ ) 02958 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) 02959 return( -1 ); 02960 02961 return( 0 ); 02962 } 02963 02964 /* 02965 * Reassemble fragmented DTLS handshake messages. 02966 * 02967 * Use a temporary buffer for reassembly, divided in two parts: 02968 * - the first holds the reassembled message (including handshake header), 02969 * - the second holds a bitmask indicating which parts of the message 02970 * (excluding headers) have been received so far. 02971 */ 02972 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) 02973 { 02974 unsigned char *msg, *bitmask; 02975 size_t frag_len, frag_off; 02976 size_t msg_len = ssl->in_hslen - 12; /* Without headers */ 02977 02978 if( ssl->handshake == NULL ) 02979 { 02980 MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) ); 02981 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02982 } 02983 02984 /* 02985 * For first fragment, check size and allocate buffer 02986 */ 02987 if( ssl->handshake->hs_msg == NULL ) 02988 { 02989 size_t alloc_len; 02990 02991 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d", 02992 msg_len ) ); 02993 02994 if( ssl->in_hslen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 02995 { 02996 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) ); 02997 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 02998 } 02999 03000 /* The bitmask needs one bit per byte of message excluding header */ 03001 alloc_len = 12 + msg_len + msg_len / 8 + ( msg_len % 8 != 0 ); 03002 03003 ssl->handshake->hs_msg = mbedtls_calloc( 1, alloc_len ); 03004 if( ssl->handshake->hs_msg == NULL ) 03005 { 03006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len ) ); 03007 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 03008 } 03009 03010 /* Prepare final header: copy msg_type, length and message_seq, 03011 * then add standardised fragment_offset and fragment_length */ 03012 memcpy( ssl->handshake->hs_msg, ssl->in_msg, 6 ); 03013 memset( ssl->handshake->hs_msg + 6, 0, 3 ); 03014 memcpy( ssl->handshake->hs_msg + 9, 03015 ssl->handshake->hs_msg + 1, 3 ); 03016 } 03017 else 03018 { 03019 /* Make sure msg_type and length are consistent */ 03020 if( memcmp( ssl->handshake->hs_msg, ssl->in_msg, 4 ) != 0 ) 03021 { 03022 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) ); 03023 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03024 } 03025 } 03026 03027 msg = ssl->handshake->hs_msg + 12; 03028 bitmask = msg + msg_len; 03029 03030 /* 03031 * Check and copy current fragment 03032 */ 03033 frag_off = ( ssl->in_msg[6] << 16 ) | 03034 ( ssl->in_msg[7] << 8 ) | 03035 ssl->in_msg[8]; 03036 frag_len = ( ssl->in_msg[9] << 16 ) | 03037 ( ssl->in_msg[10] << 8 ) | 03038 ssl->in_msg[11]; 03039 03040 if( frag_off + frag_len > msg_len ) 03041 { 03042 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d", 03043 frag_off, frag_len, msg_len ) ); 03044 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03045 } 03046 03047 if( frag_len + 12 > ssl->in_msglen ) 03048 { 03049 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d", 03050 frag_len, ssl->in_msglen ) ); 03051 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03052 } 03053 03054 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d", 03055 frag_off, frag_len ) ); 03056 03057 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); 03058 ssl_bitmask_set( bitmask, frag_off, frag_len ); 03059 03060 /* 03061 * Do we have the complete message by now? 03062 * If yes, finalize it, else ask to read the next record. 03063 */ 03064 if( ssl_bitmask_check( bitmask, msg_len ) != 0 ) 03065 { 03066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) ); 03067 return( MBEDTLS_ERR_SSL_WANT_READ ); 03068 } 03069 03070 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) ); 03071 03072 if( frag_len + 12 < ssl->in_msglen ) 03073 { 03074 /* 03075 * We'got more handshake messages in the same record. 03076 * This case is not handled now because no know implementation does 03077 * that and it's hard to test, so we prefer to fail cleanly for now. 03078 */ 03079 MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) ); 03080 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03081 } 03082 03083 if( ssl->in_left > ssl->next_record_offset ) 03084 { 03085 /* 03086 * We've got more data in the buffer after the current record, 03087 * that we don't want to overwrite. Move it before writing the 03088 * reassembled message, and adjust in_left and next_record_offset. 03089 */ 03090 unsigned char *cur_remain = ssl->in_hdr + ssl->next_record_offset; 03091 unsigned char *new_remain = ssl->in_msg + ssl->in_hslen; 03092 size_t remain_len = ssl->in_left - ssl->next_record_offset; 03093 03094 /* First compute and check new lengths */ 03095 ssl->next_record_offset = new_remain - ssl->in_hdr; 03096 ssl->in_left = ssl->next_record_offset + remain_len; 03097 03098 if( ssl->in_left > MBEDTLS_SSL_BUFFER_LEN - 03099 (size_t)( ssl->in_hdr - ssl->in_buf ) ) 03100 { 03101 MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) ); 03102 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03103 } 03104 03105 memmove( new_remain, cur_remain, remain_len ); 03106 } 03107 03108 memcpy( ssl->in_msg, ssl->handshake->hs_msg, ssl->in_hslen ); 03109 03110 mbedtls_free( ssl->handshake->hs_msg ); 03111 ssl->handshake->hs_msg = NULL; 03112 03113 MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message", 03114 ssl->in_msg, ssl->in_hslen ); 03115 03116 return( 0 ); 03117 } 03118 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03119 03120 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) 03121 { 03122 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) 03123 { 03124 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", 03125 ssl->in_msglen ) ); 03126 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03127 } 03128 03129 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ( 03130 ( ssl->in_msg[1] << 16 ) | 03131 ( ssl->in_msg[2] << 8 ) | 03132 ssl->in_msg[3] ); 03133 03134 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 03135 " %d, type = %d, hslen = %d", 03136 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 03137 03138 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03139 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03140 { 03141 int ret; 03142 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 03143 03144 /* ssl->handshake is NULL when receiving ClientHello for renego */ 03145 if( ssl->handshake != NULL && 03146 recv_msg_seq != ssl->handshake->in_msg_seq ) 03147 { 03148 /* Retransmit only on last message from previous flight, to avoid 03149 * too many retransmissions. 03150 * Besides, No sane server ever retransmits HelloVerifyRequest */ 03151 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && 03152 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 03153 { 03154 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " 03155 "message_seq = %d, start_of_flight = %d", 03156 recv_msg_seq, 03157 ssl->handshake->in_flight_start_seq ) ); 03158 03159 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 03160 { 03161 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 03162 return( ret ); 03163 } 03164 } 03165 else 03166 { 03167 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " 03168 "message_seq = %d, expected = %d", 03169 recv_msg_seq, 03170 ssl->handshake->in_msg_seq ) ); 03171 } 03172 03173 return( MBEDTLS_ERR_SSL_WANT_READ ); 03174 } 03175 /* Wait until message completion to increment in_msg_seq */ 03176 03177 /* Reassemble if current message is fragmented or reassembly is 03178 * already in progress */ 03179 if( ssl->in_msglen < ssl->in_hslen || 03180 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || 03181 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 || 03182 ( ssl->handshake != NULL && ssl->handshake->hs_msg != NULL ) ) 03183 { 03184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); 03185 03186 if( ( ret = ssl_reassemble_dtls_handshake( ssl ) ) != 0 ) 03187 { 03188 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret ); 03189 return( ret ); 03190 } 03191 } 03192 } 03193 else 03194 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03195 /* With TLS we don't handle fragmentation (for now) */ 03196 if( ssl->in_msglen < ssl->in_hslen ) 03197 { 03198 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); 03199 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 03200 } 03201 03202 return( 0 ); 03203 } 03204 03205 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) 03206 { 03207 03208 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 03209 ssl->handshake != NULL ) 03210 { 03211 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); 03212 } 03213 03214 /* Handshake message is complete, increment counter */ 03215 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03216 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03217 ssl->handshake != NULL ) 03218 { 03219 ssl->handshake->in_msg_seq++; 03220 } 03221 #endif 03222 } 03223 03224 /* 03225 * DTLS anti-replay: RFC 6347 4.1.2.6 03226 * 03227 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). 03228 * Bit n is set iff record number in_window_top - n has been seen. 03229 * 03230 * Usually, in_window_top is the last record number seen and the lsb of 03231 * in_window is set. The only exception is the initial state (record number 0 03232 * not seen yet). 03233 */ 03234 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03235 static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) 03236 { 03237 ssl->in_window_top = 0; 03238 ssl->in_window = 0; 03239 } 03240 03241 static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) 03242 { 03243 return( ( (uint64_t) buf[0] << 40 ) | 03244 ( (uint64_t) buf[1] << 32 ) | 03245 ( (uint64_t) buf[2] << 24 ) | 03246 ( (uint64_t) buf[3] << 16 ) | 03247 ( (uint64_t) buf[4] << 8 ) | 03248 ( (uint64_t) buf[5] ) ); 03249 } 03250 03251 /* 03252 * Return 0 if sequence number is acceptable, -1 otherwise 03253 */ 03254 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) 03255 { 03256 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03257 uint64_t bit; 03258 03259 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03260 return( 0 ); 03261 03262 if( rec_seqnum > ssl->in_window_top ) 03263 return( 0 ); 03264 03265 bit = ssl->in_window_top - rec_seqnum; 03266 03267 if( bit >= 64 ) 03268 return( -1 ); 03269 03270 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) 03271 return( -1 ); 03272 03273 return( 0 ); 03274 } 03275 03276 /* 03277 * Update replay window on new validated record 03278 */ 03279 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) 03280 { 03281 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 03282 03283 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 03284 return; 03285 03286 if( rec_seqnum > ssl->in_window_top ) 03287 { 03288 /* Update window_top and the contents of the window */ 03289 uint64_t shift = rec_seqnum - ssl->in_window_top; 03290 03291 if( shift >= 64 ) 03292 ssl->in_window = 1; 03293 else 03294 { 03295 ssl->in_window <<= shift; 03296 ssl->in_window |= 1; 03297 } 03298 03299 ssl->in_window_top = rec_seqnum; 03300 } 03301 else 03302 { 03303 /* Mark that number as seen in the current window */ 03304 uint64_t bit = ssl->in_window_top - rec_seqnum; 03305 03306 if( bit < 64 ) /* Always true, but be extra sure */ 03307 ssl->in_window |= (uint64_t) 1 << bit; 03308 } 03309 } 03310 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 03311 03312 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03313 /* Forward declaration */ 03314 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); 03315 03316 /* 03317 * Without any SSL context, check if a datagram looks like a ClientHello with 03318 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. 03319 * Both input and output include full DTLS headers. 03320 * 03321 * - if cookie is valid, return 0 03322 * - if ClientHello looks superficially valid but cookie is not, 03323 * fill obuf and set olen, then 03324 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03325 * - otherwise return a specific error code 03326 */ 03327 static int ssl_check_dtls_clihlo_cookie( 03328 mbedtls_ssl_cookie_write_t *f_cookie_write, 03329 mbedtls_ssl_cookie_check_t *f_cookie_check, 03330 void *p_cookie, 03331 const unsigned char *cli_id, size_t cli_id_len, 03332 const unsigned char *in, size_t in_len, 03333 unsigned char *obuf, size_t buf_len, size_t *olen ) 03334 { 03335 size_t sid_len, cookie_len; 03336 unsigned char *p; 03337 03338 if( f_cookie_write == NULL || f_cookie_check == NULL ) 03339 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 03340 03341 /* 03342 * Structure of ClientHello with record and handshake headers, 03343 * and expected values. We don't need to check a lot, more checks will be 03344 * done when actually parsing the ClientHello - skipping those checks 03345 * avoids code duplication and does not make cookie forging any easier. 03346 * 03347 * 0-0 ContentType type; copied, must be handshake 03348 * 1-2 ProtocolVersion version; copied 03349 * 3-4 uint16 epoch; copied, must be 0 03350 * 5-10 uint48 sequence_number; copied 03351 * 11-12 uint16 length; (ignored) 03352 * 03353 * 13-13 HandshakeType msg_type; (ignored) 03354 * 14-16 uint24 length; (ignored) 03355 * 17-18 uint16 message_seq; copied 03356 * 19-21 uint24 fragment_offset; copied, must be 0 03357 * 22-24 uint24 fragment_length; (ignored) 03358 * 03359 * 25-26 ProtocolVersion client_version; (ignored) 03360 * 27-58 Random random; (ignored) 03361 * 59-xx SessionID session_id; 1 byte len + sid_len content 03362 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content 03363 * ... 03364 * 03365 * Minimum length is 61 bytes. 03366 */ 03367 if( in_len < 61 || 03368 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || 03369 in[3] != 0 || in[4] != 0 || 03370 in[19] != 0 || in[20] != 0 || in[21] != 0 ) 03371 { 03372 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03373 } 03374 03375 sid_len = in[59]; 03376 if( sid_len > in_len - 61 ) 03377 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03378 03379 cookie_len = in[60 + sid_len]; 03380 if( cookie_len > in_len - 60 ) 03381 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 03382 03383 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, 03384 cli_id, cli_id_len ) == 0 ) 03385 { 03386 /* Valid cookie */ 03387 return( 0 ); 03388 } 03389 03390 /* 03391 * If we get here, we've got an invalid cookie, let's prepare HVR. 03392 * 03393 * 0-0 ContentType type; copied 03394 * 1-2 ProtocolVersion version; copied 03395 * 3-4 uint16 epoch; copied 03396 * 5-10 uint48 sequence_number; copied 03397 * 11-12 uint16 length; olen - 13 03398 * 03399 * 13-13 HandshakeType msg_type; hello_verify_request 03400 * 14-16 uint24 length; olen - 25 03401 * 17-18 uint16 message_seq; copied 03402 * 19-21 uint24 fragment_offset; copied 03403 * 22-24 uint24 fragment_length; olen - 25 03404 * 03405 * 25-26 ProtocolVersion server_version; 0xfe 0xff 03406 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie 03407 * 03408 * Minimum length is 28. 03409 */ 03410 if( buf_len < 28 ) 03411 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 03412 03413 /* Copy most fields and adapt others */ 03414 memcpy( obuf, in, 25 ); 03415 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 03416 obuf[25] = 0xfe; 03417 obuf[26] = 0xff; 03418 03419 /* Generate and write actual cookie */ 03420 p = obuf + 28; 03421 if( f_cookie_write( p_cookie, 03422 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) 03423 { 03424 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03425 } 03426 03427 *olen = p - obuf; 03428 03429 /* Go back and fill length fields */ 03430 obuf[27] = (unsigned char)( *olen - 28 ); 03431 03432 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); 03433 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); 03434 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); 03435 03436 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); 03437 obuf[12] = (unsigned char)( ( *olen - 13 ) ); 03438 03439 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03440 } 03441 03442 /* 03443 * Handle possible client reconnect with the same UDP quadruplet 03444 * (RFC 6347 Section 4.2.8). 03445 * 03446 * Called by ssl_parse_record_header() in case we receive an epoch 0 record 03447 * that looks like a ClientHello. 03448 * 03449 * - if the input looks like a ClientHello without cookies, 03450 * send back HelloVerifyRequest, then 03451 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 03452 * - if the input looks like a ClientHello with a valid cookie, 03453 * reset the session of the current context, and 03454 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT 03455 * - if anything goes wrong, return a specific error code 03456 * 03457 * mbedtls_ssl_read_record() will ignore the record if anything else than 03458 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function 03459 * cannot not return 0. 03460 */ 03461 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) 03462 { 03463 int ret; 03464 size_t len; 03465 03466 ret = ssl_check_dtls_clihlo_cookie( 03467 ssl->conf->f_cookie_write, 03468 ssl->conf->f_cookie_check, 03469 ssl->conf->p_cookie, 03470 ssl->cli_id, ssl->cli_id_len, 03471 ssl->in_buf, ssl->in_left, 03472 ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len ); 03473 03474 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); 03475 03476 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) 03477 { 03478 /* Don't check write errors as we can't do anything here. 03479 * If the error is permanent we'll catch it later, 03480 * if it's not, then hopefully it'll work next time. */ 03481 (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); 03482 03483 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 03484 } 03485 03486 if( ret == 0 ) 03487 { 03488 /* Got a valid cookie, partially reset context */ 03489 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 ) 03490 { 03491 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); 03492 return( ret ); 03493 } 03494 03495 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); 03496 } 03497 03498 return( ret ); 03499 } 03500 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03501 03502 /* 03503 * ContentType type; 03504 * ProtocolVersion version; 03505 * uint16 epoch; // DTLS only 03506 * uint48 sequence_number; // DTLS only 03507 * uint16 length; 03508 * 03509 * Return 0 if header looks sane (and, for DTLS, the record is expected) 03510 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, 03511 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. 03512 * 03513 * With DTLS, mbedtls_ssl_read_record() will: 03514 * 1. proceed with the record if this function returns 0 03515 * 2. drop only the current record if this function returns UNEXPECTED_RECORD 03516 * 3. return CLIENT_RECONNECT if this function return that value 03517 * 4. drop the whole datagram if this function returns anything else. 03518 * Point 2 is needed when the peer is resending, and we have already received 03519 * the first record from a datagram but are still waiting for the others. 03520 */ 03521 static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) 03522 { 03523 int major_ver, minor_ver; 03524 03525 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) ); 03526 03527 ssl->in_msgtype = ssl->in_hdr[0]; 03528 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; 03529 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); 03530 03531 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " 03532 "version = [%d:%d], msglen = %d", 03533 ssl->in_msgtype, 03534 major_ver, minor_ver, ssl->in_msglen ) ); 03535 03536 /* Check record type */ 03537 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && 03538 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT && 03539 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03540 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 03541 { 03542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); 03543 03544 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03545 /* Silently ignore invalid DTLS records as recommended by RFC 6347 03546 * Section 4.1.2.7 */ 03547 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03548 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03549 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 03550 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 03551 03552 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03553 } 03554 03555 /* Check version */ 03556 if( major_ver != ssl->major_ver ) 03557 { 03558 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 03559 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03560 } 03561 03562 if( minor_ver > ssl->conf->max_minor_ver ) 03563 { 03564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 03565 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03566 } 03567 03568 /* Check length against the size of our buffer */ 03569 if( ssl->in_msglen > MBEDTLS_SSL_BUFFER_LEN 03570 - (size_t)( ssl->in_msg - ssl->in_buf ) ) 03571 { 03572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03573 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03574 } 03575 03576 /* Check length against bounds of the current transform and version */ 03577 if( ssl->transform_in == NULL ) 03578 { 03579 if( ssl->in_msglen < 1 || 03580 ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03581 { 03582 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03583 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03584 } 03585 } 03586 else 03587 { 03588 if( ssl->in_msglen < ssl->transform_in->minlen ) 03589 { 03590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03591 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03592 } 03593 03594 #if defined(MBEDTLS_SSL_PROTO_SSL3) 03595 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 03596 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_MAX_CONTENT_LEN ) 03597 { 03598 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03599 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03600 } 03601 #endif 03602 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 03603 defined(MBEDTLS_SSL_PROTO_TLS1_2) 03604 /* 03605 * TLS encrypted messages can have up to 256 bytes of padding 03606 */ 03607 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 && 03608 ssl->in_msglen > ssl->transform_in->minlen + 03609 MBEDTLS_SSL_MAX_CONTENT_LEN + 256 ) 03610 { 03611 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03612 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03613 } 03614 #endif 03615 } 03616 03617 /* 03618 * DTLS-related tests done last, because most of them may result in 03619 * silently dropping the record (but not the whole datagram), and we only 03620 * want to consider that after ensuring that the "basic" fields (type, 03621 * version, length) are sane. 03622 */ 03623 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03624 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03625 { 03626 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; 03627 03628 /* Drop unexpected ChangeCipherSpec messages */ 03629 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 03630 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && 03631 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 03632 { 03633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) ); 03634 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03635 } 03636 03637 /* Drop unexpected ApplicationData records, 03638 * except at the beginning of renegotiations */ 03639 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && 03640 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER 03641 #if defined(MBEDTLS_SSL_RENEGOTIATION) 03642 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 03643 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) 03644 #endif 03645 ) 03646 { 03647 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); 03648 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03649 } 03650 03651 /* Check epoch (and sequence number) with DTLS */ 03652 if( rec_epoch != ssl->in_epoch ) 03653 { 03654 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 03655 "expected %d, received %d", 03656 ssl->in_epoch, rec_epoch ) ); 03657 03658 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 03659 /* 03660 * Check for an epoch 0 ClientHello. We can't use in_msg here to 03661 * access the first byte of record content (handshake type), as we 03662 * have an active transform (possibly iv_len != 0), so use the 03663 * fact that the record header len is 13 instead. 03664 */ 03665 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 03666 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 03667 rec_epoch == 0 && 03668 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 03669 ssl->in_left > 13 && 03670 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) 03671 { 03672 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " 03673 "from the same port" ) ); 03674 return( ssl_handle_possible_reconnect( ssl ) ); 03675 } 03676 else 03677 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 03678 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03679 } 03680 03681 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03682 /* Replay detection only works for the current epoch */ 03683 if( rec_epoch == ssl->in_epoch && 03684 mbedtls_ssl_dtls_replay_check( ssl ) != 0 ) 03685 { 03686 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); 03687 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 03688 } 03689 #endif 03690 } 03691 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 03692 03693 return( 0 ); 03694 } 03695 03696 /* 03697 * If applicable, decrypt (and decompress) record content 03698 */ 03699 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) 03700 { 03701 int ret, done = 0; 03702 03703 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", 03704 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ); 03705 03706 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 03707 if( mbedtls_ssl_hw_record_read != NULL ) 03708 { 03709 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) ); 03710 03711 ret = mbedtls_ssl_hw_record_read( ssl ); 03712 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 03713 { 03714 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); 03715 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 03716 } 03717 03718 if( ret == 0 ) 03719 done = 1; 03720 } 03721 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 03722 if( !done && ssl->transform_in != NULL ) 03723 { 03724 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) 03725 { 03726 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 03727 return( ret ); 03728 } 03729 03730 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", 03731 ssl->in_msg, ssl->in_msglen ); 03732 03733 if( ssl->in_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) 03734 { 03735 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 03736 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 03737 } 03738 } 03739 03740 #if defined(MBEDTLS_ZLIB_SUPPORT) 03741 if( ssl->transform_in != NULL && 03742 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 03743 { 03744 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) 03745 { 03746 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); 03747 return( ret ); 03748 } 03749 } 03750 #endif /* MBEDTLS_ZLIB_SUPPORT */ 03751 03752 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 03753 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03754 { 03755 mbedtls_ssl_dtls_replay_update( ssl ); 03756 } 03757 #endif 03758 03759 return( 0 ); 03760 } 03761 03762 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ); 03763 03764 /* 03765 * Read a record. 03766 * 03767 * Silently ignore non-fatal alert (and for DTLS, invalid records as well, 03768 * RFC 6347 4.1.2.7) and continue reading until a valid record is found. 03769 * 03770 */ 03771 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl ) 03772 { 03773 int ret; 03774 03775 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 03776 03777 if( ssl->keep_current_message == 0 ) 03778 { 03779 do { 03780 03781 if( ( ret = mbedtls_ssl_read_record_layer( ssl ) ) != 0 ) 03782 { 03783 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03784 return( ret ); 03785 } 03786 03787 ret = mbedtls_ssl_handle_message_type( ssl ); 03788 03789 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ); 03790 03791 if( 0 != ret ) 03792 { 03793 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret ); 03794 return( ret ); 03795 } 03796 03797 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 03798 { 03799 mbedtls_ssl_update_handshake_status( ssl ); 03800 } 03801 } 03802 else 03803 { 03804 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= reuse previously read message" ) ); 03805 ssl->keep_current_message = 0; 03806 } 03807 03808 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 03809 03810 return( 0 ); 03811 } 03812 03813 int mbedtls_ssl_read_record_layer( mbedtls_ssl_context *ssl ) 03814 { 03815 int ret; 03816 03817 /* 03818 * Step A 03819 * 03820 * Consume last content-layer message and potentially 03821 * update in_msglen which keeps track of the contents' 03822 * consumption state. 03823 * 03824 * (1) Handshake messages: 03825 * Remove last handshake message, move content 03826 * and adapt in_msglen. 03827 * 03828 * (2) Alert messages: 03829 * Consume whole record content, in_msglen = 0. 03830 * 03831 * NOTE: This needs to be fixed, since like for 03832 * handshake messages it is allowed to have 03833 * multiple alerts witin a single record. 03834 * Internal reference IOTSSL-1321. 03835 * 03836 * (3) Change cipher spec: 03837 * Consume whole record content, in_msglen = 0. 03838 * 03839 * (4) Application data: 03840 * Don't do anything - the record layer provides 03841 * the application data as a stream transport 03842 * and consumes through mbedtls_ssl_read only. 03843 * 03844 */ 03845 03846 /* Case (1): Handshake messages */ 03847 if( ssl->in_hslen != 0 ) 03848 { 03849 /* Hard assertion to be sure that no application data 03850 * is in flight, as corrupting ssl->in_msglen during 03851 * ssl->in_offt != NULL is fatal. */ 03852 if( ssl->in_offt != NULL ) 03853 { 03854 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 03855 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 03856 } 03857 03858 /* 03859 * Get next Handshake message in the current record 03860 */ 03861 03862 /* Notes: 03863 * (1) in_hslen is *NOT* necessarily the size of the 03864 * current handshake content: If DTLS handshake 03865 * fragmentation is used, that's the fragment 03866 * size instead. Using the total handshake message 03867 * size here is FAULTY and should be changed at 03868 * some point. Internal reference IOTSSL-1414. 03869 * (2) While it doesn't seem to cause problems, one 03870 * has to be very careful not to assume that in_hslen 03871 * is always <= in_msglen in a sensible communication. 03872 * Again, it's wrong for DTLS handshake fragmentation. 03873 * The following check is therefore mandatory, and 03874 * should not be treated as a silently corrected assertion. 03875 * Additionally, ssl->in_hslen might be arbitrarily out of 03876 * bounds after handling a DTLS message with an unexpected 03877 * sequence number, see mbedtls_ssl_prepare_handshake_record. 03878 */ 03879 if( ssl->in_hslen < ssl->in_msglen ) 03880 { 03881 ssl->in_msglen -= ssl->in_hslen; 03882 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 03883 ssl->in_msglen ); 03884 03885 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", 03886 ssl->in_msg, ssl->in_msglen ); 03887 } 03888 else 03889 { 03890 ssl->in_msglen = 0; 03891 } 03892 03893 ssl->in_hslen = 0; 03894 } 03895 /* Case (4): Application data */ 03896 else if( ssl->in_offt != NULL ) 03897 { 03898 return( 0 ); 03899 } 03900 /* Everything else (CCS & Alerts) */ 03901 else 03902 { 03903 ssl->in_msglen = 0; 03904 } 03905 03906 /* 03907 * Step B 03908 * 03909 * Fetch and decode new record if current one is fully consumed. 03910 * 03911 */ 03912 03913 if( ssl->in_msglen > 0 ) 03914 { 03915 /* There's something left to be processed in the current record. */ 03916 return( 0 ); 03917 } 03918 03919 /* Need to fetch a new record */ 03920 03921 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03922 read_record_header: 03923 #endif 03924 03925 /* Current record either fully processed or to be discarded. */ 03926 03927 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 ) 03928 { 03929 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03930 return( ret ); 03931 } 03932 03933 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) 03934 { 03935 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03936 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 03937 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) 03938 { 03939 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) 03940 { 03941 /* Skip unexpected record (but not whole datagram) */ 03942 ssl->next_record_offset = ssl->in_msglen 03943 + mbedtls_ssl_hdr_len( ssl ); 03944 03945 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " 03946 "(header)" ) ); 03947 } 03948 else 03949 { 03950 /* Skip invalid record and the rest of the datagram */ 03951 ssl->next_record_offset = 0; 03952 ssl->in_left = 0; 03953 03954 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " 03955 "(header)" ) ); 03956 } 03957 03958 /* Get next record */ 03959 goto read_record_header; 03960 } 03961 #endif 03962 return( ret ); 03963 } 03964 03965 /* 03966 * Read and optionally decrypt the message contents 03967 */ 03968 if( ( ret = mbedtls_ssl_fetch_input( ssl, 03969 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 ) 03970 { 03971 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 03972 return( ret ); 03973 } 03974 03975 /* Done reading this record, get ready for the next one */ 03976 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03977 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03978 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); 03979 else 03980 #endif 03981 ssl->in_left = 0; 03982 03983 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) 03984 { 03985 #if defined(MBEDTLS_SSL_PROTO_DTLS) 03986 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 03987 { 03988 /* Silently discard invalid records */ 03989 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || 03990 ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 03991 { 03992 /* Except when waiting for Finished as a bad mac here 03993 * probably means something went wrong in the handshake 03994 * (eg wrong psk used, mitm downgrade attempt, etc.) */ 03995 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || 03996 ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) 03997 { 03998 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 03999 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 04000 { 04001 mbedtls_ssl_send_alert_message( ssl, 04002 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04003 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 04004 } 04005 #endif 04006 return( ret ); 04007 } 04008 04009 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 04010 if( ssl->conf->badmac_limit != 0 && 04011 ++ssl->badmac_seen >= ssl->conf->badmac_limit ) 04012 { 04013 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); 04014 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 04015 } 04016 #endif 04017 04018 /* As above, invalid records cause 04019 * dismissal of the whole datagram. */ 04020 04021 ssl->next_record_offset = 0; 04022 ssl->in_left = 0; 04023 04024 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); 04025 goto read_record_header; 04026 } 04027 04028 return( ret ); 04029 } 04030 else 04031 #endif 04032 { 04033 /* Error out (and send alert) on invalid records */ 04034 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 04035 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 04036 { 04037 mbedtls_ssl_send_alert_message( ssl, 04038 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04039 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 04040 } 04041 #endif 04042 return( ret ); 04043 } 04044 } 04045 04046 /* 04047 * When we sent the last flight of the handshake, we MUST respond to a 04048 * retransmit of the peer's previous flight with a retransmit. (In 04049 * practice, only the Finished message will make it, other messages 04050 * including CCS use the old transform so they're dropped as invalid.) 04051 * 04052 * If the record we received is not a handshake message, however, it 04053 * means the peer received our last flight so we can clean up 04054 * handshake info. 04055 * 04056 * This check needs to be done before prepare_handshake() due to an edge 04057 * case: if the client immediately requests renegotiation, this 04058 * finishes the current handshake first, avoiding the new ClientHello 04059 * being mistaken for an ancient message in the current handshake. 04060 */ 04061 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04062 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 04063 ssl->handshake != NULL && 04064 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 04065 { 04066 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04067 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 04068 { 04069 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) ); 04070 04071 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 04072 { 04073 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 04074 return( ret ); 04075 } 04076 04077 return( MBEDTLS_ERR_SSL_WANT_READ ); 04078 } 04079 else 04080 { 04081 ssl_handshake_wrapup_free_hs_transform( ssl ); 04082 } 04083 } 04084 #endif 04085 04086 return( 0 ); 04087 } 04088 04089 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) 04090 { 04091 int ret; 04092 04093 /* 04094 * Handle particular types of records 04095 */ 04096 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 04097 { 04098 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 ) 04099 { 04100 return( ret ); 04101 } 04102 } 04103 04104 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 04105 { 04106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]", 04107 ssl->in_msg[0], ssl->in_msg[1] ) ); 04108 04109 /* 04110 * Ignore non-fatal alerts, except close_notify and no_renegotiation 04111 */ 04112 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) 04113 { 04114 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", 04115 ssl->in_msg[1] ) ); 04116 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); 04117 } 04118 04119 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04120 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) 04121 { 04122 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 04123 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); 04124 } 04125 04126 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) 04127 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04128 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) 04129 { 04130 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 04131 /* Will be handled when trying to parse ServerHello */ 04132 return( 0 ); 04133 } 04134 #endif 04135 04136 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) 04137 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 04138 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04139 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04140 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04141 { 04142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 04143 /* Will be handled in mbedtls_ssl_parse_certificate() */ 04144 return( 0 ); 04145 } 04146 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 04147 04148 /* Silently ignore: fetch new message */ 04149 return MBEDTLS_ERR_SSL_NON_FATAL; 04150 } 04151 04152 return( 0 ); 04153 } 04154 04155 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) 04156 { 04157 int ret; 04158 04159 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 04160 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04161 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 ) 04162 { 04163 return( ret ); 04164 } 04165 04166 return( 0 ); 04167 } 04168 04169 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, 04170 unsigned char level, 04171 unsigned char message ) 04172 { 04173 int ret; 04174 04175 if( ssl == NULL || ssl->conf == NULL ) 04176 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 04177 04178 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); 04179 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message )); 04180 04181 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04182 ssl->out_msglen = 2; 04183 ssl->out_msg[0] = level; 04184 ssl->out_msg[1] = message; 04185 04186 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04187 { 04188 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04189 return( ret ); 04190 } 04191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); 04192 04193 return( 0 ); 04194 } 04195 04196 /* 04197 * Handshake functions 04198 */ 04199 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \ 04200 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \ 04201 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \ 04202 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \ 04203 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ 04204 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ 04205 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) 04206 /* No certificate support -> dummy functions */ 04207 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04208 { 04209 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04210 04211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04212 04213 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04214 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04215 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04216 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04217 { 04218 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04219 ssl->state++; 04220 return( 0 ); 04221 } 04222 04223 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04224 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04225 } 04226 04227 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04228 { 04229 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04230 04231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04232 04233 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04234 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04235 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04236 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04237 { 04238 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04239 ssl->state++; 04240 return( 0 ); 04241 } 04242 04243 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04244 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 04245 } 04246 04247 #else 04248 /* Some certificate support -> implement write and parse */ 04249 04250 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) 04251 { 04252 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04253 size_t i, n; 04254 const mbedtls_x509_crt *crt; 04255 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04256 04257 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); 04258 04259 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04260 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04261 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04262 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04263 { 04264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04265 ssl->state++; 04266 return( 0 ); 04267 } 04268 04269 #if defined(MBEDTLS_SSL_CLI_C) 04270 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 04271 { 04272 if( ssl->client_auth == 0 ) 04273 { 04274 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) ); 04275 ssl->state++; 04276 return( 0 ); 04277 } 04278 04279 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04280 /* 04281 * If using SSLv3 and got no cert, send an Alert message 04282 * (otherwise an empty Certificate message will be sent). 04283 */ 04284 if( mbedtls_ssl_own_cert( ssl ) == NULL && 04285 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04286 { 04287 ssl->out_msglen = 2; 04288 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 04289 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING; 04290 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT; 04291 04292 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) ); 04293 goto write_msg; 04294 } 04295 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04296 } 04297 #endif /* MBEDTLS_SSL_CLI_C */ 04298 #if defined(MBEDTLS_SSL_SRV_C) 04299 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 04300 { 04301 if( mbedtls_ssl_own_cert( ssl ) == NULL ) 04302 { 04303 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); 04304 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); 04305 } 04306 } 04307 #endif 04308 04309 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) ); 04310 04311 /* 04312 * 0 . 0 handshake type 04313 * 1 . 3 handshake length 04314 * 4 . 6 length of all certs 04315 * 7 . 9 length of cert. 1 04316 * 10 . n-1 peer certificate 04317 * n . n+2 length of cert. 2 04318 * n+3 . ... upper level cert, etc. 04319 */ 04320 i = 7; 04321 crt = mbedtls_ssl_own_cert( ssl ); 04322 04323 while( crt != NULL ) 04324 { 04325 n = crt->raw.len; 04326 if( n > MBEDTLS_SSL_MAX_CONTENT_LEN - 3 - i ) 04327 { 04328 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d", 04329 i + 3 + n, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); 04330 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); 04331 } 04332 04333 ssl->out_msg[i ] = (unsigned char)( n >> 16 ); 04334 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 ); 04335 ssl->out_msg[i + 2] = (unsigned char)( n ); 04336 04337 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n ); 04338 i += n; crt = crt->next; 04339 } 04340 04341 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 ); 04342 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 ); 04343 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) ); 04344 04345 ssl->out_msglen = i; 04346 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 04347 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 04348 04349 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) 04350 write_msg: 04351 #endif 04352 04353 ssl->state++; 04354 04355 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04356 { 04357 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04358 return( ret ); 04359 } 04360 04361 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) ); 04362 04363 return( ret ); 04364 } 04365 04366 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) 04367 { 04368 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 04369 size_t i, n; 04370 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info; 04371 int authmode = ssl->conf->authmode; 04372 uint8_t alert; 04373 04374 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); 04375 04376 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || 04377 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || 04378 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || 04379 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) 04380 { 04381 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04382 ssl->state++; 04383 return( 0 ); 04384 } 04385 04386 #if defined(MBEDTLS_SSL_SRV_C) 04387 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04388 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) 04389 { 04390 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04391 ssl->state++; 04392 return( 0 ); 04393 } 04394 04395 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04396 if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) 04397 authmode = ssl->handshake->sni_authmode; 04398 #endif 04399 04400 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04401 authmode == MBEDTLS_SSL_VERIFY_NONE ) 04402 { 04403 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; 04404 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); 04405 ssl->state++; 04406 return( 0 ); 04407 } 04408 #endif 04409 04410 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04411 { 04412 /* mbedtls_ssl_read_record may have sent an alert already. We 04413 let it decide whether to alert. */ 04414 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04415 return( ret ); 04416 } 04417 04418 ssl->state++; 04419 04420 #if defined(MBEDTLS_SSL_SRV_C) 04421 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04422 /* 04423 * Check if the client sent an empty certificate 04424 */ 04425 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04426 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 04427 { 04428 if( ssl->in_msglen == 2 && 04429 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT && 04430 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 04431 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 04432 { 04433 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); 04434 04435 /* The client was asked for a certificate but didn't send 04436 one. The client should know what's going on, so we 04437 don't send an alert. */ 04438 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04439 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04440 return( 0 ); 04441 else 04442 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04443 } 04444 } 04445 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 04446 04447 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 04448 defined(MBEDTLS_SSL_PROTO_TLS1_2) 04449 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 04450 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) 04451 { 04452 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && 04453 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 04454 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 04455 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) 04456 { 04457 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); 04458 04459 /* The client was asked for a certificate but didn't send 04460 one. The client should know what's going on, so we 04461 don't send an alert. */ 04462 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 04463 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) 04464 return( 0 ); 04465 else 04466 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); 04467 } 04468 } 04469 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 04470 MBEDTLS_SSL_PROTO_TLS1_2 */ 04471 #endif /* MBEDTLS_SSL_SRV_C */ 04472 04473 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 04474 { 04475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04476 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04477 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 04478 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04479 } 04480 04481 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE || 04482 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 ) 04483 { 04484 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04485 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04486 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04487 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04488 } 04489 04490 i = mbedtls_ssl_hs_hdr_len( ssl ); 04491 04492 /* 04493 * Same message structure as in mbedtls_ssl_write_certificate() 04494 */ 04495 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2]; 04496 04497 if( ssl->in_msg[i] != 0 || 04498 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) ) 04499 { 04500 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04501 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04502 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04503 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04504 } 04505 04506 /* In case we tried to reuse a session but it failed */ 04507 if( ssl->session_negotiate->peer_cert != NULL ) 04508 { 04509 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); 04510 mbedtls_free( ssl->session_negotiate->peer_cert ); 04511 } 04512 04513 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1, 04514 sizeof( mbedtls_x509_crt ) ) ) == NULL ) 04515 { 04516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", 04517 sizeof( mbedtls_x509_crt ) ) ); 04518 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04519 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 04520 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 04521 } 04522 04523 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert ); 04524 04525 i += 3; 04526 04527 while( i < ssl->in_hslen ) 04528 { 04529 if( ssl->in_msg[i] != 0 ) 04530 { 04531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04532 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04533 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04534 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04535 } 04536 04537 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 ) 04538 | (unsigned int) ssl->in_msg[i + 2]; 04539 i += 3; 04540 04541 if( n < 128 || i + n > ssl->in_hslen ) 04542 { 04543 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) ); 04544 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04545 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04546 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04547 } 04548 04549 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert, 04550 ssl->in_msg + i, n ); 04551 switch( ret ) 04552 { 04553 case 0: /*ok*/ 04554 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 04555 /* Ignore certificate with an unknown algorithm: maybe a 04556 prior certificate was already trusted. */ 04557 break; 04558 04559 case MBEDTLS_ERR_X509_ALLOC_FAILED: 04560 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; 04561 goto crt_parse_der_failed; 04562 04563 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 04564 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04565 goto crt_parse_der_failed; 04566 04567 default: 04568 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 04569 crt_parse_der_failed: 04570 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert ); 04571 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret ); 04572 return( ret ); 04573 } 04574 04575 i += n; 04576 } 04577 04578 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); 04579 04580 /* 04581 * On client, make sure the server cert doesn't change during renego to 04582 * avoid "triple handshake" attack: https://secure-resumption.com/ 04583 */ 04584 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 04585 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 04586 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 04587 { 04588 if( ssl->session->peer_cert == NULL ) 04589 { 04590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) ); 04591 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04592 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); 04593 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04594 } 04595 04596 if( ssl->session->peer_cert->raw.len != 04597 ssl->session_negotiate->peer_cert->raw.len || 04598 memcmp( ssl->session->peer_cert->raw.p, 04599 ssl->session_negotiate->peer_cert->raw.p, 04600 ssl->session->peer_cert->raw.len ) != 0 ) 04601 { 04602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) ); 04603 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04604 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED ); 04605 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ); 04606 } 04607 } 04608 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 04609 04610 if( authmode != MBEDTLS_SSL_VERIFY_NONE ) 04611 { 04612 mbedtls_x509_crt *ca_chain; 04613 mbedtls_x509_crl *ca_crl; 04614 04615 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 04616 if( ssl->handshake->sni_ca_chain != NULL ) 04617 { 04618 ca_chain = ssl->handshake->sni_ca_chain; 04619 ca_crl = ssl->handshake->sni_ca_crl; 04620 } 04621 else 04622 #endif 04623 { 04624 ca_chain = ssl->conf->ca_chain; 04625 ca_crl = ssl->conf->ca_crl; 04626 } 04627 04628 /* 04629 * Main check: verify certificate 04630 */ 04631 ret = mbedtls_x509_crt_verify_with_profile( 04632 ssl->session_negotiate->peer_cert, 04633 ca_chain, ca_crl, 04634 ssl->conf->cert_profile, 04635 ssl->hostname, 04636 &ssl->session_negotiate->verify_result, 04637 ssl->conf->f_vrfy, ssl->conf->p_vrfy ); 04638 04639 if( ret != 0 ) 04640 { 04641 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret ); 04642 } 04643 04644 /* 04645 * Secondary checks: always done, but change 'ret' only if it was 0 04646 */ 04647 04648 #if defined(MBEDTLS_ECP_C) 04649 { 04650 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; 04651 04652 /* If certificate uses an EC key, make sure the curve is OK */ 04653 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) && 04654 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp .id ) != 0 ) 04655 { 04656 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; 04657 04658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) ); 04659 if( ret == 0 ) 04660 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04661 } 04662 } 04663 #endif /* MBEDTLS_ECP_C */ 04664 04665 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, 04666 ciphersuite_info, 04667 ! ssl->conf->endpoint, 04668 &ssl->session_negotiate->verify_result ) != 0 ) 04669 { 04670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); 04671 if( ret == 0 ) 04672 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; 04673 } 04674 04675 /* mbedtls_x509_crt_verify_with_profile is supposed to report a 04676 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, 04677 * with details encoded in the verification flags. All other kinds 04678 * of error codes, including those from the user provided f_vrfy 04679 * functions, are treated as fatal and lead to a failure of 04680 * ssl_parse_certificate even if verification was optional. */ 04681 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && 04682 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || 04683 ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) ) 04684 { 04685 ret = 0; 04686 } 04687 04688 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) 04689 { 04690 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); 04691 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; 04692 } 04693 04694 if( ret != 0 ) 04695 { 04696 /* The certificate may have been rejected for several reasons. 04697 Pick one and send the corresponding alert. Which alert to send 04698 may be a subject of debate in some cases. */ 04699 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER ) 04700 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; 04701 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH ) 04702 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 04703 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE ) 04704 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04705 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE ) 04706 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04707 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE ) 04708 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04709 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK ) 04710 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04711 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY ) 04712 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 04713 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED ) 04714 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; 04715 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED ) 04716 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; 04717 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) 04718 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; 04719 else 04720 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; 04721 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04722 alert ); 04723 } 04724 04725 #if defined(MBEDTLS_DEBUG_C) 04726 if( ssl->session_negotiate->verify_result != 0 ) 04727 { 04728 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x", 04729 ssl->session_negotiate->verify_result ) ); 04730 } 04731 else 04732 { 04733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) ); 04734 } 04735 #endif /* MBEDTLS_DEBUG_C */ 04736 } 04737 04738 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); 04739 04740 return( ret ); 04741 } 04742 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 04743 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 04744 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 04745 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 04746 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 04747 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 04748 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ 04749 04750 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) 04751 { 04752 int ret; 04753 04754 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 04755 04756 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 04757 ssl->out_msglen = 1; 04758 ssl->out_msg[0] = 1; 04759 04760 ssl->state++; 04761 04762 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 04763 { 04764 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 04765 return( ret ); 04766 } 04767 04768 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 04769 04770 return( 0 ); 04771 } 04772 04773 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) 04774 { 04775 int ret; 04776 04777 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 04778 04779 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 04780 { 04781 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 04782 return( ret ); 04783 } 04784 04785 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 04786 { 04787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04788 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04789 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 04790 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 04791 } 04792 04793 if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 ) 04794 { 04795 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 04796 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04797 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 04798 return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC ); 04799 } 04800 04801 /* 04802 * Switch to our negotiated transform and session parameters for inbound 04803 * data. 04804 */ 04805 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); 04806 ssl->transform_in = ssl->transform_negotiate; 04807 ssl->session_in = ssl->session_negotiate; 04808 04809 #if defined(MBEDTLS_SSL_PROTO_DTLS) 04810 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 04811 { 04812 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 04813 ssl_dtls_replay_reset( ssl ); 04814 #endif 04815 04816 /* Increment epoch */ 04817 if( ++ssl->in_epoch == 0 ) 04818 { 04819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 04820 /* This is highly unlikely to happen for legitimate reasons, so 04821 treat it as an attack and don't send an alert. */ 04822 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 04823 } 04824 } 04825 else 04826 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 04827 memset( ssl->in_ctr, 0, 8 ); 04828 04829 /* 04830 * Set the in_msg pointer to the correct location based on IV length 04831 */ 04832 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 04833 { 04834 ssl->in_msg = ssl->in_iv + ssl->transform_negotiate->ivlen - 04835 ssl->transform_negotiate->fixed_ivlen; 04836 } 04837 else 04838 ssl->in_msg = ssl->in_iv; 04839 04840 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 04841 if( mbedtls_ssl_hw_record_activate != NULL ) 04842 { 04843 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) 04844 { 04845 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 04846 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 04847 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 04848 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 04849 } 04850 } 04851 #endif 04852 04853 ssl->state++; 04854 04855 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 04856 04857 return( 0 ); 04858 } 04859 04860 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, 04861 const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) 04862 { 04863 ((void) ciphersuite_info); 04864 04865 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04866 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04867 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) 04868 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; 04869 else 04870 #endif 04871 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04872 #if defined(MBEDTLS_SHA512_C) 04873 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) 04874 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 04875 else 04876 #endif 04877 #if defined(MBEDTLS_SHA256_C) 04878 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) 04879 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 04880 else 04881 #endif 04882 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04883 { 04884 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 04885 return; 04886 } 04887 } 04888 04889 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) 04890 { 04891 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04892 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04893 mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 ); 04894 mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 ); 04895 #endif 04896 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04897 #if defined(MBEDTLS_SHA256_C) 04898 mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 ); 04899 #endif 04900 #if defined(MBEDTLS_SHA512_C) 04901 mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 ); 04902 #endif 04903 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04904 } 04905 04906 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, 04907 const unsigned char *buf, size_t len ) 04908 { 04909 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04910 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04911 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); 04912 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); 04913 #endif 04914 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04915 #if defined(MBEDTLS_SHA256_C) 04916 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); 04917 #endif 04918 #if defined(MBEDTLS_SHA512_C) 04919 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); 04920 #endif 04921 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04922 } 04923 04924 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 04925 defined(MBEDTLS_SSL_PROTO_TLS1_1) 04926 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, 04927 const unsigned char *buf, size_t len ) 04928 { 04929 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); 04930 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); 04931 } 04932 #endif 04933 04934 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 04935 #if defined(MBEDTLS_SHA256_C) 04936 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, 04937 const unsigned char *buf, size_t len ) 04938 { 04939 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len ); 04940 } 04941 #endif 04942 04943 #if defined(MBEDTLS_SHA512_C) 04944 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, 04945 const unsigned char *buf, size_t len ) 04946 { 04947 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len ); 04948 } 04949 #endif 04950 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 04951 04952 #if defined(MBEDTLS_SSL_PROTO_SSL3) 04953 static void ssl_calc_finished_ssl( 04954 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 04955 { 04956 const char *sender; 04957 mbedtls_md5_context md5; 04958 mbedtls_sha1_context sha1; 04959 04960 unsigned char padbuf[48]; 04961 unsigned char md5sum[16]; 04962 unsigned char sha1sum[20]; 04963 04964 mbedtls_ssl_session *session = ssl->session_negotiate; 04965 if( !session ) 04966 session = ssl->session; 04967 04968 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) ); 04969 04970 mbedtls_md5_init( &md5 ); 04971 mbedtls_sha1_init( &sha1 ); 04972 04973 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 04974 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 04975 04976 /* 04977 * SSLv3: 04978 * hash = 04979 * MD5( master + pad2 + 04980 * MD5( handshake + sender + master + pad1 ) ) 04981 * + SHA1( master + pad2 + 04982 * SHA1( handshake + sender + master + pad1 ) ) 04983 */ 04984 04985 #if !defined(MBEDTLS_MD5_ALT) 04986 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 04987 md5.state , sizeof( md5.state ) ); 04988 #endif 04989 04990 #if !defined(MBEDTLS_SHA1_ALT) 04991 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 04992 sha1.state , sizeof( sha1.state ) ); 04993 #endif 04994 04995 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT" 04996 : "SRVR"; 04997 04998 memset( padbuf, 0x36, 48 ); 04999 05000 mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 ); 05001 mbedtls_md5_update_ret( &md5, session->master, 48 ); 05002 mbedtls_md5_update_ret( &md5, padbuf, 48 ); 05003 mbedtls_md5_finish_ret( &md5, md5sum ); 05004 05005 mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 ); 05006 mbedtls_sha1_update_ret( &sha1, session->master, 48 ); 05007 mbedtls_sha1_update_ret( &sha1, padbuf, 40 ); 05008 mbedtls_sha1_finish_ret( &sha1, sha1sum ); 05009 05010 memset( padbuf, 0x5C, 48 ); 05011 05012 mbedtls_md5_starts_ret( &md5 ); 05013 mbedtls_md5_update_ret( &md5, session->master, 48 ); 05014 mbedtls_md5_update_ret( &md5, padbuf, 48 ); 05015 mbedtls_md5_update_ret( &md5, md5sum, 16 ); 05016 mbedtls_md5_finish_ret( &md5, buf ); 05017 05018 mbedtls_sha1_starts_ret( &sha1 ); 05019 mbedtls_sha1_update_ret( &sha1, session->master, 48 ); 05020 mbedtls_sha1_update_ret( &sha1, padbuf , 40 ); 05021 mbedtls_sha1_update_ret( &sha1, sha1sum, 20 ); 05022 mbedtls_sha1_finish_ret( &sha1, buf + 16 ); 05023 05024 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); 05025 05026 mbedtls_md5_free( &md5 ); 05027 mbedtls_sha1_free( &sha1 ); 05028 05029 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 05030 mbedtls_zeroize( md5sum, sizeof( md5sum ) ); 05031 mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); 05032 05033 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05034 } 05035 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 05036 05037 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 05038 static void ssl_calc_finished_tls( 05039 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05040 { 05041 int len = 12; 05042 const char *sender; 05043 mbedtls_md5_context md5; 05044 mbedtls_sha1_context sha1; 05045 unsigned char padbuf[36]; 05046 05047 mbedtls_ssl_session *session = ssl->session_negotiate; 05048 if( !session ) 05049 session = ssl->session; 05050 05051 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); 05052 05053 mbedtls_md5_init( &md5 ); 05054 mbedtls_sha1_init( &sha1 ); 05055 05056 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); 05057 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); 05058 05059 /* 05060 * TLSv1: 05061 * hash = PRF( master, finished_label, 05062 * MD5( handshake ) + SHA1( handshake ) )[0..11] 05063 */ 05064 05065 #if !defined(MBEDTLS_MD5_ALT) 05066 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) 05067 md5.state , sizeof( md5.state ) ); 05068 #endif 05069 05070 #if !defined(MBEDTLS_SHA1_ALT) 05071 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) 05072 sha1.state , sizeof( sha1.state ) ); 05073 #endif 05074 05075 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05076 ? "client finished" 05077 : "server finished"; 05078 05079 mbedtls_md5_finish_ret( &md5, padbuf ); 05080 mbedtls_sha1_finish_ret( &sha1, padbuf + 16 ); 05081 05082 ssl->handshake->tls_prf( session->master, 48, sender, 05083 padbuf, 36, buf, len ); 05084 05085 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05086 05087 mbedtls_md5_free( &md5 ); 05088 mbedtls_sha1_free( &sha1 ); 05089 05090 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 05091 05092 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05093 } 05094 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 05095 05096 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05097 #if defined(MBEDTLS_SHA256_C) 05098 static void ssl_calc_finished_tls_sha256( 05099 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05100 { 05101 int len = 12; 05102 const char *sender; 05103 mbedtls_sha256_context sha256; 05104 unsigned char padbuf[32]; 05105 05106 mbedtls_ssl_session *session = ssl->session_negotiate; 05107 if( !session ) 05108 session = ssl->session; 05109 05110 mbedtls_sha256_init( &sha256 ); 05111 05112 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) ); 05113 05114 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); 05115 05116 /* 05117 * TLSv1.2: 05118 * hash = PRF( master, finished_label, 05119 * Hash( handshake ) )[0.11] 05120 */ 05121 05122 #if !defined(MBEDTLS_SHA256_ALT) 05123 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *) 05124 sha256.state , sizeof( sha256.state ) ); 05125 #endif 05126 05127 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05128 ? "client finished" 05129 : "server finished"; 05130 05131 mbedtls_sha256_finish_ret( &sha256, padbuf ); 05132 05133 ssl->handshake->tls_prf( session->master, 48, sender, 05134 padbuf, 32, buf, len ); 05135 05136 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05137 05138 mbedtls_sha256_free( &sha256 ); 05139 05140 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 05141 05142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05143 } 05144 #endif /* MBEDTLS_SHA256_C */ 05145 05146 #if defined(MBEDTLS_SHA512_C) 05147 static void ssl_calc_finished_tls_sha384( 05148 mbedtls_ssl_context *ssl, unsigned char *buf, int from ) 05149 { 05150 int len = 12; 05151 const char *sender; 05152 mbedtls_sha512_context sha512; 05153 unsigned char padbuf[48]; 05154 05155 mbedtls_ssl_session *session = ssl->session_negotiate; 05156 if( !session ) 05157 session = ssl->session; 05158 05159 mbedtls_sha512_init( &sha512 ); 05160 05161 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) ); 05162 05163 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); 05164 05165 /* 05166 * TLSv1.2: 05167 * hash = PRF( master, finished_label, 05168 * Hash( handshake ) )[0.11] 05169 */ 05170 05171 #if !defined(MBEDTLS_SHA512_ALT) 05172 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *) 05173 sha512.state , sizeof( sha512.state ) ); 05174 #endif 05175 05176 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) 05177 ? "client finished" 05178 : "server finished"; 05179 05180 mbedtls_sha512_finish_ret( &sha512, padbuf ); 05181 05182 ssl->handshake->tls_prf( session->master, 48, sender, 05183 padbuf, 48, buf, len ); 05184 05185 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); 05186 05187 mbedtls_sha512_free( &sha512 ); 05188 05189 mbedtls_zeroize( padbuf, sizeof( padbuf ) ); 05190 05191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); 05192 } 05193 #endif /* MBEDTLS_SHA512_C */ 05194 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05195 05196 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) 05197 { 05198 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) ); 05199 05200 /* 05201 * Free our handshake params 05202 */ 05203 mbedtls_ssl_handshake_free( ssl->handshake ); 05204 mbedtls_free( ssl->handshake ); 05205 ssl->handshake = NULL; 05206 05207 /* 05208 * Free the previous transform and swith in the current one 05209 */ 05210 if( ssl->transform ) 05211 { 05212 mbedtls_ssl_transform_free( ssl->transform ); 05213 mbedtls_free( ssl->transform ); 05214 } 05215 ssl->transform = ssl->transform_negotiate; 05216 ssl->transform_negotiate = NULL; 05217 05218 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) ); 05219 } 05220 05221 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) 05222 { 05223 int resume = ssl->handshake->resume; 05224 05225 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); 05226 05227 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05228 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 05229 { 05230 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 05231 ssl->renego_records_seen = 0; 05232 } 05233 #endif 05234 05235 /* 05236 * Free the previous session and switch in the current one 05237 */ 05238 if( ssl->session ) 05239 { 05240 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 05241 /* RFC 7366 3.1: keep the EtM state */ 05242 ssl->session_negotiate->encrypt_then_mac = 05243 ssl->session->encrypt_then_mac; 05244 #endif 05245 05246 mbedtls_ssl_session_free( ssl->session ); 05247 mbedtls_free( ssl->session ); 05248 } 05249 ssl->session = ssl->session_negotiate; 05250 ssl->session_negotiate = NULL; 05251 05252 /* 05253 * Add cache entry 05254 */ 05255 if( ssl->conf->f_set_cache != NULL && 05256 ssl->session->id_len != 0 && 05257 resume == 0 ) 05258 { 05259 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) 05260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); 05261 } 05262 05263 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05264 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 05265 ssl->handshake->flight != NULL ) 05266 { 05267 /* Cancel handshake timer */ 05268 ssl_set_timer( ssl, 0 ); 05269 05270 /* Keep last flight around in case we need to resend it: 05271 * we need the handshake and transform structures for that */ 05272 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) ); 05273 } 05274 else 05275 #endif 05276 ssl_handshake_wrapup_free_hs_transform( ssl ); 05277 05278 ssl->state++; 05279 05280 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) ); 05281 } 05282 05283 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) 05284 { 05285 int ret, hash_len; 05286 05287 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) ); 05288 05289 /* 05290 * Set the out_msg pointer to the correct location based on IV length 05291 */ 05292 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 05293 { 05294 ssl->out_msg = ssl->out_iv + ssl->transform_negotiate->ivlen - 05295 ssl->transform_negotiate->fixed_ivlen; 05296 } 05297 else 05298 ssl->out_msg = ssl->out_iv; 05299 05300 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); 05301 05302 /* 05303 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 05304 * may define some other value. Currently (early 2016), no defined 05305 * ciphersuite does this (and this is unlikely to change as activity has 05306 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 05307 */ 05308 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; 05309 05310 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05311 ssl->verify_data_len = hash_len; 05312 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); 05313 #endif 05314 05315 ssl->out_msglen = 4 + hash_len; 05316 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 05317 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 05318 05319 /* 05320 * In case of session resuming, invert the client and server 05321 * ChangeCipherSpec messages order. 05322 */ 05323 if( ssl->handshake->resume != 0 ) 05324 { 05325 #if defined(MBEDTLS_SSL_CLI_C) 05326 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05327 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05328 #endif 05329 #if defined(MBEDTLS_SSL_SRV_C) 05330 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05331 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05332 #endif 05333 } 05334 else 05335 ssl->state++; 05336 05337 /* 05338 * Switch to our negotiated transform and session parameters for outbound 05339 * data. 05340 */ 05341 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); 05342 05343 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05344 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05345 { 05346 unsigned char i; 05347 05348 /* Remember current epoch settings for resending */ 05349 ssl->handshake->alt_transform_out = ssl->transform_out; 05350 memcpy( ssl->handshake->alt_out_ctr, ssl->out_ctr, 8 ); 05351 05352 /* Set sequence_number to zero */ 05353 memset( ssl->out_ctr + 2, 0, 6 ); 05354 05355 /* Increment epoch */ 05356 for( i = 2; i > 0; i-- ) 05357 if( ++ssl->out_ctr[i - 1] != 0 ) 05358 break; 05359 05360 /* The loop goes to its end iff the counter is wrapping */ 05361 if( i == 0 ) 05362 { 05363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 05364 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 05365 } 05366 } 05367 else 05368 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 05369 memset( ssl->out_ctr, 0, 8 ); 05370 05371 ssl->transform_out = ssl->transform_negotiate; 05372 ssl->session_out = ssl->session_negotiate; 05373 05374 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05375 if( mbedtls_ssl_hw_record_activate != NULL ) 05376 { 05377 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 ) 05378 { 05379 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 05380 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05381 } 05382 } 05383 #endif 05384 05385 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05386 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05387 mbedtls_ssl_send_flight_completed( ssl ); 05388 #endif 05389 05390 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 05391 { 05392 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 05393 return( ret ); 05394 } 05395 05396 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) ); 05397 05398 return( 0 ); 05399 } 05400 05401 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05402 #define SSL_MAX_HASH_LEN 36 05403 #else 05404 #define SSL_MAX_HASH_LEN 12 05405 #endif 05406 05407 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) 05408 { 05409 int ret; 05410 unsigned int hash_len; 05411 unsigned char buf[SSL_MAX_HASH_LEN]; 05412 05413 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); 05414 05415 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); 05416 05417 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 05418 { 05419 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 05420 return( ret ); 05421 } 05422 05423 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) 05424 { 05425 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05426 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05427 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 05428 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 05429 } 05430 05431 /* There is currently no ciphersuite using another length with TLS 1.2 */ 05432 #if defined(MBEDTLS_SSL_PROTO_SSL3) 05433 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 05434 hash_len = 36; 05435 else 05436 #endif 05437 hash_len = 12; 05438 05439 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED || 05440 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len ) 05441 { 05442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05443 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05444 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 05445 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05446 } 05447 05448 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), 05449 buf, hash_len ) != 0 ) 05450 { 05451 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); 05452 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 05453 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); 05454 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); 05455 } 05456 05457 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05458 ssl->verify_data_len = hash_len; 05459 memcpy( ssl->peer_verify_data, buf, hash_len ); 05460 #endif 05461 05462 if( ssl->handshake->resume != 0 ) 05463 { 05464 #if defined(MBEDTLS_SSL_CLI_C) 05465 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05466 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 05467 #endif 05468 #if defined(MBEDTLS_SSL_SRV_C) 05469 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 05470 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 05471 #endif 05472 } 05473 else 05474 ssl->state++; 05475 05476 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05477 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05478 mbedtls_ssl_recv_flight_completed( ssl ); 05479 #endif 05480 05481 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) ); 05482 05483 return( 0 ); 05484 } 05485 05486 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) 05487 { 05488 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); 05489 05490 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 05491 defined(MBEDTLS_SSL_PROTO_TLS1_1) 05492 mbedtls_md5_init( &handshake->fin_md5 ); 05493 mbedtls_sha1_init( &handshake->fin_sha1 ); 05494 mbedtls_md5_starts_ret( &handshake->fin_md5 ); 05495 mbedtls_sha1_starts_ret( &handshake->fin_sha1 ); 05496 #endif 05497 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 05498 #if defined(MBEDTLS_SHA256_C) 05499 mbedtls_sha256_init( &handshake->fin_sha256 ); 05500 mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 ); 05501 #endif 05502 #if defined(MBEDTLS_SHA512_C) 05503 mbedtls_sha512_init( &handshake->fin_sha512 ); 05504 mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 ); 05505 #endif 05506 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 05507 05508 handshake->update_checksum = ssl_update_checksum_start; 05509 05510 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 05511 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 05512 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs ); 05513 #endif 05514 05515 #if defined(MBEDTLS_DHM_C) 05516 mbedtls_dhm_init( &handshake->dhm_ctx ); 05517 #endif 05518 #if defined(MBEDTLS_ECDH_C) 05519 mbedtls_ecdh_init( &handshake->ecdh_ctx ); 05520 #endif 05521 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 05522 mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); 05523 #if defined(MBEDTLS_SSL_CLI_C) 05524 handshake->ecjpake_cache = NULL; 05525 handshake->ecjpake_cache_len = 0; 05526 #endif 05527 #endif 05528 05529 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 05530 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 05531 #endif 05532 } 05533 05534 static void ssl_transform_init( mbedtls_ssl_transform *transform ) 05535 { 05536 memset( transform, 0, sizeof(mbedtls_ssl_transform) ); 05537 05538 mbedtls_cipher_init( &transform->cipher_ctx_enc ); 05539 mbedtls_cipher_init( &transform->cipher_ctx_dec ); 05540 05541 mbedtls_md_init( &transform->md_ctx_enc ); 05542 mbedtls_md_init( &transform->md_ctx_dec ); 05543 } 05544 05545 void mbedtls_ssl_session_init( mbedtls_ssl_session *session ) 05546 { 05547 memset( session, 0, sizeof(mbedtls_ssl_session) ); 05548 } 05549 05550 static int ssl_handshake_init( mbedtls_ssl_context *ssl ) 05551 { 05552 /* Clear old handshake information if present */ 05553 if( ssl->transform_negotiate ) 05554 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 05555 if( ssl->session_negotiate ) 05556 mbedtls_ssl_session_free( ssl->session_negotiate ); 05557 if( ssl->handshake ) 05558 mbedtls_ssl_handshake_free( ssl->handshake ); 05559 05560 /* 05561 * Either the pointers are now NULL or cleared properly and can be freed. 05562 * Now allocate missing structures. 05563 */ 05564 if( ssl->transform_negotiate == NULL ) 05565 { 05566 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) ); 05567 } 05568 05569 if( ssl->session_negotiate == NULL ) 05570 { 05571 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) ); 05572 } 05573 05574 if( ssl->handshake == NULL ) 05575 { 05576 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) ); 05577 } 05578 05579 /* All pointers should exist and can be directly freed without issue */ 05580 if( ssl->handshake == NULL || 05581 ssl->transform_negotiate == NULL || 05582 ssl->session_negotiate == NULL ) 05583 { 05584 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) ); 05585 05586 mbedtls_free( ssl->handshake ); 05587 mbedtls_free( ssl->transform_negotiate ); 05588 mbedtls_free( ssl->session_negotiate ); 05589 05590 ssl->handshake = NULL; 05591 ssl->transform_negotiate = NULL; 05592 ssl->session_negotiate = NULL; 05593 05594 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05595 } 05596 05597 /* Initialize structures */ 05598 mbedtls_ssl_session_init( ssl->session_negotiate ); 05599 ssl_transform_init( ssl->transform_negotiate ); 05600 ssl_handshake_params_init( ssl->handshake ); 05601 05602 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05603 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05604 { 05605 ssl->handshake->alt_transform_out = ssl->transform_out; 05606 05607 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 05608 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 05609 else 05610 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 05611 05612 ssl_set_timer( ssl, 0 ); 05613 } 05614 #endif 05615 05616 return( 0 ); 05617 } 05618 05619 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05620 /* Dummy cookie callbacks for defaults */ 05621 static int ssl_cookie_write_dummy( void *ctx, 05622 unsigned char **p, unsigned char *end, 05623 const unsigned char *cli_id, size_t cli_id_len ) 05624 { 05625 ((void) ctx); 05626 ((void) p); 05627 ((void) end); 05628 ((void) cli_id); 05629 ((void) cli_id_len); 05630 05631 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05632 } 05633 05634 static int ssl_cookie_check_dummy( void *ctx, 05635 const unsigned char *cookie, size_t cookie_len, 05636 const unsigned char *cli_id, size_t cli_id_len ) 05637 { 05638 ((void) ctx); 05639 ((void) cookie); 05640 ((void) cookie_len); 05641 ((void) cli_id); 05642 ((void) cli_id_len); 05643 05644 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 05645 } 05646 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 05647 05648 /* 05649 * Initialize an SSL context 05650 */ 05651 void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) 05652 { 05653 memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); 05654 } 05655 05656 /* 05657 * Setup an SSL context 05658 */ 05659 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, 05660 const mbedtls_ssl_config *conf ) 05661 { 05662 int ret; 05663 const size_t len = MBEDTLS_SSL_BUFFER_LEN; 05664 05665 ssl->conf = conf; 05666 05667 /* 05668 * Prepare base structures 05669 */ 05670 if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL || 05671 ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL ) 05672 { 05673 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) ); 05674 mbedtls_free( ssl->in_buf ); 05675 ssl->in_buf = NULL; 05676 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 05677 } 05678 05679 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05680 if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 05681 { 05682 ssl->out_hdr = ssl->out_buf; 05683 ssl->out_ctr = ssl->out_buf + 3; 05684 ssl->out_len = ssl->out_buf + 11; 05685 ssl->out_iv = ssl->out_buf + 13; 05686 ssl->out_msg = ssl->out_buf + 13; 05687 05688 ssl->in_hdr = ssl->in_buf; 05689 ssl->in_ctr = ssl->in_buf + 3; 05690 ssl->in_len = ssl->in_buf + 11; 05691 ssl->in_iv = ssl->in_buf + 13; 05692 ssl->in_msg = ssl->in_buf + 13; 05693 } 05694 else 05695 #endif 05696 { 05697 ssl->out_ctr = ssl->out_buf; 05698 ssl->out_hdr = ssl->out_buf + 8; 05699 ssl->out_len = ssl->out_buf + 11; 05700 ssl->out_iv = ssl->out_buf + 13; 05701 ssl->out_msg = ssl->out_buf + 13; 05702 05703 ssl->in_ctr = ssl->in_buf; 05704 ssl->in_hdr = ssl->in_buf + 8; 05705 ssl->in_len = ssl->in_buf + 11; 05706 ssl->in_iv = ssl->in_buf + 13; 05707 ssl->in_msg = ssl->in_buf + 13; 05708 } 05709 05710 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05711 return( ret ); 05712 05713 return( 0 ); 05714 } 05715 05716 /* 05717 * Reset an initialized and used SSL context for re-use while retaining 05718 * all application-set variables, function pointers and data. 05719 * 05720 * If partial is non-zero, keep data in the input buffer and client ID. 05721 * (Use when a DTLS client reconnects from the same port.) 05722 */ 05723 static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) 05724 { 05725 int ret; 05726 05727 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 05728 05729 /* Cancel any possibly running timer */ 05730 ssl_set_timer( ssl, 0 ); 05731 05732 #if defined(MBEDTLS_SSL_RENEGOTIATION) 05733 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 05734 ssl->renego_records_seen = 0; 05735 05736 ssl->verify_data_len = 0; 05737 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05738 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN ); 05739 #endif 05740 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 05741 05742 ssl->in_offt = NULL; 05743 05744 ssl->in_msg = ssl->in_buf + 13; 05745 ssl->in_msgtype = 0; 05746 ssl->in_msglen = 0; 05747 if( partial == 0 ) 05748 ssl->in_left = 0; 05749 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05750 ssl->next_record_offset = 0; 05751 ssl->in_epoch = 0; 05752 #endif 05753 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05754 ssl_dtls_replay_reset( ssl ); 05755 #endif 05756 05757 ssl->in_hslen = 0; 05758 ssl->nb_zero = 0; 05759 05760 ssl->keep_current_message = 0; 05761 05762 ssl->out_msg = ssl->out_buf + 13; 05763 ssl->out_msgtype = 0; 05764 ssl->out_msglen = 0; 05765 ssl->out_left = 0; 05766 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 05767 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ) 05768 ssl->split_done = 0; 05769 #endif 05770 05771 ssl->transform_in = NULL; 05772 ssl->transform_out = NULL; 05773 05774 memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05775 if( partial == 0 ) 05776 memset( ssl->in_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); 05777 05778 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 05779 if( mbedtls_ssl_hw_record_reset != NULL ) 05780 { 05781 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) ); 05782 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 ) 05783 { 05784 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret ); 05785 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 05786 } 05787 } 05788 #endif 05789 05790 if( ssl->transform ) 05791 { 05792 mbedtls_ssl_transform_free( ssl->transform ); 05793 mbedtls_free( ssl->transform ); 05794 ssl->transform = NULL; 05795 } 05796 05797 if( ssl->session ) 05798 { 05799 mbedtls_ssl_session_free( ssl->session ); 05800 mbedtls_free( ssl->session ); 05801 ssl->session = NULL; 05802 } 05803 05804 #if defined(MBEDTLS_SSL_ALPN) 05805 ssl->alpn_chosen = NULL; 05806 #endif 05807 05808 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 05809 if( partial == 0 ) 05810 { 05811 mbedtls_free( ssl->cli_id ); 05812 ssl->cli_id = NULL; 05813 ssl->cli_id_len = 0; 05814 } 05815 #endif 05816 05817 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 05818 return( ret ); 05819 05820 return( 0 ); 05821 } 05822 05823 /* 05824 * Reset an initialized and used SSL context for re-use while retaining 05825 * all application-set variables, function pointers and data. 05826 */ 05827 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) 05828 { 05829 return( ssl_session_reset_int( ssl, 0 ) ); 05830 } 05831 05832 /* 05833 * SSL set accessors 05834 */ 05835 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) 05836 { 05837 conf->endpoint = endpoint; 05838 } 05839 05840 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) 05841 { 05842 conf->transport = transport; 05843 } 05844 05845 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 05846 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) 05847 { 05848 conf->anti_replay = mode; 05849 } 05850 #endif 05851 05852 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 05853 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) 05854 { 05855 conf->badmac_limit = limit; 05856 } 05857 #endif 05858 05859 #if defined(MBEDTLS_SSL_PROTO_DTLS) 05860 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) 05861 { 05862 conf->hs_timeout_min = min; 05863 conf->hs_timeout_max = max; 05864 } 05865 #endif 05866 05867 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) 05868 { 05869 conf->authmode = authmode; 05870 } 05871 05872 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05873 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, 05874 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 05875 void *p_vrfy ) 05876 { 05877 conf->f_vrfy = f_vrfy; 05878 conf->p_vrfy = p_vrfy; 05879 } 05880 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 05881 05882 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, 05883 int (*f_rng)(void *, unsigned char *, size_t), 05884 void *p_rng ) 05885 { 05886 conf->f_rng = f_rng; 05887 conf->p_rng = p_rng; 05888 } 05889 05890 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, 05891 void (*f_dbg)(void *, int, const char *, int, const char *), 05892 void *p_dbg ) 05893 { 05894 conf->f_dbg = f_dbg; 05895 conf->p_dbg = p_dbg; 05896 } 05897 05898 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, 05899 void *p_bio, 05900 mbedtls_ssl_send_t *f_send, 05901 mbedtls_ssl_recv_t *f_recv, 05902 mbedtls_ssl_recv_timeout_t *f_recv_timeout ) 05903 { 05904 ssl->p_bio = p_bio; 05905 ssl->f_send = f_send; 05906 ssl->f_recv = f_recv; 05907 ssl->f_recv_timeout = f_recv_timeout; 05908 } 05909 05910 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) 05911 { 05912 conf->read_timeout = timeout; 05913 } 05914 05915 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, 05916 void *p_timer, 05917 mbedtls_ssl_set_timer_t *f_set_timer, 05918 mbedtls_ssl_get_timer_t *f_get_timer ) 05919 { 05920 ssl->p_timer = p_timer; 05921 ssl->f_set_timer = f_set_timer; 05922 ssl->f_get_timer = f_get_timer; 05923 05924 /* Make sure we start with no timer running */ 05925 ssl_set_timer( ssl, 0 ); 05926 } 05927 05928 #if defined(MBEDTLS_SSL_SRV_C) 05929 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, 05930 void *p_cache, 05931 int (*f_get_cache)(void *, mbedtls_ssl_session *), 05932 int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) 05933 { 05934 conf->p_cache = p_cache; 05935 conf->f_get_cache = f_get_cache; 05936 conf->f_set_cache = f_set_cache; 05937 } 05938 #endif /* MBEDTLS_SSL_SRV_C */ 05939 05940 #if defined(MBEDTLS_SSL_CLI_C) 05941 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) 05942 { 05943 int ret; 05944 05945 if( ssl == NULL || 05946 session == NULL || 05947 ssl->session_negotiate == NULL || 05948 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 05949 { 05950 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 05951 } 05952 05953 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) 05954 return( ret ); 05955 05956 ssl->handshake->resume = 1; 05957 05958 return( 0 ); 05959 } 05960 #endif /* MBEDTLS_SSL_CLI_C */ 05961 05962 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, 05963 const int *ciphersuites ) 05964 { 05965 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; 05966 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; 05967 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; 05968 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; 05969 } 05970 05971 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, 05972 const int *ciphersuites, 05973 int major, int minor ) 05974 { 05975 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) 05976 return; 05977 05978 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) 05979 return; 05980 05981 conf->ciphersuite_list [minor] = ciphersuites; 05982 } 05983 05984 #if defined(MBEDTLS_X509_CRT_PARSE_C) 05985 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf, 05986 const mbedtls_x509_crt_profile *profile ) 05987 { 05988 conf->cert_profile = profile; 05989 } 05990 05991 /* Append a new keycert entry to a (possibly empty) list */ 05992 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, 05993 mbedtls_x509_crt *cert, 05994 mbedtls_pk_context *key ) 05995 { 05996 mbedtls_ssl_key_cert *new; 05997 05998 new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) ); 05999 if( new == NULL ) 06000 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06001 06002 new->cert = cert; 06003 new->key = key; 06004 new->next = NULL; 06005 06006 /* Update head is the list was null, else add to the end */ 06007 if( *head == NULL ) 06008 { 06009 *head = new; 06010 } 06011 else 06012 { 06013 mbedtls_ssl_key_cert *cur = *head; 06014 while( cur->next != NULL ) 06015 cur = cur->next; 06016 cur->next = new; 06017 } 06018 06019 return( 0 ); 06020 } 06021 06022 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, 06023 mbedtls_x509_crt *own_cert, 06024 mbedtls_pk_context *pk_key ) 06025 { 06026 return( ssl_append_key_cert( &conf->key_cert , own_cert, pk_key ) ); 06027 } 06028 06029 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, 06030 mbedtls_x509_crt *ca_chain, 06031 mbedtls_x509_crl *ca_crl ) 06032 { 06033 conf->ca_chain = ca_chain; 06034 conf->ca_crl = ca_crl; 06035 } 06036 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06037 06038 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06039 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, 06040 mbedtls_x509_crt *own_cert, 06041 mbedtls_pk_context *pk_key ) 06042 { 06043 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, 06044 own_cert, pk_key ) ); 06045 } 06046 06047 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, 06048 mbedtls_x509_crt *ca_chain, 06049 mbedtls_x509_crl *ca_crl ) 06050 { 06051 ssl->handshake->sni_ca_chain = ca_chain; 06052 ssl->handshake->sni_ca_crl = ca_crl; 06053 } 06054 06055 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, 06056 int authmode ) 06057 { 06058 ssl->handshake->sni_authmode = authmode; 06059 } 06060 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06061 06062 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 06063 /* 06064 * Set EC J-PAKE password for current handshake 06065 */ 06066 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, 06067 const unsigned char *pw, 06068 size_t pw_len ) 06069 { 06070 mbedtls_ecjpake_role role; 06071 06072 if( ssl->handshake == NULL || ssl->conf == NULL ) 06073 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06074 06075 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06076 role = MBEDTLS_ECJPAKE_SERVER; 06077 else 06078 role = MBEDTLS_ECJPAKE_CLIENT; 06079 06080 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx, 06081 role, 06082 MBEDTLS_MD_SHA256, 06083 MBEDTLS_ECP_DP_SECP256R1, 06084 pw, pw_len ) ); 06085 } 06086 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 06087 06088 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 06089 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, 06090 const unsigned char *psk, size_t psk_len, 06091 const unsigned char *psk_identity, size_t psk_identity_len ) 06092 { 06093 if( psk == NULL || psk_identity == NULL ) 06094 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06095 06096 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 06097 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06098 06099 /* Identity len will be encoded on two bytes */ 06100 if( ( psk_identity_len >> 16 ) != 0 || 06101 psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06102 { 06103 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06104 } 06105 06106 if( conf->psk != NULL ) 06107 { 06108 mbedtls_zeroize( conf->psk , conf->psk_len ); 06109 06110 mbedtls_free( conf->psk ); 06111 conf->psk = NULL; 06112 conf->psk_len = 0; 06113 } 06114 if( conf->psk_identity != NULL ) 06115 { 06116 mbedtls_free( conf->psk_identity ); 06117 conf->psk_identity = NULL; 06118 conf->psk_identity_len = 0; 06119 } 06120 06121 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL || 06122 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL ) 06123 { 06124 mbedtls_free( conf->psk ); 06125 mbedtls_free( conf->psk_identity ); 06126 conf->psk = NULL; 06127 conf->psk_identity = NULL; 06128 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06129 } 06130 06131 conf->psk_len = psk_len; 06132 conf->psk_identity_len = psk_identity_len; 06133 06134 memcpy( conf->psk , psk, conf->psk_len ); 06135 memcpy( conf->psk_identity , psk_identity, conf->psk_identity_len ); 06136 06137 return( 0 ); 06138 } 06139 06140 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, 06141 const unsigned char *psk, size_t psk_len ) 06142 { 06143 if( psk == NULL || ssl->handshake == NULL ) 06144 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06145 06146 if( psk_len > MBEDTLS_PSK_MAX_LEN ) 06147 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06148 06149 if( ssl->handshake->psk != NULL ) 06150 { 06151 mbedtls_zeroize( ssl->handshake->psk, ssl->handshake->psk_len ); 06152 mbedtls_free( ssl->handshake->psk ); 06153 ssl->handshake->psk_len = 0; 06154 } 06155 06156 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) 06157 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06158 06159 ssl->handshake->psk_len = psk_len; 06160 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); 06161 06162 return( 0 ); 06163 } 06164 06165 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, 06166 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 06167 size_t), 06168 void *p_psk ) 06169 { 06170 conf->f_psk = f_psk; 06171 conf->p_psk = p_psk; 06172 } 06173 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ 06174 06175 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 06176 06177 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 06178 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) 06179 { 06180 int ret; 06181 06182 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P , 16, dhm_P ) ) != 0 || 06183 ( ret = mbedtls_mpi_read_string( &conf->dhm_G , 16, dhm_G ) ) != 0 ) 06184 { 06185 mbedtls_mpi_free( &conf->dhm_P ); 06186 mbedtls_mpi_free( &conf->dhm_G ); 06187 return( ret ); 06188 } 06189 06190 return( 0 ); 06191 } 06192 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 06193 06194 int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf, 06195 const unsigned char *dhm_P, size_t P_len, 06196 const unsigned char *dhm_G, size_t G_len ) 06197 { 06198 int ret; 06199 06200 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P , dhm_P, P_len ) ) != 0 || 06201 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G , dhm_G, G_len ) ) != 0 ) 06202 { 06203 mbedtls_mpi_free( &conf->dhm_P ); 06204 mbedtls_mpi_free( &conf->dhm_G ); 06205 return( ret ); 06206 } 06207 06208 return( 0 ); 06209 } 06210 06211 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) 06212 { 06213 int ret; 06214 06215 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P , &dhm_ctx->P ) ) != 0 || 06216 ( ret = mbedtls_mpi_copy( &conf->dhm_G , &dhm_ctx->G ) ) != 0 ) 06217 { 06218 mbedtls_mpi_free( &conf->dhm_P ); 06219 mbedtls_mpi_free( &conf->dhm_G ); 06220 return( ret ); 06221 } 06222 06223 return( 0 ); 06224 } 06225 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 06226 06227 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 06228 /* 06229 * Set the minimum length for Diffie-Hellman parameters 06230 */ 06231 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, 06232 unsigned int bitlen ) 06233 { 06234 conf->dhm_min_bitlen = bitlen; 06235 } 06236 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 06237 06238 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 06239 /* 06240 * Set allowed/preferred hashes for handshake signatures 06241 */ 06242 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, 06243 const int *hashes ) 06244 { 06245 conf->sig_hashes = hashes; 06246 } 06247 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 06248 06249 #if defined(MBEDTLS_ECP_C) 06250 /* 06251 * Set the allowed elliptic curves 06252 */ 06253 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, 06254 const mbedtls_ecp_group_id *curve_list ) 06255 { 06256 conf->curve_list = curve_list; 06257 } 06258 #endif /* MBEDTLS_ECP_C */ 06259 06260 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06261 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) 06262 { 06263 /* Initialize to suppress unnecessary compiler warning */ 06264 size_t hostname_len = 0; 06265 06266 /* Check if new hostname is valid before 06267 * making any change to current one */ 06268 if( hostname != NULL ) 06269 { 06270 hostname_len = strlen( hostname ); 06271 06272 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN ) 06273 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06274 } 06275 06276 /* Now it's clear that we will overwrite the old hostname, 06277 * so we can free it safely */ 06278 06279 if( ssl->hostname != NULL ) 06280 { 06281 mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 06282 mbedtls_free( ssl->hostname ); 06283 } 06284 06285 /* Passing NULL as hostname shall clear the old one */ 06286 06287 if( hostname == NULL ) 06288 { 06289 ssl->hostname = NULL; 06290 } 06291 else 06292 { 06293 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 ); 06294 if( ssl->hostname == NULL ) 06295 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 06296 06297 memcpy( ssl->hostname, hostname, hostname_len ); 06298 06299 ssl->hostname[hostname_len] = '\0'; 06300 } 06301 06302 return( 0 ); 06303 } 06304 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06305 06306 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 06307 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, 06308 int (*f_sni)(void *, mbedtls_ssl_context *, 06309 const unsigned char *, size_t), 06310 void *p_sni ) 06311 { 06312 conf->f_sni = f_sni; 06313 conf->p_sni = p_sni; 06314 } 06315 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 06316 06317 #if defined(MBEDTLS_SSL_ALPN) 06318 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) 06319 { 06320 size_t cur_len, tot_len; 06321 const char **p; 06322 06323 /* 06324 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings 06325 * MUST NOT be truncated." 06326 * We check lengths now rather than later. 06327 */ 06328 tot_len = 0; 06329 for( p = protos; *p != NULL; p++ ) 06330 { 06331 cur_len = strlen( *p ); 06332 tot_len += cur_len; 06333 06334 if( cur_len == 0 || cur_len > 255 || tot_len > 65535 ) 06335 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06336 } 06337 06338 conf->alpn_list = protos; 06339 06340 return( 0 ); 06341 } 06342 06343 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) 06344 { 06345 return( ssl->alpn_chosen ); 06346 } 06347 #endif /* MBEDTLS_SSL_ALPN */ 06348 06349 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) 06350 { 06351 conf->max_major_ver = major; 06352 conf->max_minor_ver = minor; 06353 } 06354 06355 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) 06356 { 06357 conf->min_major_ver = major; 06358 conf->min_minor_ver = minor; 06359 } 06360 06361 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) 06362 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) 06363 { 06364 conf->fallback = fallback; 06365 } 06366 #endif 06367 06368 #if defined(MBEDTLS_SSL_SRV_C) 06369 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, 06370 char cert_req_ca_list ) 06371 { 06372 conf->cert_req_ca_list = cert_req_ca_list; 06373 } 06374 #endif 06375 06376 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 06377 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) 06378 { 06379 conf->encrypt_then_mac = etm; 06380 } 06381 #endif 06382 06383 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 06384 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) 06385 { 06386 conf->extended_ms = ems; 06387 } 06388 #endif 06389 06390 #if defined(MBEDTLS_ARC4_C) 06391 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) 06392 { 06393 conf->arc4_disabled = arc4; 06394 } 06395 #endif 06396 06397 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06398 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) 06399 { 06400 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 06401 mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) 06402 { 06403 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06404 } 06405 06406 conf->mfl_code = mfl_code; 06407 06408 return( 0 ); 06409 } 06410 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06411 06412 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) 06413 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) 06414 { 06415 conf->trunc_hmac = truncate; 06416 } 06417 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ 06418 06419 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 06420 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) 06421 { 06422 conf->cbc_record_splitting = split; 06423 } 06424 #endif 06425 06426 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) 06427 { 06428 conf->allow_legacy_renegotiation = allow_legacy; 06429 } 06430 06431 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06432 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) 06433 { 06434 conf->disable_renegotiation = renegotiation; 06435 } 06436 06437 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) 06438 { 06439 conf->renego_max_records = max_records; 06440 } 06441 06442 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, 06443 const unsigned char period[8] ) 06444 { 06445 memcpy( conf->renego_period , period, 8 ); 06446 } 06447 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06448 06449 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 06450 #if defined(MBEDTLS_SSL_CLI_C) 06451 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) 06452 { 06453 conf->session_tickets = use_tickets; 06454 } 06455 #endif 06456 06457 #if defined(MBEDTLS_SSL_SRV_C) 06458 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf, 06459 mbedtls_ssl_ticket_write_t *f_ticket_write, 06460 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 06461 void *p_ticket ) 06462 { 06463 conf->f_ticket_write = f_ticket_write; 06464 conf->f_ticket_parse = f_ticket_parse; 06465 conf->p_ticket = p_ticket; 06466 } 06467 #endif 06468 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 06469 06470 #if defined(MBEDTLS_SSL_EXPORT_KEYS) 06471 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, 06472 mbedtls_ssl_export_keys_t *f_export_keys, 06473 void *p_export_keys ) 06474 { 06475 conf->f_export_keys = f_export_keys; 06476 conf->p_export_keys = p_export_keys; 06477 } 06478 #endif 06479 06480 /* 06481 * SSL get accessors 06482 */ 06483 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) 06484 { 06485 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 06486 } 06487 06488 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) 06489 { 06490 if( ssl->session != NULL ) 06491 return( ssl->session->verify_result ); 06492 06493 if( ssl->session_negotiate != NULL ) 06494 return( ssl->session_negotiate->verify_result ); 06495 06496 return( 0xFFFFFFFF ); 06497 } 06498 06499 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) 06500 { 06501 if( ssl == NULL || ssl->session == NULL ) 06502 return( NULL ); 06503 06504 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite ); 06505 } 06506 06507 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) 06508 { 06509 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06510 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06511 { 06512 switch( ssl->minor_ver ) 06513 { 06514 case MBEDTLS_SSL_MINOR_VERSION_2: 06515 return( "DTLSv1.0" ); 06516 06517 case MBEDTLS_SSL_MINOR_VERSION_3: 06518 return( "DTLSv1.2" ); 06519 06520 default: 06521 return( "unknown (DTLS)" ); 06522 } 06523 } 06524 #endif 06525 06526 switch( ssl->minor_ver ) 06527 { 06528 case MBEDTLS_SSL_MINOR_VERSION_0: 06529 return( "SSLv3.0" ); 06530 06531 case MBEDTLS_SSL_MINOR_VERSION_1: 06532 return( "TLSv1.0" ); 06533 06534 case MBEDTLS_SSL_MINOR_VERSION_2: 06535 return( "TLSv1.1" ); 06536 06537 case MBEDTLS_SSL_MINOR_VERSION_3: 06538 return( "TLSv1.2" ); 06539 06540 default: 06541 return( "unknown" ); 06542 } 06543 } 06544 06545 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) 06546 { 06547 size_t transform_expansion; 06548 const mbedtls_ssl_transform *transform = ssl->transform_out; 06549 06550 #if defined(MBEDTLS_ZLIB_SUPPORT) 06551 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) 06552 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 06553 #endif 06554 06555 if( transform == NULL ) 06556 return( (int) mbedtls_ssl_hdr_len( ssl ) ); 06557 06558 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) 06559 { 06560 case MBEDTLS_MODE_GCM: 06561 case MBEDTLS_MODE_CCM: 06562 case MBEDTLS_MODE_STREAM: 06563 transform_expansion = transform->minlen; 06564 break; 06565 06566 case MBEDTLS_MODE_CBC: 06567 transform_expansion = transform->maclen 06568 + mbedtls_cipher_get_block_size( &transform->cipher_ctx_enc ); 06569 break; 06570 06571 default: 06572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 06573 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 06574 } 06575 06576 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); 06577 } 06578 06579 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 06580 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) 06581 { 06582 size_t max_len; 06583 06584 /* 06585 * Assume mfl_code is correct since it was checked when set 06586 */ 06587 max_len = mfl_code_to_length[ssl->conf->mfl_code]; 06588 06589 /* 06590 * Check if a smaller max length was negotiated 06591 */ 06592 if( ssl->session_out != NULL && 06593 mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) 06594 { 06595 max_len = mfl_code_to_length[ssl->session_out->mfl_code]; 06596 } 06597 06598 return max_len; 06599 } 06600 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 06601 06602 #if defined(MBEDTLS_X509_CRT_PARSE_C) 06603 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) 06604 { 06605 if( ssl == NULL || ssl->session == NULL ) 06606 return( NULL ); 06607 06608 return( ssl->session->peer_cert ); 06609 } 06610 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 06611 06612 #if defined(MBEDTLS_SSL_CLI_C) 06613 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst ) 06614 { 06615 if( ssl == NULL || 06616 dst == NULL || 06617 ssl->session == NULL || 06618 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) 06619 { 06620 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06621 } 06622 06623 return( ssl_session_copy( dst, ssl->session ) ); 06624 } 06625 #endif /* MBEDTLS_SSL_CLI_C */ 06626 06627 /* 06628 * Perform a single step of the SSL handshake 06629 */ 06630 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) 06631 { 06632 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06633 06634 if( ssl == NULL || ssl->conf == NULL ) 06635 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06636 06637 #if defined(MBEDTLS_SSL_CLI_C) 06638 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 06639 ret = mbedtls_ssl_handshake_client_step( ssl ); 06640 #endif 06641 #if defined(MBEDTLS_SSL_SRV_C) 06642 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06643 ret = mbedtls_ssl_handshake_server_step( ssl ); 06644 #endif 06645 06646 return( ret ); 06647 } 06648 06649 /* 06650 * Perform the SSL handshake 06651 */ 06652 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) 06653 { 06654 int ret = 0; 06655 06656 if( ssl == NULL || ssl->conf == NULL ) 06657 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06658 06659 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); 06660 06661 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06662 { 06663 ret = mbedtls_ssl_handshake_step( ssl ); 06664 06665 if( ret != 0 ) 06666 break; 06667 } 06668 06669 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) ); 06670 06671 return( ret ); 06672 } 06673 06674 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06675 #if defined(MBEDTLS_SSL_SRV_C) 06676 /* 06677 * Write HelloRequest to request renegotiation on server 06678 */ 06679 static int ssl_write_hello_request( mbedtls_ssl_context *ssl ) 06680 { 06681 int ret; 06682 06683 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) ); 06684 06685 ssl->out_msglen = 4; 06686 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 06687 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 06688 06689 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 06690 { 06691 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 06692 return( ret ); 06693 } 06694 06695 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) ); 06696 06697 return( 0 ); 06698 } 06699 #endif /* MBEDTLS_SSL_SRV_C */ 06700 06701 /* 06702 * Actually renegotiate current connection, triggered by either: 06703 * - any side: calling mbedtls_ssl_renegotiate(), 06704 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 06705 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 06706 * the initial handshake is completed. 06707 * If the handshake doesn't complete due to waiting for I/O, it will continue 06708 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 06709 */ 06710 static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) 06711 { 06712 int ret; 06713 06714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) ); 06715 06716 if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) 06717 return( ret ); 06718 06719 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 06720 * the ServerHello will have message_seq = 1" */ 06721 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06722 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 06723 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 06724 { 06725 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06726 ssl->handshake->out_msg_seq = 1; 06727 else 06728 ssl->handshake->in_msg_seq = 1; 06729 } 06730 #endif 06731 06732 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 06733 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 06734 06735 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06736 { 06737 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06738 return( ret ); 06739 } 06740 06741 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) ); 06742 06743 return( 0 ); 06744 } 06745 06746 /* 06747 * Renegotiate current connection on client, 06748 * or request renegotiation on server 06749 */ 06750 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) 06751 { 06752 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 06753 06754 if( ssl == NULL || ssl->conf == NULL ) 06755 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06756 06757 #if defined(MBEDTLS_SSL_SRV_C) 06758 /* On server, just send the request */ 06759 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) 06760 { 06761 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06762 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06763 06764 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 06765 06766 /* Did we already try/start sending HelloRequest? */ 06767 if( ssl->out_left != 0 ) 06768 return( mbedtls_ssl_flush_output( ssl ) ); 06769 06770 return( ssl_write_hello_request( ssl ) ); 06771 } 06772 #endif /* MBEDTLS_SSL_SRV_C */ 06773 06774 #if defined(MBEDTLS_SSL_CLI_C) 06775 /* 06776 * On client, either start the renegotiation process or, 06777 * if already in progress, continue the handshake 06778 */ 06779 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) 06780 { 06781 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06782 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06783 06784 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 ) 06785 { 06786 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 06787 return( ret ); 06788 } 06789 } 06790 else 06791 { 06792 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 06793 { 06794 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06795 return( ret ); 06796 } 06797 } 06798 #endif /* MBEDTLS_SSL_CLI_C */ 06799 06800 return( ret ); 06801 } 06802 06803 /* 06804 * Check record counters and renegotiate if they're above the limit. 06805 */ 06806 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) 06807 { 06808 size_t ep_len = ssl_ep_len( ssl ); 06809 int in_ctr_cmp; 06810 int out_ctr_cmp; 06811 06812 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || 06813 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || 06814 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) 06815 { 06816 return( 0 ); 06817 } 06818 06819 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, 06820 ssl->conf->renego_period + ep_len, 8 - ep_len ); 06821 out_ctr_cmp = memcmp( ssl->out_ctr + ep_len, 06822 ssl->conf->renego_period + ep_len, 8 - ep_len ); 06823 06824 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 ) 06825 { 06826 return( 0 ); 06827 } 06828 06829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); 06830 return( mbedtls_ssl_renegotiate( ssl ) ); 06831 } 06832 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 06833 06834 /* 06835 * Receive application data decrypted from the SSL layer 06836 */ 06837 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) 06838 { 06839 int ret; 06840 size_t n; 06841 06842 if( ssl == NULL || ssl->conf == NULL ) 06843 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 06844 06845 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); 06846 06847 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06848 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06849 { 06850 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 06851 return( ret ); 06852 06853 if( ssl->handshake != NULL && 06854 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 06855 { 06856 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 06857 return( ret ); 06858 } 06859 } 06860 #endif 06861 06862 /* 06863 * Check if renegotiation is necessary and/or handshake is 06864 * in process. If yes, perform/continue, and fall through 06865 * if an unexpected packet is received while the client 06866 * is waiting for the ServerHello. 06867 * 06868 * (There is no equivalent to the last condition on 06869 * the server-side as it is not treated as within 06870 * a handshake while waiting for the ClientHello 06871 * after a renegotiation request.) 06872 */ 06873 06874 #if defined(MBEDTLS_SSL_RENEGOTIATION) 06875 ret = ssl_check_ctr_renegotiate( ssl ); 06876 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 06877 ret != 0 ) 06878 { 06879 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 06880 return( ret ); 06881 } 06882 #endif 06883 06884 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 06885 { 06886 ret = mbedtls_ssl_handshake( ssl ); 06887 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 06888 ret != 0 ) 06889 { 06890 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 06891 return( ret ); 06892 } 06893 } 06894 06895 /* 06896 * TODO 06897 * 06898 * The logic should be streamlined here: 06899 * 06900 * Instead of 06901 * 06902 * - Manually checking whether ssl->in_offt is NULL 06903 * - Fetching a new record if yes 06904 * - Setting ssl->in_offt if one finds an application record 06905 * - Resetting keep_current_message after handling the application data 06906 * 06907 * one should 06908 * 06909 * - Adapt read_record to set ssl->in_offt automatically 06910 * when a new application data record is processed. 06911 * - Always call mbedtls_ssl_read_record here. 06912 * 06913 * This way, the logic of ssl_read would be much clearer: 06914 * 06915 * (1) Always call record layer and see what kind of record is on 06916 * and have it ready for consumption (in particular, in_offt 06917 * properly set for application data records). 06918 * (2) If it's application data (either freshly fetched 06919 * or something already being partially processed), 06920 * serve the read request from it. 06921 * (3) If it's something different from application data, 06922 * handle it accordingly, e.g. potentially start a 06923 * renegotiation. 06924 * 06925 * This will also remove the need to manually reset 06926 * ssl->keep_current_message = 0 below. 06927 * 06928 */ 06929 06930 if( ssl->in_offt == NULL ) 06931 { 06932 /* Start timer if not already running */ 06933 if( ssl->f_get_timer != NULL && 06934 ssl->f_get_timer( ssl->p_timer ) == -1 ) 06935 { 06936 ssl_set_timer( ssl, ssl->conf->read_timeout ); 06937 } 06938 06939 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06940 { 06941 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06942 return( 0 ); 06943 06944 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06945 return( ret ); 06946 } 06947 06948 if( ssl->in_msglen == 0 && 06949 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) 06950 { 06951 /* 06952 * OpenSSL sends empty messages to randomize the IV 06953 */ 06954 if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) 06955 { 06956 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 06957 return( 0 ); 06958 06959 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 06960 return( ret ); 06961 } 06962 } 06963 06964 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 06965 { 06966 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); 06967 06968 /* 06969 * - For client-side, expect SERVER_HELLO_REQUEST. 06970 * - For server-side, expect CLIENT_HELLO. 06971 * - Fail (TLS) or silently drop record (DTLS) in other cases. 06972 */ 06973 06974 #if defined(MBEDTLS_SSL_CLI_C) 06975 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 06976 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || 06977 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) 06978 { 06979 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); 06980 06981 /* With DTLS, drop the packet (probably from last handshake) */ 06982 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06983 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06984 return( MBEDTLS_ERR_SSL_WANT_READ ); 06985 #endif 06986 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 06987 } 06988 #endif /* MBEDTLS_SSL_CLI_C */ 06989 06990 #if defined(MBEDTLS_SSL_SRV_C) 06991 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 06992 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 06993 { 06994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); 06995 06996 /* With DTLS, drop the packet (probably from last handshake) */ 06997 #if defined(MBEDTLS_SSL_PROTO_DTLS) 06998 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 06999 return( MBEDTLS_ERR_SSL_WANT_READ ); 07000 #endif 07001 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07002 } 07003 #endif /* MBEDTLS_SSL_SRV_C */ 07004 07005 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07006 /* Determine whether renegotiation attempt should be accepted */ 07007 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || 07008 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 07009 ssl->conf->allow_legacy_renegotiation == 07010 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) ) 07011 { 07012 /* 07013 * Accept renegotiation request 07014 */ 07015 07016 /* DTLS clients need to know renego is server-initiated */ 07017 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07018 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 07019 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 07020 { 07021 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 07022 } 07023 #endif 07024 ret = ssl_start_renegotiation( ssl ); 07025 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 07026 ret != 0 ) 07027 { 07028 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); 07029 return( ret ); 07030 } 07031 } 07032 else 07033 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 07034 { 07035 /* 07036 * Refuse renegotiation 07037 */ 07038 07039 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); 07040 07041 #if defined(MBEDTLS_SSL_PROTO_SSL3) 07042 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 07043 { 07044 /* SSLv3 does not have a "no_renegotiation" warning, so 07045 we send a fatal alert and abort the connection. */ 07046 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 07047 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 07048 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07049 } 07050 else 07051 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 07052 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 07053 defined(MBEDTLS_SSL_PROTO_TLS1_2) 07054 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 07055 { 07056 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 07057 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 07058 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) 07059 { 07060 return( ret ); 07061 } 07062 } 07063 else 07064 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || 07065 MBEDTLS_SSL_PROTO_TLS1_2 */ 07066 { 07067 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 07068 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 07069 } 07070 } 07071 07072 return( MBEDTLS_ERR_SSL_WANT_READ ); 07073 } 07074 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07075 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 07076 { 07077 if( ssl->conf->renego_max_records >= 0 ) 07078 { 07079 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) 07080 { 07081 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 07082 "but not honored by client" ) ); 07083 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07084 } 07085 } 07086 } 07087 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 07088 07089 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ 07090 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 07091 { 07092 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); 07093 return( MBEDTLS_ERR_SSL_WANT_READ ); 07094 } 07095 07096 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 07097 { 07098 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 07099 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 07100 } 07101 07102 ssl->in_offt = ssl->in_msg; 07103 07104 /* We're going to return something now, cancel timer, 07105 * except if handshake (renegotiation) is in progress */ 07106 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 07107 ssl_set_timer( ssl, 0 ); 07108 07109 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07110 /* If we requested renego but received AppData, resend HelloRequest. 07111 * Do it now, after setting in_offt, to avoid taking this branch 07112 * again if ssl_write_hello_request() returns WANT_WRITE */ 07113 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 07114 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 07115 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 07116 { 07117 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) 07118 { 07119 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret ); 07120 return( ret ); 07121 } 07122 } 07123 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 07124 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 07125 } 07126 07127 n = ( len < ssl->in_msglen ) 07128 ? len : ssl->in_msglen; 07129 07130 memcpy( buf, ssl->in_offt, n ); 07131 ssl->in_msglen -= n; 07132 07133 if( ssl->in_msglen == 0 ) 07134 { 07135 /* all bytes consumed */ 07136 ssl->in_offt = NULL; 07137 ssl->keep_current_message = 0; 07138 } 07139 else 07140 { 07141 /* more data available */ 07142 ssl->in_offt += n; 07143 } 07144 07145 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); 07146 07147 return( (int) n ); 07148 } 07149 07150 /* 07151 * Send application data to be encrypted by the SSL layer, 07152 * taking care of max fragment length and buffer size 07153 */ 07154 static int ssl_write_real( mbedtls_ssl_context *ssl, 07155 const unsigned char *buf, size_t len ) 07156 { 07157 int ret; 07158 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 07159 size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); 07160 #else 07161 size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN; 07162 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 07163 if( len > max_len ) 07164 { 07165 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07166 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07167 { 07168 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " 07169 "maximum fragment length: %d > %d", 07170 len, max_len ) ); 07171 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07172 } 07173 else 07174 #endif 07175 len = max_len; 07176 } 07177 07178 if( ssl->out_left != 0 ) 07179 { 07180 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 07181 { 07182 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 07183 return( ret ); 07184 } 07185 } 07186 else 07187 { 07188 ssl->out_msglen = len; 07189 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 07190 memcpy( ssl->out_msg, buf, len ); 07191 07192 if( ( ret = mbedtls_ssl_write_record( ssl ) ) != 0 ) 07193 { 07194 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 07195 return( ret ); 07196 } 07197 } 07198 07199 return( (int) len ); 07200 } 07201 07202 /* 07203 * Write application data, doing 1/n-1 splitting if necessary. 07204 * 07205 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, 07206 * then the caller will call us again with the same arguments, so 07207 * remember whether we already did the split or not. 07208 */ 07209 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07210 static int ssl_write_split( mbedtls_ssl_context *ssl, 07211 const unsigned char *buf, size_t len ) 07212 { 07213 int ret; 07214 07215 if( ssl->conf->cbc_record_splitting == 07216 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || 07217 len <= 1 || 07218 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || 07219 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) 07220 != MBEDTLS_MODE_CBC ) 07221 { 07222 return( ssl_write_real( ssl, buf, len ) ); 07223 } 07224 07225 if( ssl->split_done == 0 ) 07226 { 07227 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) 07228 return( ret ); 07229 ssl->split_done = 1; 07230 } 07231 07232 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) 07233 return( ret ); 07234 ssl->split_done = 0; 07235 07236 return( ret + 1 ); 07237 } 07238 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ 07239 07240 /* 07241 * Write application data (public-facing wrapper) 07242 */ 07243 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 07244 { 07245 int ret; 07246 07247 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); 07248 07249 if( ssl == NULL || ssl->conf == NULL ) 07250 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07251 07252 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07253 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 07254 { 07255 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 07256 return( ret ); 07257 } 07258 #endif 07259 07260 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 07261 { 07262 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 07263 { 07264 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 07265 return( ret ); 07266 } 07267 } 07268 07269 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07270 ret = ssl_write_split( ssl, buf, len ); 07271 #else 07272 ret = ssl_write_real( ssl, buf, len ); 07273 #endif 07274 07275 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); 07276 07277 return( ret ); 07278 } 07279 07280 /* 07281 * Notify the peer that the connection is being closed 07282 */ 07283 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) 07284 { 07285 int ret; 07286 07287 if( ssl == NULL || ssl->conf == NULL ) 07288 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 07289 07290 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 07291 07292 if( ssl->out_left != 0 ) 07293 return( mbedtls_ssl_flush_output( ssl ) ); 07294 07295 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 07296 { 07297 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 07298 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 07299 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) 07300 { 07301 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); 07302 return( ret ); 07303 } 07304 } 07305 07306 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 07307 07308 return( 0 ); 07309 } 07310 07311 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) 07312 { 07313 if( transform == NULL ) 07314 return; 07315 07316 #if defined(MBEDTLS_ZLIB_SUPPORT) 07317 deflateEnd( &transform->ctx_deflate ); 07318 inflateEnd( &transform->ctx_inflate ); 07319 #endif 07320 07321 mbedtls_cipher_free( &transform->cipher_ctx_enc ); 07322 mbedtls_cipher_free( &transform->cipher_ctx_dec ); 07323 07324 mbedtls_md_free( &transform->md_ctx_enc ); 07325 mbedtls_md_free( &transform->md_ctx_dec ); 07326 07327 mbedtls_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); 07328 } 07329 07330 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07331 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert ) 07332 { 07333 mbedtls_ssl_key_cert *cur = key_cert, *next; 07334 07335 while( cur != NULL ) 07336 { 07337 next = cur->next; 07338 mbedtls_free( cur ); 07339 cur = next; 07340 } 07341 } 07342 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 07343 07344 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) 07345 { 07346 if( handshake == NULL ) 07347 return; 07348 07349 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 07350 defined(MBEDTLS_SSL_PROTO_TLS1_1) 07351 mbedtls_md5_free( &handshake->fin_md5 ); 07352 mbedtls_sha1_free( &handshake->fin_sha1 ); 07353 #endif 07354 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 07355 #if defined(MBEDTLS_SHA256_C) 07356 mbedtls_sha256_free( &handshake->fin_sha256 ); 07357 #endif 07358 #if defined(MBEDTLS_SHA512_C) 07359 mbedtls_sha512_free( &handshake->fin_sha512 ); 07360 #endif 07361 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 07362 07363 #if defined(MBEDTLS_DHM_C) 07364 mbedtls_dhm_free( &handshake->dhm_ctx ); 07365 #endif 07366 #if defined(MBEDTLS_ECDH_C) 07367 mbedtls_ecdh_free( &handshake->ecdh_ctx ); 07368 #endif 07369 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 07370 mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); 07371 #if defined(MBEDTLS_SSL_CLI_C) 07372 mbedtls_free( handshake->ecjpake_cache ); 07373 handshake->ecjpake_cache = NULL; 07374 handshake->ecjpake_cache_len = 0; 07375 #endif 07376 #endif 07377 07378 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 07379 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 07380 /* explicit void pointer cast for buggy MS compiler */ 07381 mbedtls_free( (void *) handshake->curves ); 07382 #endif 07383 07384 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07385 if( handshake->psk != NULL ) 07386 { 07387 mbedtls_zeroize( handshake->psk, handshake->psk_len ); 07388 mbedtls_free( handshake->psk ); 07389 } 07390 #endif 07391 07392 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 07393 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 07394 /* 07395 * Free only the linked list wrapper, not the keys themselves 07396 * since the belong to the SNI callback 07397 */ 07398 if( handshake->sni_key_cert != NULL ) 07399 { 07400 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next; 07401 07402 while( cur != NULL ) 07403 { 07404 next = cur->next; 07405 mbedtls_free( cur ); 07406 cur = next; 07407 } 07408 } 07409 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 07410 07411 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07412 mbedtls_free( handshake->verify_cookie ); 07413 mbedtls_free( handshake->hs_msg ); 07414 ssl_flight_free( handshake->flight ); 07415 #endif 07416 07417 mbedtls_zeroize( handshake, sizeof( mbedtls_ssl_handshake_params ) ); 07418 } 07419 07420 void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) 07421 { 07422 if( session == NULL ) 07423 return; 07424 07425 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07426 if( session->peer_cert != NULL ) 07427 { 07428 mbedtls_x509_crt_free( session->peer_cert ); 07429 mbedtls_free( session->peer_cert ); 07430 } 07431 #endif 07432 07433 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 07434 mbedtls_free( session->ticket ); 07435 #endif 07436 07437 mbedtls_zeroize( session, sizeof( mbedtls_ssl_session ) ); 07438 } 07439 07440 /* 07441 * Free an SSL context 07442 */ 07443 void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) 07444 { 07445 if( ssl == NULL ) 07446 return; 07447 07448 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) ); 07449 07450 if( ssl->out_buf != NULL ) 07451 { 07452 mbedtls_zeroize( ssl->out_buf, MBEDTLS_SSL_BUFFER_LEN ); 07453 mbedtls_free( ssl->out_buf ); 07454 } 07455 07456 if( ssl->in_buf != NULL ) 07457 { 07458 mbedtls_zeroize( ssl->in_buf, MBEDTLS_SSL_BUFFER_LEN ); 07459 mbedtls_free( ssl->in_buf ); 07460 } 07461 07462 #if defined(MBEDTLS_ZLIB_SUPPORT) 07463 if( ssl->compress_buf != NULL ) 07464 { 07465 mbedtls_zeroize( ssl->compress_buf, MBEDTLS_SSL_BUFFER_LEN ); 07466 mbedtls_free( ssl->compress_buf ); 07467 } 07468 #endif 07469 07470 if( ssl->transform ) 07471 { 07472 mbedtls_ssl_transform_free( ssl->transform ); 07473 mbedtls_free( ssl->transform ); 07474 } 07475 07476 if( ssl->handshake ) 07477 { 07478 mbedtls_ssl_handshake_free( ssl->handshake ); 07479 mbedtls_ssl_transform_free( ssl->transform_negotiate ); 07480 mbedtls_ssl_session_free( ssl->session_negotiate ); 07481 07482 mbedtls_free( ssl->handshake ); 07483 mbedtls_free( ssl->transform_negotiate ); 07484 mbedtls_free( ssl->session_negotiate ); 07485 } 07486 07487 if( ssl->session ) 07488 { 07489 mbedtls_ssl_session_free( ssl->session ); 07490 mbedtls_free( ssl->session ); 07491 } 07492 07493 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07494 if( ssl->hostname != NULL ) 07495 { 07496 mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); 07497 mbedtls_free( ssl->hostname ); 07498 } 07499 #endif 07500 07501 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 07502 if( mbedtls_ssl_hw_record_finish != NULL ) 07503 { 07504 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) ); 07505 mbedtls_ssl_hw_record_finish( ssl ); 07506 } 07507 #endif 07508 07509 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07510 mbedtls_free( ssl->cli_id ); 07511 #endif 07512 07513 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); 07514 07515 /* Actually clear after last debug message */ 07516 mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) ); 07517 } 07518 07519 /* 07520 * Initialze mbedtls_ssl_config 07521 */ 07522 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) 07523 { 07524 memset( conf, 0, sizeof( mbedtls_ssl_config ) ); 07525 } 07526 07527 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07528 static int ssl_preset_default_hashes[] = { 07529 #if defined(MBEDTLS_SHA512_C) 07530 MBEDTLS_MD_SHA512, 07531 MBEDTLS_MD_SHA384, 07532 #endif 07533 #if defined(MBEDTLS_SHA256_C) 07534 MBEDTLS_MD_SHA256, 07535 MBEDTLS_MD_SHA224, 07536 #endif 07537 #if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE) 07538 MBEDTLS_MD_SHA1, 07539 #endif 07540 MBEDTLS_MD_NONE 07541 }; 07542 #endif 07543 07544 static int ssl_preset_suiteb_ciphersuites[] = { 07545 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 07546 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 07547 0 07548 }; 07549 07550 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07551 static int ssl_preset_suiteb_hashes[] = { 07552 MBEDTLS_MD_SHA256, 07553 MBEDTLS_MD_SHA384, 07554 MBEDTLS_MD_NONE 07555 }; 07556 #endif 07557 07558 #if defined(MBEDTLS_ECP_C) 07559 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = { 07560 MBEDTLS_ECP_DP_SECP256R1, 07561 MBEDTLS_ECP_DP_SECP384R1, 07562 MBEDTLS_ECP_DP_NONE 07563 }; 07564 #endif 07565 07566 /* 07567 * Load default in mbedtls_ssl_config 07568 */ 07569 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, 07570 int endpoint, int transport, int preset ) 07571 { 07572 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07573 int ret; 07574 #endif 07575 07576 /* Use the functions here so that they are covered in tests, 07577 * but otherwise access member directly for efficiency */ 07578 mbedtls_ssl_conf_endpoint( conf, endpoint ); 07579 mbedtls_ssl_conf_transport( conf, transport ); 07580 07581 /* 07582 * Things that are common to all presets 07583 */ 07584 #if defined(MBEDTLS_SSL_CLI_C) 07585 if( endpoint == MBEDTLS_SSL_IS_CLIENT ) 07586 { 07587 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 07588 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 07589 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 07590 #endif 07591 } 07592 #endif 07593 07594 #if defined(MBEDTLS_ARC4_C) 07595 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; 07596 #endif 07597 07598 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 07599 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 07600 #endif 07601 07602 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 07603 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 07604 #endif 07605 07606 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 07607 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; 07608 #endif 07609 07610 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 07611 conf->f_cookie_write = ssl_cookie_write_dummy; 07612 conf->f_cookie_check = ssl_cookie_check_dummy; 07613 #endif 07614 07615 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 07616 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 07617 #endif 07618 07619 #if defined(MBEDTLS_SSL_SRV_C) 07620 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; 07621 #endif 07622 07623 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07624 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 07625 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 07626 #endif 07627 07628 #if defined(MBEDTLS_SSL_RENEGOTIATION) 07629 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 07630 memset( conf->renego_period , 0x00, 2 ); 07631 memset( conf->renego_period + 2, 0xFF, 6 ); 07632 #endif 07633 07634 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 07635 if( endpoint == MBEDTLS_SSL_IS_SERVER ) 07636 { 07637 const unsigned char dhm_p[] = 07638 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; 07639 const unsigned char dhm_g[] = 07640 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; 07641 07642 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf, 07643 dhm_p, sizeof( dhm_p ), 07644 dhm_g, sizeof( dhm_g ) ) ) != 0 ) 07645 { 07646 return( ret ); 07647 } 07648 } 07649 #endif 07650 07651 /* 07652 * Preset-specific defaults 07653 */ 07654 switch( preset ) 07655 { 07656 /* 07657 * NSA Suite B 07658 */ 07659 case MBEDTLS_SSL_PRESET_SUITEB: 07660 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07661 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */ 07662 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07663 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07664 07665 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07666 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07667 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07668 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07669 ssl_preset_suiteb_ciphersuites; 07670 07671 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07672 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 07673 #endif 07674 07675 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07676 conf->sig_hashes = ssl_preset_suiteb_hashes; 07677 #endif 07678 07679 #if defined(MBEDTLS_ECP_C) 07680 conf->curve_list = ssl_preset_suiteb_curves; 07681 #endif 07682 break; 07683 07684 /* 07685 * Default 07686 */ 07687 default: 07688 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; 07689 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ 07690 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; 07691 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; 07692 07693 #if defined(MBEDTLS_SSL_PROTO_DTLS) 07694 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 07695 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; 07696 #endif 07697 07698 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_0] = 07699 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_1] = 07700 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_2] = 07701 conf->ciphersuite_list [MBEDTLS_SSL_MINOR_VERSION_3] = 07702 mbedtls_ssl_list_ciphersuites(); 07703 07704 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07705 conf->cert_profile = &mbedtls_x509_crt_profile_default; 07706 #endif 07707 07708 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07709 conf->sig_hashes = ssl_preset_default_hashes; 07710 #endif 07711 07712 #if defined(MBEDTLS_ECP_C) 07713 conf->curve_list = mbedtls_ecp_grp_id_list(); 07714 #endif 07715 07716 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 07717 conf->dhm_min_bitlen = 1024; 07718 #endif 07719 } 07720 07721 return( 0 ); 07722 } 07723 07724 /* 07725 * Free mbedtls_ssl_config 07726 */ 07727 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) 07728 { 07729 #if defined(MBEDTLS_DHM_C) 07730 mbedtls_mpi_free( &conf->dhm_P ); 07731 mbedtls_mpi_free( &conf->dhm_G ); 07732 #endif 07733 07734 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) 07735 if( conf->psk != NULL ) 07736 { 07737 mbedtls_zeroize( conf->psk , conf->psk_len ); 07738 mbedtls_zeroize( conf->psk_identity , conf->psk_identity_len ); 07739 mbedtls_free( conf->psk ); 07740 mbedtls_free( conf->psk_identity ); 07741 conf->psk_len = 0; 07742 conf->psk_identity_len = 0; 07743 } 07744 #endif 07745 07746 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07747 ssl_key_cert_free( conf->key_cert ); 07748 #endif 07749 07750 mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) ); 07751 } 07752 07753 #if defined(MBEDTLS_PK_C) && \ 07754 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) ) 07755 /* 07756 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 07757 */ 07758 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk ) 07759 { 07760 #if defined(MBEDTLS_RSA_C) 07761 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) ) 07762 return( MBEDTLS_SSL_SIG_RSA ); 07763 #endif 07764 #if defined(MBEDTLS_ECDSA_C) 07765 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) ) 07766 return( MBEDTLS_SSL_SIG_ECDSA ); 07767 #endif 07768 return( MBEDTLS_SSL_SIG_ANON ); 07769 } 07770 07771 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type ) 07772 { 07773 switch( type ) { 07774 case MBEDTLS_PK_RSA: 07775 return( MBEDTLS_SSL_SIG_RSA ); 07776 case MBEDTLS_PK_ECDSA: 07777 case MBEDTLS_PK_ECKEY: 07778 return( MBEDTLS_SSL_SIG_ECDSA ); 07779 default: 07780 return( MBEDTLS_SSL_SIG_ANON ); 07781 } 07782 } 07783 07784 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig ) 07785 { 07786 switch( sig ) 07787 { 07788 #if defined(MBEDTLS_RSA_C) 07789 case MBEDTLS_SSL_SIG_RSA: 07790 return( MBEDTLS_PK_RSA ); 07791 #endif 07792 #if defined(MBEDTLS_ECDSA_C) 07793 case MBEDTLS_SSL_SIG_ECDSA: 07794 return( MBEDTLS_PK_ECDSA ); 07795 #endif 07796 default: 07797 return( MBEDTLS_PK_NONE ); 07798 } 07799 } 07800 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ 07801 07802 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 07803 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07804 07805 /* Find an entry in a signature-hash set matching a given hash algorithm. */ 07806 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set, 07807 mbedtls_pk_type_t sig_alg ) 07808 { 07809 switch( sig_alg ) 07810 { 07811 case MBEDTLS_PK_RSA: 07812 return( set->rsa ); 07813 case MBEDTLS_PK_ECDSA: 07814 return( set->ecdsa ); 07815 default: 07816 return( MBEDTLS_MD_NONE ); 07817 } 07818 } 07819 07820 /* Add a signature-hash-pair to a signature-hash set */ 07821 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set, 07822 mbedtls_pk_type_t sig_alg, 07823 mbedtls_md_type_t md_alg ) 07824 { 07825 switch( sig_alg ) 07826 { 07827 case MBEDTLS_PK_RSA: 07828 if( set->rsa == MBEDTLS_MD_NONE ) 07829 set->rsa = md_alg; 07830 break; 07831 07832 case MBEDTLS_PK_ECDSA: 07833 if( set->ecdsa == MBEDTLS_MD_NONE ) 07834 set->ecdsa = md_alg; 07835 break; 07836 07837 default: 07838 break; 07839 } 07840 } 07841 07842 /* Allow exactly one hash algorithm for each signature. */ 07843 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set, 07844 mbedtls_md_type_t md_alg ) 07845 { 07846 set->rsa = md_alg; 07847 set->ecdsa = md_alg; 07848 } 07849 07850 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) && 07851 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07852 07853 /* 07854 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 07855 */ 07856 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ) 07857 { 07858 switch( hash ) 07859 { 07860 #if defined(MBEDTLS_MD5_C) 07861 case MBEDTLS_SSL_HASH_MD5: 07862 return( MBEDTLS_MD_MD5 ); 07863 #endif 07864 #if defined(MBEDTLS_SHA1_C) 07865 case MBEDTLS_SSL_HASH_SHA1: 07866 return( MBEDTLS_MD_SHA1 ); 07867 #endif 07868 #if defined(MBEDTLS_SHA256_C) 07869 case MBEDTLS_SSL_HASH_SHA224: 07870 return( MBEDTLS_MD_SHA224 ); 07871 case MBEDTLS_SSL_HASH_SHA256: 07872 return( MBEDTLS_MD_SHA256 ); 07873 #endif 07874 #if defined(MBEDTLS_SHA512_C) 07875 case MBEDTLS_SSL_HASH_SHA384: 07876 return( MBEDTLS_MD_SHA384 ); 07877 case MBEDTLS_SSL_HASH_SHA512: 07878 return( MBEDTLS_MD_SHA512 ); 07879 #endif 07880 default: 07881 return( MBEDTLS_MD_NONE ); 07882 } 07883 } 07884 07885 /* 07886 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 07887 */ 07888 unsigned char mbedtls_ssl_hash_from_md_alg( int md ) 07889 { 07890 switch( md ) 07891 { 07892 #if defined(MBEDTLS_MD5_C) 07893 case MBEDTLS_MD_MD5: 07894 return( MBEDTLS_SSL_HASH_MD5 ); 07895 #endif 07896 #if defined(MBEDTLS_SHA1_C) 07897 case MBEDTLS_MD_SHA1: 07898 return( MBEDTLS_SSL_HASH_SHA1 ); 07899 #endif 07900 #if defined(MBEDTLS_SHA256_C) 07901 case MBEDTLS_MD_SHA224: 07902 return( MBEDTLS_SSL_HASH_SHA224 ); 07903 case MBEDTLS_MD_SHA256: 07904 return( MBEDTLS_SSL_HASH_SHA256 ); 07905 #endif 07906 #if defined(MBEDTLS_SHA512_C) 07907 case MBEDTLS_MD_SHA384: 07908 return( MBEDTLS_SSL_HASH_SHA384 ); 07909 case MBEDTLS_MD_SHA512: 07910 return( MBEDTLS_SSL_HASH_SHA512 ); 07911 #endif 07912 default: 07913 return( MBEDTLS_SSL_HASH_NONE ); 07914 } 07915 } 07916 07917 #if defined(MBEDTLS_ECP_C) 07918 /* 07919 * Check if a curve proposed by the peer is in our list. 07920 * Return 0 if we're willing to use it, -1 otherwise. 07921 */ 07922 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) 07923 { 07924 const mbedtls_ecp_group_id *gid; 07925 07926 if( ssl->conf->curve_list == NULL ) 07927 return( -1 ); 07928 07929 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) 07930 if( *gid == grp_id ) 07931 return( 0 ); 07932 07933 return( -1 ); 07934 } 07935 #endif /* MBEDTLS_ECP_C */ 07936 07937 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) 07938 /* 07939 * Check if a hash proposed by the peer is in our list. 07940 * Return 0 if we're willing to use it, -1 otherwise. 07941 */ 07942 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, 07943 mbedtls_md_type_t md ) 07944 { 07945 const int *cur; 07946 07947 if( ssl->conf->sig_hashes == NULL ) 07948 return( -1 ); 07949 07950 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ ) 07951 if( *cur == (int) md ) 07952 return( 0 ); 07953 07954 return( -1 ); 07955 } 07956 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ 07957 07958 #if defined(MBEDTLS_X509_CRT_PARSE_C) 07959 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, 07960 const mbedtls_ssl_ciphersuite_t *ciphersuite, 07961 int cert_endpoint, 07962 uint32_t *flags ) 07963 { 07964 int ret = 0; 07965 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07966 int usage = 0; 07967 #endif 07968 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07969 const char *ext_oid; 07970 size_t ext_len; 07971 #endif 07972 07973 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \ 07974 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 07975 ((void) cert); 07976 ((void) cert_endpoint); 07977 ((void) flags); 07978 #endif 07979 07980 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) 07981 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 07982 { 07983 /* Server part of the key exchange */ 07984 switch( ciphersuite->key_exchange ) 07985 { 07986 case MBEDTLS_KEY_EXCHANGE_RSA: 07987 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 07988 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 07989 break; 07990 07991 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 07992 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 07993 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 07994 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 07995 break; 07996 07997 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 07998 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 07999 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 08000 break; 08001 08002 /* Don't use default: we want warnings when adding new values */ 08003 case MBEDTLS_KEY_EXCHANGE_NONE: 08004 case MBEDTLS_KEY_EXCHANGE_PSK: 08005 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 08006 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 08007 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 08008 usage = 0; 08009 } 08010 } 08011 else 08012 { 08013 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 08014 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 08015 } 08016 08017 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 ) 08018 { 08019 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 08020 ret = -1; 08021 } 08022 #else 08023 ((void) ciphersuite); 08024 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */ 08025 08026 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 08027 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) 08028 { 08029 ext_oid = MBEDTLS_OID_SERVER_AUTH; 08030 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH ); 08031 } 08032 else 08033 { 08034 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 08035 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH ); 08036 } 08037 08038 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 ) 08039 { 08040 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 08041 ret = -1; 08042 } 08043 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 08044 08045 return( ret ); 08046 } 08047 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 08048 08049 /* 08050 * Convert version numbers to/from wire format 08051 * and, for DTLS, to/from TLS equivalent. 08052 * 08053 * For TLS this is the identity. 08054 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows: 08055 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) 08056 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) 08057 */ 08058 void mbedtls_ssl_write_version( int major, int minor, int transport, 08059 unsigned char ver[2] ) 08060 { 08061 #if defined(MBEDTLS_SSL_PROTO_DTLS) 08062 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 08063 { 08064 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) 08065 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 08066 08067 ver[0] = (unsigned char)( 255 - ( major - 2 ) ); 08068 ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); 08069 } 08070 else 08071 #else 08072 ((void) transport); 08073 #endif 08074 { 08075 ver[0] = (unsigned char) major; 08076 ver[1] = (unsigned char) minor; 08077 } 08078 } 08079 08080 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 08081 const unsigned char ver[2] ) 08082 { 08083 #if defined(MBEDTLS_SSL_PROTO_DTLS) 08084 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 08085 { 08086 *major = 255 - ver[0] + 2; 08087 *minor = 255 - ver[1] + 1; 08088 08089 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) 08090 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 08091 } 08092 else 08093 #else 08094 ((void) transport); 08095 #endif 08096 { 08097 *major = ver[0]; 08098 *minor = ver[1]; 08099 } 08100 } 08101 08102 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) 08103 { 08104 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 08105 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) 08106 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08107 08108 switch( md ) 08109 { 08110 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) 08111 #if defined(MBEDTLS_MD5_C) 08112 case MBEDTLS_SSL_HASH_MD5: 08113 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08114 #endif 08115 #if defined(MBEDTLS_SHA1_C) 08116 case MBEDTLS_SSL_HASH_SHA1: 08117 ssl->handshake->calc_verify = ssl_calc_verify_tls; 08118 break; 08119 #endif 08120 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ 08121 #if defined(MBEDTLS_SHA512_C) 08122 case MBEDTLS_SSL_HASH_SHA384: 08123 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 08124 break; 08125 #endif 08126 #if defined(MBEDTLS_SHA256_C) 08127 case MBEDTLS_SSL_HASH_SHA256: 08128 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; 08129 break; 08130 #endif 08131 default: 08132 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08133 } 08134 08135 return 0; 08136 #else /* !MBEDTLS_SSL_PROTO_TLS1_2 */ 08137 (void) ssl; 08138 (void) md; 08139 08140 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; 08141 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 08142 } 08143 08144 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ 08145 defined(MBEDTLS_SSL_PROTO_TLS1_1) 08146 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, 08147 unsigned char *output, 08148 unsigned char *data, size_t data_len ) 08149 { 08150 int ret = 0; 08151 mbedtls_md5_context mbedtls_md5; 08152 mbedtls_sha1_context mbedtls_sha1; 08153 08154 mbedtls_md5_init( &mbedtls_md5 ); 08155 mbedtls_sha1_init( &mbedtls_sha1 ); 08156 08157 /* 08158 * digitally-signed struct { 08159 * opaque md5_hash[16]; 08160 * opaque sha_hash[20]; 08161 * }; 08162 * 08163 * md5_hash 08164 * MD5(ClientHello.random + ServerHello.random 08165 * + ServerParams); 08166 * sha_hash 08167 * SHA(ClientHello.random + ServerHello.random 08168 * + ServerParams); 08169 */ 08170 if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 ) 08171 { 08172 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret ); 08173 goto exit; 08174 } 08175 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, 08176 ssl->handshake->randbytes, 64 ) ) != 0 ) 08177 { 08178 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); 08179 goto exit; 08180 } 08181 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 ) 08182 { 08183 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); 08184 goto exit; 08185 } 08186 if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 ) 08187 { 08188 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret ); 08189 goto exit; 08190 } 08191 08192 if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 ) 08193 { 08194 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret ); 08195 goto exit; 08196 } 08197 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, 08198 ssl->handshake->randbytes, 64 ) ) != 0 ) 08199 { 08200 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); 08201 goto exit; 08202 } 08203 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data, 08204 data_len ) ) != 0 ) 08205 { 08206 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); 08207 goto exit; 08208 } 08209 if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1, 08210 output + 16 ) ) != 0 ) 08211 { 08212 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret ); 08213 goto exit; 08214 } 08215 08216 exit: 08217 mbedtls_md5_free( &mbedtls_md5 ); 08218 mbedtls_sha1_free( &mbedtls_sha1 ); 08219 08220 if( ret != 0 ) 08221 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 08222 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 08223 08224 return( ret ); 08225 08226 } 08227 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 08228 MBEDTLS_SSL_PROTO_TLS1_1 */ 08229 08230 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 08231 defined(MBEDTLS_SSL_PROTO_TLS1_2) 08232 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, 08233 unsigned char *output, 08234 unsigned char *data, size_t data_len, 08235 mbedtls_md_type_t md_alg ) 08236 { 08237 int ret = 0; 08238 mbedtls_md_context_t ctx; 08239 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); 08240 08241 mbedtls_md_init( &ctx ); 08242 08243 /* 08244 * digitally-signed struct { 08245 * opaque client_random[32]; 08246 * opaque server_random[32]; 08247 * ServerDHParams params; 08248 * }; 08249 */ 08250 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) 08251 { 08252 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); 08253 goto exit; 08254 } 08255 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 ) 08256 { 08257 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret ); 08258 goto exit; 08259 } 08260 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 ) 08261 { 08262 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret ); 08263 goto exit; 08264 } 08265 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 ) 08266 { 08267 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret ); 08268 goto exit; 08269 } 08270 if( ( ret = mbedtls_md_finish( &ctx, output ) ) != 0 ) 08271 { 08272 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret ); 08273 goto exit; 08274 } 08275 08276 exit: 08277 mbedtls_md_free( &ctx ); 08278 08279 if( ret != 0 ) 08280 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 08281 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 08282 08283 return( ret ); 08284 } 08285 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 08286 MBEDTLS_SSL_PROTO_TLS1_2 */ 08287 08288 #endif /* MBEDTLS_SSL_TLS_C */
Generated on Fri Jul 22 2022 04:54:01 by
1.7.2